
When I click on your AdwCleaner link, I arrive here:  http://www.bleepingcomputer.com/download/adwcleaner/dl/125/

 

When I click on Download there, I arrive here:  http://www.easydocmerge.com/index.jhtml?partner=^BYU^xdm101&offer_id=1640&a=364&oc=12855&c=6837

 

I apologize for my anxiety; it's not intentional.  I'm hoping for success, since my 9:00 appointment time at Staples ($159) has come and gone. They'll take me later, but it will mean an overnight for my laptop.

 

Please tell me if it's okay to follow the links above.  I don't want to make matters worse.


# AdwCleaner v5.018 - Logfile created 07/11/2015 at 12:29:02
# Updated 05/11/2015 by Xplode
# Database : 2015-11-03.2 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Marge - MARGE-PC
# Running from : C:\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{351A01B5-849A-ECA5-2760-EE9665E223C3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{593D67B9-3A50-EBAA-17BE-61A5EC986A22}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{6AD5DFC0-A40C-4BE8-89CD-2BB198F8CA0F}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key Deleted : HKCU\Software\GlobalUpdate
[-] Key Deleted : HKCU\Software\DAILYPCCLEAN
[-] Key Deleted : HKLM\SOFTWARE\GlobalUpdate
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GLOBALUPDATE.EXE
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]

***** [ Web browsers ] *****

[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultenginename", "Ask Web Search");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("browser.search.selectedEngine", "Ask Web Search");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.mywebsearch.prevKwdEnabled", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.BUTTON_STRUCTURE", "[{\"b\":224540453,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":224540454,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.search.defaultenginename.prev", "Ask Web Search");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.search.defaultenginename.savedPrev", "true");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.search.defaultenginename.tb", "Ask Web Search");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.search.selectedEngine.prev", "Ask Web Search");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.search.selectedEngine.savedPrev", "true");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.search.selectedEngine.tb", "Ask Web Search");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.startup.homepage", "hxxps://www.malwarebytes.org/restorebrowser//index.jhtml?ptb=55E6EBAF-AFD9-4E7A-9DDC-6A628FE296C5&n=781bdd27&p2=^Z1^xdm0[...]
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.startup.homepage.savedPrev", "true");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.startup.page.savedPrev", 1);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.startup.page.tb", 1);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.browser.version.last", "41.0");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.competitorDNS", "{\"comment\":\"refresh every 1 week (7*24*60*60*1000)\",\"refreshPeriod\":604800000,\"list\":[{\"url\":\"hxxp://www.dnsrsearch.com/[...]
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.firstKnownVersion", "7.23.7.36182");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=55E6EBAF-AFD9-4E7A-9DDC-6A628FE296C5&n=781bdd27&p2=^Z1^xdm003^YYA^us&si=CMOsrJ_ohsgCFYQRHwodqdIOV[...]
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.hp.enabled", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.hp.guardType", "HPR");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.hp.user.defined", false);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.initialized", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installKeysSource", "Cookies");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installType", "XPI");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.contextKey", "");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.dlpCountryCode", "US");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.installDate", "2015092007");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.partnerId", "^Z1^xdm003^YYA^us");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.partnerSubId", "CMOsrJ_ohsgCFYQRHwodqdIOVw");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.pixelUrl", "hxxp://download.filmfanatic.com/install_pixels.jhtml?partner=^Z1^xdm003^YYA^us&sub_id=CMOsrJ_ohsgCFYQRHwodqdIOVw&coId=4a398[...]
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.success", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.installation.toolbarId", "55E6EBAF-AFD9-4E7A-9DDC-6A628FE296C5");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.lastActivePing", "1443350442896");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.lastKnownVersion", "7.23.7.36182");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.options.defaultSearch", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.options.homePageEnabled", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.options.keywordEnabled", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.options.tabEnabled", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.partnerPixelFired", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.searchHistory", "hxxp://news.bbc.co.uk/2/shared/bsp/hi/pdfs/24_07_08mosleyvnewsgroup. pdfprince georgerose photophotobucket 50x50pxcsscss [...]
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.successUrl", "hxxp://download.filmfanatic.com/installComplete.jhtml");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.toolbar.ownSearch", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.toolbar.versionChanged", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark._paMembers_.toolbarCollapsed", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "filmfanatic2@mindspark.com");
[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default-1395849340789\prefs.js] [Preference] Deleted : user_pref("extensions.toolbar.mindspark.lastInstalled", "filmfanatic2@mindspark.com");
[-] [C:\Users\Marge\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : conduit.search
[-] [C:\Users\Marge\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
[-] [C:\Users\Marge\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com

*************************
:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [13237 bytes] ##########
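Added here as a triage aid (not code from this thread, from Malwarebytes, or from AdwCleaner's author): a Python parser for the AdwCleaner v5 log format posted above, which groups the removed items by section and calls out the entries that touch a persistence or hijack mechanism (the IFEO key, AppInit_DLLs, and the search-engine preferences). The embedded sample is a constructed excerpt of that log; the Firefox profile folder name is shortened.

```python
import re
from collections import defaultdict

# Constructed excerpt in the AdwCleaner v5 log format posted in this thread (entries copied from it).
SAMPLE_LOG = r"""# AdwCleaner v5.018 - Logfile created 07/11/2015 at 12:29:02
# Option : Cleaning

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GLOBALUPDATE.EXE
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]

***** [ Web browsers ] *****

[-] [C:\Users\Marge\AppData\Roaming\Mozilla\Firefox\Profiles\zjp665vk.default\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultenginename", "Ask Web Search");
[-] [C:\Users\Marge\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : conduit.search
"""

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>[^\]]+) \] \*{5}$")
ENTRY_RE = re.compile(r"^\[-\] (?P<detail>.+?) : (?P<target>.+)$")

# Markers whose presence in an entry points at a persistence or hijack mechanism rather than plain clutter.
HIGH_RISK = {
    "Image File Execution Options": "IFEO entry (its Debugger value can redirect the exe's launch)",
    "AppInit_DLLs": "AppInit_DLLs value (DLLs listed there load into every user32 process)",
    "browser.search.defaultenginename": "default search engine was redirected",
    "search Provider": "browser search provider was replaced",
}

def parse_adwcleaner_log(text):
    """Return (header, entries, flags); entries maps section name -> [(detail, target)]."""
    header, entries, flags, section = {}, defaultdict(list), [], None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("# ") and " : " in line:      # "# Option : Cleaning" style header line
            key, _, val = line[2:].partition(" : ")
            header[key.strip()] = val.strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ENTRY_RE.match(line)
        if m and section:                                 # ignore entries before any section banner
            entries[section].append((m.group("detail"), m.group("target")))
            flags += [(section, why, m.group("target")) for mark, why in HIGH_RISK.items() if mark in line]
    return header, dict(entries), flags

def triage(text):
    """Short verdict lines: kind of run, items removed per section, then each flagged mechanism."""
    header, entries, flags = parse_adwcleaner_log(text)
    summary = f"{header.get('Option', '?')} run: " + ", ".join(f"{s}={len(v)}" for s, v in entries.items())
    return [summary] + [f"[{s}] {why}: {t}" for s, why, t in flags]
```

Run `triage(open("AdwCleaner[C1].txt").read())` on a real log to get the same summary for the full file.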

I'm not sure if we're finished.

 

Please tell me if there is anything else I'm supposed to test or run or clean up.

 

I've decided that, even though Malwarebytes Premium isn't working on my desktop, I'm going to install a premium version on this laptop. 

 

I'll try to get them working right.


I see a folder   C:\$Windows~bt   that is 6.38 GB in size and is checked "hidden."  It seems unusually large.

 

I did a scan with Malwarebytes.  I installed the free version.  I didn't notice what it said when I started the scan, but now it says 14-day Trial version.


Everything appears to be working fine.  My desktop background was the first change that happened when the attack began and it remains changed -- easily fixed. When I open WordPerfect, it wants me to register, install a hotfix, and sign up for some stock photo stuff--these are new to me.

 

Neither of these is important, unless they signal lingering infection.

 

Can you offer an opinion as to whether it's safe to copy back the folders and files I moved to a flash drive?

  • Staff

Since there are no more problems, we can declare this PC clean.

Now, we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non-infected restore point, concurrently deleting old ones.

Step 1. - Creation of system restore point and tools removal.

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don't need it for review.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.

Security tips - highly recommended reading:

Maintenance tips:

Additional software that I personally use and install on all my clients' devices:
  • Malwarebytes' Anti-Malware (paid version highly recommended) - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to protect against many commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent the installation of additional foistware bundled into legitimate installers.
  • Adblock - to surf the web without annoying ads!
  • Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they're all up-to-date.

My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation.

Thank you!

Stay safe,

TwinHeadedEagle :)


Something is very wrong with my Users folder.  I have been away for a time, and on returning, my Users Folder now contains this:

Users / Myname / .android has spawned new folders with today's date.

All of the Users/.android/AppData folders and Users/.android/Roaming folders that were there this morning are gone.

 

.android contains AppData folder and two files:  adbkey and adbkey.pub  -  all three have today's date.

 

AppData contains Local (which contains Microsoft, which contains Windows, which contains Temporary Internet Files) and Roaming, which contains only Dropbox.

 

adbkey and adbkey.pub are apparently a Windows Trojan.  You probably have your own sources, but I got that suggestion by way of a Search on adbkey.

  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.