Pollylop Posted October 5, 2015 ID:993837 Share Posted October 5, 2015 Hi, My son uses the home computer to play games. Unfortunately, his downloads have included lots of adware which makes it virtually impossible to browse the internet. The FRST.txt and Addition.txt files are attached. Thank you so much! J Addition.txt Link to post Share on other sites More sharing options...
Pollylop Posted October 5, 2015 Author ID:993838 Share Posted October 5, 2015 FRST.txt file attachedFRST.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 6, 2015 ID:993856 Share Posted October 6, 2015 Welcome to the forum.....What a mess!!!! Before we begin, please create a new system restore point and....... Download Delfix from Here and save it to your desktop.Place a check mark in front of .......Create registry backup <---only!Uncheck the rest!Click the Run button. Close the tool out when it's done....we'll use it later. ================================== Please uninstall all of these programs if possible. You can use Revo Uninstaller Free to ease the process if needed: Please download and install Revo Uninstaller Free http://www.revouninstaller.com/start_freeware_download.html Double click Revo Uninstaller to run it. From the list of programs double click on The Program to remove When prompted if you want to uninstall click Yes. Be sure the Moderate option is selected then click Next. The program will run, If prompted again click Yes when the built-in uninstaller is finished click on Next. Once the program has searched for leftovers click Next. Check/tick the bolded items only on the list then click Delete when prompted click on Yes and then on next. put a check on any folders that are found and select delete when prompted select yes then on next Once done click Finish. 7-zip v9.20 bauyfast cHieuAp4all Codec Pack Packages ddailyprize Dealply DealPly (remove only) Delta Chrome Toolbar Delta toolbar DNS Unlocker version 1.4 dolllArsaiver faastsaler Hearthstone Stream Browser HQCinema Pro 2.1V28.02 iLivid lloWraatee MyPC Backup noIcenufReie ofeferdeal oiffersale omniboxes uninstall OverTask quiCCkshop raoCCketdeala Remote Desktop Access shopshop Super Optimizer v3.2 Update for Codec Pack ============================================= Next: Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe. Run FRST.exe/FRST64.exe and click Fix only once and wait The tool will create a log (Fixlog.txt) in the folder, please post it to your reply. ========================== Lets check for any adware/spyware now: Please download AdwCleaner from HERE or HERE to your desktop.Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As AdministratorClick on the Scan button.AdwCleaner will begin...be patient as the scan may take some time to complete.When it's done you'll see: Pending: Please uncheck elements you don't want removed.Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.Look over the log especially under Files/Folders for any program that may have been targeted by mistake.If there's a program you may want to save, just uncheck it from AdwCleaner.If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)If you're ready to clean it all up.....click the Clean button.After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.Copy and paste the contents of that logfile in your next reply.A copy of that logfile will also be saved in the C:\AdwCleaner folder.Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\QuarantineTo restore an item that has been deleted:Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.Next.................. Please download Junkware Removal Tool to your desktop.Shut down your protection software now to avoid potential conflicts.Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.The tool will open and start scanning your system.Please be patient as this can take a while to complete depending on your system's specifications.On completion, a log (JRT.txt) is saved to your desktop and will automatically open.Post the contents of JRT.txt into your next message.Next......... Please Update and run a Threat Scan (Malwarebytes) Click on settings > Detection and Protection > Non-Malware Protection > PUP (Potentially Unwanted Program) detections > Make sure it's set to Treat detections as malware Same for PUM (Potentially Unwanted Modifications) Quarantine All that's found To download, install and run Malwarebytes: https://www.malwarebytes.org/mwb-download/<---download from here http://www.tomsguide.com/us/malwarebytes-how-to,news-18841.html<---guide MrC fixlist.txt Link to post Share on other sites More sharing options...
Pollylop Posted October 8, 2015 Author ID:994375 Share Posted October 8, 2015 Thanks, that's made a big difference ! I've attached the logs as requested:Fixlog.txtAdwCleaner.txtJRT.txt Thanks !JFixlog.txtAdwCleanerC1.txtJRT.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 8, 2015 ID:994383 Share Posted October 8, 2015 Great!...let's see if we missed anything: Please re-scan with FRST and Make sure the Addition Box is checked. http://www.fixitpc.pl/picasso/images/malware/tools/frst/frst_win05.png Post or attach the 2 logs FRST.txt and Addition.txt MrC Link to post Share on other sites More sharing options...
MrCharlie Posted October 14, 2015 ID:995430 Share Posted October 14, 2015 How are we doing?? Do you still need help or can I close this post?? MrC Link to post Share on other sites More sharing options...
Pollylop Posted October 15, 2015 Author ID:995747 Share Posted October 15, 2015 Hi, Thanks for the new instructions; will run these this evening... J Link to post Share on other sites More sharing options...
Pollylop Posted October 15, 2015 Author ID:995857 Share Posted October 15, 2015 Hi, Please find two files attached... JFRST.txtAddition.txt Link to post Share on other sites More sharing options...
MrCharlie Posted October 16, 2015 ID:995871 Share Posted October 16, 2015 Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.Run FRST.exe/FRST64.exe and click Fix only once and waitThe tool will create a log (Fixlog.txt) in the folder, please post it to your reply.========================CHR dev: Chrome dev build detected! <======= ATTENTIONGoogle Chrome has been compromised!The malware has modified your Google Chrome to the development version which makes you vulnerable to future infection. We need to uninstall Google Chrome and then download/re-install a new version.https://support.google.com/chrome/answer/95319?hl=en<---uninstallhttps://support.google.com/chrome/answer/95346?hl=en<---download and installLet me know how it is.....MrCfixlist.txt Link to post Share on other sites More sharing options...
Pollylop Posted October 31, 2015 Author ID:999001 Share Posted October 31, 2015 Hi, Having followed your instructions, I ran Opera, Chrome and Firefox. Opera and seem okay but Firefox still dogged by all sorts of rubbish. Fixlog.txt content: Fix result of Farbar Recovery Scan Tool (x64) Version:31-10-2015Ran by Daddy (2015-10-31 12:41:06) Run:2Running from C:\Users\Daddy\Desktop\MalwarebytesLoaded Profiles: Daddy (Available Profiles: Daddy & Sam & Nellie)Boot Mode: Normal==============================================fixlist content:*****************CreateRestorePoint:C:\ProgramData\Internet Helper Anti-phishingHKLM-x32\...\Run: [internet Helper Anti-phishing] => C:\ProgramData\Internet Helper Anti-phishing\internetHelper_antiphishing.exe [235072 2013-05-14] (Internet Helper)SearchScopes: HKU\S-1-5-21-3623026587-3860720058-271737125-1001 -> {FDF1F1B1-5BD8-4234-BB21-BF6253A2DD58} URL = hxxps://uk.search.yahoo.com/yhs/search?hspart=iry&hsimp=yhs-fullyhosted_003&type=wny_wnzp_15_09¶m1=1¶m2=f%253D4%26b%3DIE%26cc%3Dgb%26pa%3DWinYahoo%26cd%3D2XzuyEtN2Y1L1Qzu0CtD0C0BtAzzyByB0DtB0DzytCyCyBtCtN0D0Tzu0StCtCyDtBtN1L2XzutAtFyBtFyCtFtCtN1L1CzutN1L1G1B1V1N2Y1L1Qzu2SyCyEtBzzzyzztByCtG0CtD0FyDtG0CtB0A0CtG0DtAyBzztGyB0B0DtCtA0C0B0CyEtD0AyB2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyC0E0DtC0AyCzy0BtG0E0F0D0EtGyEyEyByBtG0A0Bzy0EtG0DzyyE0CyD0AyDyEtA0D0CyD2Q%26cr%3D790217884%26a%3Dwny_wnzp_15_09%26os%3DWindows 7 Home Premium&p={searchTerms}FF Extension: Summer Sports - C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\cy7hpxr5.default\Extensions\BJ35iqJ@gmail.com [2015-05-27]CHR HomePage: Default -> hxxp://www.omniboxes.com/?type=hp&ts=1425140025&from=obw&uid=WDCXWD1001FAES-75W7A0_WD-WCATR541459314593CHR StartupUrls: Default -> "hxxp://www.omniboxes.com/?type=hp&ts=1425140025&from=obw&uid=WDCXWD1001FAES-75W7A0_WD-WCATR541459314593"CHR Extension: (ciajakjjdopefddbfcjpiabklfjjdmjn) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciajakjjdopefddbfcjpiabklfjjdmjn [2015-04-01]CHR Extension: (kikeacjcceacohckgiajooneiabebfjj) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\kikeacjcceacohckgiajooneiabebfjj [2015-03-04]CHR Extension: (Summer Sports) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnpddjhhjmmcnjbjdbopmniafbpfppkb [2015-05-27]CHR Extension: (ciajakjjdopefddbfcjpiabklfjjdmjn) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ciajakjjdopefddbfcjpiabklfjjdmjn [2015-04-01]CHR Extension: (kikeacjcceacohckgiajooneiabebfjj) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\kikeacjcceacohckgiajooneiabebfjj [2015-03-04]CHR Extension: (Summer Sports) - C:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lnpddjhhjmmcnjbjdbopmniafbpfppkb [2015-05-27]S3 PCDSRVC{1E208CE0-FB7451FF-06020101}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [X]S1 xxqcbaox; \??\C:\Windows\system32\drivers\xxqcbaox.sys [X]C:\Windows\system32\drivers\xxqcbaox.sysC:\Users\Daddy\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpo6c19z.dllC:\Users\Daddy\AppData\Local\Temp\GURF91D.exeC:\Users\Daddy\AppData\Local\Temp\sqlite3.dllCustomCLSID: HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No FileCustomCLSID: HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No FileCustomCLSID: HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No FileCustomCLSID: HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No FileCustomCLSID: HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No FileCustomCLSID: HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No FileCustomCLSID: HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Daddy\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File*****************Restore point was successfully created.C:\ProgramData\Internet Helper Anti-phishing => moved successfullyHKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\Internet Helper Anti-phishing => value removed successfully"HKU\S-1-5-21-3623026587-3860720058-271737125-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FDF1F1B1-5BD8-4234-BB21-BF6253A2DD58}" => key removed successfullyHKCR\CLSID\{FDF1F1B1-5BD8-4234-BB21-BF6253A2DD58} => key not found.C:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\cy7hpxr5.default\Extensions\BJ35iqJ@gmail.com => moved successfullyC:\Users\Daddy\AppData\Roaming\Mozilla\Firefox\Profiles\cy7hpxr5.default\Extensions\BJ35iqJ@gmail.com => path removed successfullyChrome HomePage => removed successfullyChrome StartupUrls => removed successfullyC:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\ciajakjjdopefddbfcjpiabklfjjdmjn => moved successfullyC:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\kikeacjcceacohckgiajooneiabebfjj => moved successfullyC:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Default\Extensions\lnpddjhhjmmcnjbjdbopmniafbpfppkb => moved successfullyC:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\ciajakjjdopefddbfcjpiabklfjjdmjn => moved successfullyC:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\kikeacjcceacohckgiajooneiabebfjj => moved successfullyC:\Users\Daddy\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\lnpddjhhjmmcnjbjdbopmniafbpfppkb => moved successfullyPCDSRVC{1E208CE0-FB7451FF-06020101}_0 => Service stopped successfully.PCDSRVC{1E208CE0-FB7451FF-06020101}_0 => service removed successfullyxxqcbaox => service not found."C:\Windows\system32\drivers\xxqcbaox.sys" => not found."C:\Users\Daddy\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpo6c19z.dll" => not found.C:\Users\Daddy\AppData\Local\Temp\GURF91D.exe => moved successfullyC:\Users\Daddy\AppData\Local\Temp\sqlite3.dll => moved successfully"HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => key removed successfully"HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully"HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully"HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully"HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => key removed successfully"HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully"HKU\S-1-5-21-3623026587-3860720058-271737125-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => key removed successfully==== End of Fixlog 12:42:00 ==== Link to post Share on other sites More sharing options...
MrCharlie Posted October 31, 2015 ID:999066 Share Posted October 31, 2015 Reset FireFox:https://support.mozilla.org/en-US/kb/refresh-firefox-reset-add-ons-and-settings Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted May 10, 2016 Root Admin ID:1038963 Share Posted May 10, 2016 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts