Help for Removing Trojan:Win64/patched.az.gen!dll

My grandson brought his computer to me several weeks ago because of pop-up ads and redirecting web pages. I tried doing a cleanup and uninstalling some adware programs. When I tried to open Windows Defender, I would get an error that it was turned off by Group Policy and to contact the Group Administrator.  That's when I realized he had been infected.  I then ran Easy Recovery Essentials and it removed a few adware problems, but still not all.  Downloaded Windows Defender Offline to a Flash Drive and tried it but it needed updates. By this time the virus wouldn't let him go online. He does not have a WiFi adapter, so we have always connected by Ethernet cable. It shows all is good.  It says he is connected to the network with internet access, but when I try to open any browser it says "this page cannot be displayed". No network connection. I can't remember how, but I had read somewhere how to re-enable Windows Defender. Then I finally downloaded updated definitions for Windows Defender to a flash drive by using my computer and  was able to update his, and run a scan which showed the Trojan:Win64/patched.az.gen!dll virus. 
I have been researching this daily and ran onto your forum. If you can be of any help it would be greatly appreciated!!!
I have seen where you usually begin by using FRST. I have already done this first step and am attaching the files for you.
Thank you in advance,

"One TIRED and DISTRAUGHT Grandma"
FRST.txt

Addition.txt

Hello,

They call me TwinHeadedEagle around here, and I'll try to help you with your issue.

Before we start please read and note the following:

  • We're primarily oriented on malware removal here, so you must know that some issues just cannot be solved and you must be prepared for this. Some tools we use here will remove your browser search history, so backup your important links and all the files whose loss is unacceptable.
  • Note that we may live in totally different time zones, which may cause some delays between answers.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
I can't foresee everything, so if anything not covered in my instructions happens, please stop and inform me!

There are no silly questions. Never be afraid to ask if in doubt!


Rules and policies


We won't support any piracy.

That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!

The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

 

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.


Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Cleaning.
  • Your PC should reboot now.
  • After the reboot, a logfile will open. Copy its content into your next reply.
Note: Reports will be saved in your system partition, usually at C:\Adwcleaner

FRST search

Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:

  • Copy ds*.bin;dnsapi.dll into the Search: field in FRST then click the Search Files button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.
I ran AdwCleaner.  Here is the log file:
# AdwCleaner v5.025 - Logfile created 17/12/2015 at 10:43:45
# Updated 13/12/2015 by Xplode
# Database : 2015-12-13.2 [Local]
# Operating system : Windows 8  (x64)
# Username : tyler - TYLER
# Running from : C:\Users\tyler\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : FindingDiscount
[-] Service Deleted : Orbiter
[-] Service Deleted : SPPD
[-] Service Deleted : NETTCPHANDLER
[-] Service Deleted : sys_service
[-] Service Deleted : swsedrvr_vw_1_10_0_25

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files\groover271120150045
[-] Folder Deleted : C:\Program Files\shopperz261120150005
[-] Folder Deleted : C:\Program Files\shopperz271120150257
[-] Folder Deleted : C:\Program Files (x86)\globalUpdate
[-] Folder Deleted : C:\Program Files (x86)\jZip
[-] Folder Deleted : C:\Program Files (x86)\Object Browser
[-] Folder Deleted : C:\Program Files (x86)\SearchProtect
[-] Folder Deleted : C:\Program Files (x86)\ShopperPro
[-] Folder Deleted : C:\Program Files (x86)\YTDownloader
[-] Folder Deleted : C:\Program Files (x86)\ORBTR
[-] Folder Deleted : C:\Program Files (x86)\Windows Discount
[-] Folder Deleted : C:\Program Files (x86)\Windows NT\Accessories\RuntimeManager
[-] Folder Deleted : C:\Program Files (x86)\Exploremedia
[-] Folder Deleted : C:\Program Files (x86)\Feed Notifier
[-] Folder Deleted : C:\Program Files (x86)\SystemManager
[-] Folder Deleted : C:\Program Files (x86)\03AA02FC-1448579656-055A-1406-5E0700080009
[!] Folder Not Deleted : C:\Program Files (x86)\Object Browser
[-] Folder Deleted : C:\Program Files\Common Files\ShopperPro
[-] Folder Deleted : C:\ProgramData\ShopperPro
[-] Folder Deleted : C:\ProgramData\HealthAlert
[-] Folder Deleted : C:\ProgramData\Windows Discount
[-] Folder Deleted : C:\ProgramData\FlashBeat
[-] Folder Deleted : C:\ProgramData\MovieDeaConfig
[-] Folder Deleted : C:\ProgramData\PlayGemConfig
[!] Folder Not Deleted : C:\ProgramData\HealthAlert
[-] Folder Deleted : C:\ProgramData\28341ff220e0446c9fff27c4493d622e
[-] Folder Deleted : C:\ProgramData\Service1291
[-] Folder Deleted : C:\Users\Public\Documents\ShopperPro
[-] Folder Deleted : C:\Users\tyler\AppData\Local\globalUpdate
[-] Folder Deleted : C:\Users\tyler\AppData\Local\SearchProtect
[-] Folder Deleted : C:\Users\tyler\AppData\Local\SmartWeb
[-] Folder Deleted : C:\Users\tyler\AppData\Local\HealthAlert
[-] Folder Deleted : C:\Users\tyler\AppData\Local\BrowserHelper
[-] Folder Deleted : C:\Users\tyler\AppData\Local\DailyWiki
[+] Folder Deleted : C:\Users\tyler\AppData\Local\Birds
[!] Folder Not Deleted : C:\Users\tyler\AppData\Local\HealthAlert
[-] Folder Deleted : C:\Users\tyler\AppData\Local\03AA02FC-1448561763-055A-1406-5E0700080009
[-] Folder Deleted : C:\Users\tyler\AppData\Local\Installer\Install_13226
[-] Folder Deleted : C:\Users\tyler\AppData\LocalLow\SmartWeb
[-] Folder Deleted : C:\Users\tyler\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
[-] Folder Deleted : C:\Users\tyler\AppData\Roaming\Systweak
[-] Folder Deleted : C:\Users\tyler\AppData\Roaming\shortCutStore
[-] Folder Deleted : C:\Users\tyler\AppData\Roaming\RunDir
[-] Folder Deleted : C:\Users\tyler\AppData\Roaming\NetService
[-] Folder Deleted : C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\YTDownloader
[#] Folder Deleted : C:\Windows\SysNative\Tasks\jZip
[#] Folder Deleted : C:\Windows\SysNative\Tasks\RegClean Pro
[#] Folder Deleted : C:\Windows\SysNative\Tasks\ShopperPro
[#] Folder Deleted : C:\Windows\SysNative\Tasks\YTDownloader

***** [ Files ] *****

[-] File Deleted : C:\END
[-] File Deleted : C:\task.vbs
[-] File Deleted : C:\Users\Public\Desktop\eBay.lnk
[-] File Deleted : C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jZip.lnk
[-] File Deleted : C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartWeb.lnk
[-] File Deleted : C:\Users\tyler\Desktop\Live PC Help.lnk
[-] File Deleted : C:\Windows\AppPatch\Custom\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb
[-] File Deleted : C:\Windows\AppPatch\Custom\Custom64\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb
[-] File Deleted : C:\Windows\SysNative\roboot64.exe

***** [ DLLs ] *****

[-] File Restored : C:\Windows\SysWOW64\dnsapi.dll

***** [ Shortcuts ] *****

[-] Shortcut Disinfected : C:\Users\tyler\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet-Explorer.lnk
[-] Shortcut Disinfected : C:\Users\tyler\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet-Explorer Browser.lnk

***** [ Scheduled tasks ] *****

[-] Task Deleted : Inst_Rep
[-] Task Deleted : RegClean Pro
[-] Task Deleted : RegClean Pro_DEFAULT
[-] Task Deleted : RegClean Pro_UPDATES
[-] Task Deleted : ShopperPro
[-] Task Deleted : ShopperProJSUpd
[-] Task Deleted : SmartWeb Upgrade Trigger Task
[-] Task Deleted : SPDriver
[-] Task Deleted : YTDownloader
[-] Task Deleted : YTDownloaderUpd
[-] Task Deleted : runTask
[-] Task Deleted : updateTask
[-] Task Deleted : IBUpd
[-] Task Deleted : systemmgr
[-] Task Deleted : SPBIW_UpdateTask_Time_333532363537373230352d4a5b5b345a417845455a376c
[-] Task Deleted : XXYCLAMQOFXKLYXB
[-] Task Deleted : Inst_Rep

***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\ShopperPro.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\ShopperPro.ShopperProBHO
[-] Key Deleted : HKLM\SOFTWARE\Classes\ShopperPro.ShopperProBHO.1
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [sPDriver]
[-] Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [sPDriver]
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ShopperPro.exe
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\YTDownloader.exe
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\MediaPlayer\ShimInclusionList\BrowserAir.exe
[-] Value Deleted : HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION [MovieDea.exe]
[-] Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\NetTcpHandler
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\F53E693DDABF57A88A9B12B608B09B26C0608B74
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\D830B6B8939ACB4928401060203BB648456BB4F8
[-] Key Deleted : HKLM\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\ROOT\CERTIFICATES\A7BD54B233B5B2F70AF86F5BD1A0C0A772A59FC6
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [gmsd_us_005010158]
[-] Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [gmsd_us_005010160]
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
[-] Key Deleted : HKCU\Software\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{459DD0F7-0D55-D3DC-67BC-E6BE37E9D762}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{61AB12E1-A5FF-11D1-B2E9-444553540000}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{0AB507EB-3BD7-45BC-B487-E85781CD15B3}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{40DB3DC7-C617-4D2F-998B-70C898F90CFC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{4198D5D1-E99C-41AC-8F29-81CEEF4C5872}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{5AEC60CE-5436-485E-9600-1C52166327A7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6069101D-CB81-4611-8AB4-2C9A31F24850}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{83B0348E-4243-40E8-838B-95584E64A74E}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A056CA83-910B-4995-87A8-99FBFF273F6D}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{C6A0D5A8-F852-4AE4-9535-E82EBE7C05BA}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{8FB1A663-2820-468B-95C4-5060A4C5F413}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}
[!] Key Not Deleted : HKLM\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2D983890-49F4-430B-8B9F-CCC730631C76}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{3634EE7D-F43A-4941-8A01-D4EFC699EDCC}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{4CEB5580-AEC9-4F6B-8CA5-A193724368B7}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CDD71519-669F-41AD-8D84-9716F1C105D8}
[-] Key Deleted : HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03C0AC00-86DE-4B55-81BA-2E7CD61C51B1}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0DC81A74-1FBD-4EF6-82B2-DE3FA05E8233}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{1B26E4A2-7F09-4365-9AB8-13E6891E42CB}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{21402197-BB5B-476C-AA1D-3FFED8ED813A}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{42E8D680-A18B-4CAA-ACE0-18EA05E4A056}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{454A4044-16EC-4D64-9069-C5B8832B7B55}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4FEB1BAD-35AD-4A08-B6EC-E6D832F1ED4D}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{8F2B3016-17D4-447A-B207-FFA8957A834A}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E66B63B0-49F8-47E3-A9BA-799287B59E87}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{F8FA5B48-B7A2-4BC6-8389-9587643A4660}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{0AB507EB-3BD7-45BC-B487-E85781CD15B3}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{40DB3DC7-C617-4D2F-998B-70C898F90CFC}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{4198D5D1-E99C-41AC-8F29-81CEEF4C5872}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{5AEC60CE-5436-485E-9600-1C52166327A7}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6069101D-CB81-4611-8AB4-2C9A31F24850}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{83B0348E-4243-40E8-838B-95584E64A74E}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A056CA83-910B-4995-87A8-99FBFF273F6D}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{C6A0D5A8-F852-4AE4-9535-E82EBE7C05BA}
[!] Key Not Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
[-] Key Deleted : HKCU\Software\GlobalUpdate
[-] Key Deleted : HKCU\Software\powerpack
[-] Key Deleted : HKCU\Software\SearchProtect
[-] Key Deleted : HKCU\Software\ShopperPro
[-] Key Deleted : HKCU\Software\YTDownloader
[-] Key Deleted : HKCU\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[-] Key Deleted : HKCU\Software\SpaceSoundPro
[-] Key Deleted : HKCU\Software\DAILYPCCLEAN
[-] Key Deleted : HKCU\Software\Reg\Clean
[-] Key Deleted : HKCU\Software\tstamptoken
[-] Key Deleted : HKCU\Software\Microsoft\Tinstalls
[-] Key Deleted : HKCU\Software\Object Browser-nv-ie
[-] Key Deleted : HKCU\Software\{49CB9315-C563-420F-a6F0-584292B8BF70}
[-] Key Deleted : HKCU\Software\{CD6D8D00-698A-4986-8DCF-396C67D745A8}
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
[-] Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE
[-] Key Deleted : HKCU\Software\AppDataLow\Software\SmartWeb
[-] Key Deleted : HKCU\Software\AppDataLow\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[-] Key Deleted : HKCU\Software\AppDataLow\Software\DailyWiki
[-] Key Deleted : HKLM\SOFTWARE\AppDataLow\SOFTWARE\Crossrider
[-] Key Deleted : HKLM\SOFTWARE\AppDataLow\SOFTWARE\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKLM\SOFTWARE\CompeteInc
[-] Key Deleted : HKLM\SOFTWARE\GlobalUpdate
[-] Key Deleted : HKLM\SOFTWARE\SearchProtect
[-] Key Deleted : HKLM\SOFTWARE\ShopperPro
[-] Key Deleted : HKLM\SOFTWARE\Tutorials
[-] Key Deleted : HKLM\SOFTWARE\ORBTR
[-] Key Deleted : HKLM\SOFTWARE\YTDownloader
[-] Key Deleted : HKLM\SOFTWARE\SPPDCOM
[-] Key Deleted : HKLM\SOFTWARE\FlashBeat
[-] Key Deleted : HKLM\SOFTWARE\Linkey
[-] Key Deleted : HKLM\SOFTWARE\MovieDea
[-] Key Deleted : HKLM\SOFTWARE\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[-] Key Deleted : HKLM\SOFTWARE\SpaceSondPro
[-] Key Deleted : HKLM\SOFTWARE\PlayGem
[-] Key Deleted : HKLM\SOFTWARE\Reg\Clean
[-] Key Deleted : HKLM\SOFTWARE\im-dosearch
[-] Key Deleted : HKLM\SOFTWARE\NetTcpHandler
[-] Key Deleted : HKLM\SOFTWARE\NtSvcHandler
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShopperPro
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SU
[-] Key Deleted : [x64] HKLM\SOFTWARE\ShopperPro
[-] Key Deleted : [x64] HKLM\SOFTWARE\FlashBeat
[-] Key Deleted : [x64] HKLM\SOFTWARE\Linkey
[-] Key Deleted : [x64] HKLM\SOFTWARE\BrowserAir
[-] Key Deleted : [x64] HKLM\SOFTWARE\im-dosearch
[-] Key Deleted : [x64] HKLM\SOFTWARE\SAKURA
[-] Key Deleted : HKU\.DEFAULT\Software\Object Browser-nv
[-] Key Deleted : HKU\.DEFAULT\Software\Object Browser-nv-ie
[-] Key Deleted : HKU\.DEFAULT\Software\{49CB9315-C563-420F-a6F0-584292B8BF70}
[-] Key Deleted : HKU\.DEFAULT\Software\{CD6D8D00-698A-4986-8DCF-396C67D745A8}
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\Compete
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKU\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Installer
[-] Key Deleted : HKU\.DEFAULT\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKU\S-1-5-19\Software\{49CB9315-C563-420F-a6F0-584292B8BF70}
[-] Key Deleted : HKU\S-1-5-19\Software\{CD6D8D00-698A-4986-8DCF-396C67D745A8}
[-] Key Deleted : HKU\S-1-5-20\Software\{49CB9315-C563-420F-a6F0-584292B8BF70}
[-] Key Deleted : HKU\S-1-5-20\Software\{CD6D8D00-698A-4986-8DCF-396C67D745A8}
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\GlobalUpdate
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\powerpack
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\SearchProtect
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\ShopperPro
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\YTDownloader
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\SpaceSoundPro
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\DAILYPCCLEAN
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\Reg\Clean
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\tstamptoken
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\Microsoft\Tinstalls
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\Object Browser-nv-ie
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\{49CB9315-C563-420F-a6F0-584292B8BF70}
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\{CD6D8D00-698A-4986-8DCF-396C67D745A8}
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\AppDataLow\Software\Crossrider
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\AppDataLow\Software\DynConIE
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\AppDataLow\Software\SmartWeb
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\AppDataLow\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[!] Key Not Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\AppDataLow\Software\DailyWiki
[-] Key Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Installer
[-] Key Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001_Classes\Software\{49CB9315-C563-420F-a6F0-584292B8BF70}
[-] Key Deleted : HKU\S-1-5-21-1163751298-4046332558-3257735069-1001_Classes\Software\{CD6D8D00-698A-4986-8DCF-396C67D745A8}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GLOBALUPDATE.EXE
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{4D1E960B-6EB5-4E6C-8A6C-22F5B6B51490} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{809099AD-7881-4BD4-9605-3362708FB840} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{9343B7F7-DDE3-4F7B-9B83-7936C022D916} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{97e1de57-d6fa-11e1-be62-806e6f6e6963} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{C02CAB3E-C922-4371-A1DD-E72CF76EF979} [NameServer]
[-] Data Restored : HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{D4A261C7-F2A9-48FC-BD50-106ABFB1BB77} [NameServer]
[-] Data Restored : HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{4D1E960B-6EB5-4E6C-8A6C-22F5B6B51490} [NameServer]
[-] Data Restored : HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{809099AD-7881-4BD4-9605-3362708FB840} [NameServer]
[-] Data Restored : HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{9343B7F7-DDE3-4F7B-9B83-7936C022D916} [NameServer]
[-] Data Restored : HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{97e1de57-d6fa-11e1-be62-806e6f6e6963} [NameServer]
[-] Data Restored : HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{C02CAB3E-C922-4371-A1DD-E72CF76EF979} [NameServer]
[-] Data Restored : HKLM\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{D4A261C7-F2A9-48FC-BD50-106ABFB1BB77} [NameServer]

***** [ Web browsers ] *****

[-] [C:\Users\tyler\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [startup_URLs] Deleted : hxxp://www.trovi.com/?gd=&ctid=CT3325161&octid=EB_ORIGINAL_CTID&ISID=M73061DC8-12B7-4395-A412-4B05075C9A85&SearchSource=55&CUI=&UM=8&UP=SP049BE19A-A5FC-41E9-8783-85C3C7020FF9&D=112615&SSPV=
[-] [C:\Users\tyler\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : booedmolknjekdopkepjjeckmjkdpfgl
[-] [C:\Users\tyler\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : flpcjncodpafbgdpnkljologafpionhb

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [21819 bytes] ##########
I have also attached the FRST search log.
Search.txt
Okay, let's use FRST again:

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please upload it to your reply.

fixlist.txt
Since I can't connect the infected computer to the internet, I have been downloading everything to a flash drive from my computer and transferring it to the desktop of the infected computer. I did this with the fixlist.txt also.

I had the following errors occur:

ipconfig.exe - Application Error: "The application was unable to start correctly (0xc0000906). Click OK to close the application." I clicked OK.

IP Configuration Utility: "IP Configuration Utility has stopped working correctly.  Windows will close the program and notify you if a solution is available." Only option was to click Close program. I did.

After that the FRST said it completed and to restart. I clicked OK, but when it restarted the computer, I received a Windows Boot Manager error and then the computer shut down. I have attached a pic of the screen before it shut off.

(screenshot of the Windows Boot Manager error attached)
Yes,  your PC is heavily infected, so this is collateral damage. I am confident we can fix this:
 
 
Please download Farbar Recovery Scan Tool x64 and save it to a flash drive.

  • Plug the flashdrive into the infected PC.
  • Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
  • Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.
  • In the Choose Recovery Tool menu select Command Prompt.
  • You will see a big black window with a blinking cursor (command prompt).

Access the notepad and identify your USB drive

In the Command Prompt please type in:
notepad
and press Enter.

  • When the notepad opens, go to the File menu.
  • Select Open.
  • Go to Computer and search there for your USB drive letter.
  • Note down the letter and close the notepad.

Scan with Farbar Recovery Scan Tool

Once back in the command prompt window, please do the following:

  • Type in e:\frst64.exe and press Enter.
    You need to replace e with the letter of your USB drive taken from notepad!
  • FRST will start to run. Give it a minute or so to load itself.
  • Click Yes to the Disclaimer.
  • In the main console, please click Scan and wait.
  • When finished it will produce a logfile named FRST.txt in the root of your pendrive and display it. Close that logfile.

Transfer it to your clean machine and include it in your next reply.
I have Farbar Recovery Scan Tool on my flash, but pressing F8 does not work on the infected machine.  It still comes up with the same screen as the photo I had sent to you. I do remember from a previous encounter that pressing F8 repeatedly at boot no longer works on some Windows 8.  I had found another way that worked. I thought that I had it saved somewhere on my PC but have been unable to locate it now.  Is there any way to get to this through the BIOS?  The Motherboard is a Gigabyte (GA-F2A88X-UP4).

Hello again. After many hours of research and retracing steps that I have had to do before, I finally got the infected PC to boot up to Windows again. I also went ahead and ran Windows Defender again.

Then I started back at the beginning of what all you had me do before up to but NOT including the FRST search.  I am attaching everything here, and will wait until I hear from you on what to do about doing a search with FRST.

Here is a copy of the AdwCleaner logfile:

# AdwCleaner v5.025 - Logfile created 20/12/2015 at 02:22:47
# Updated 13/12/2015 by Xplode
# Database : 2015-12-13.2 [Local]
# Operating system : Windows 8  (x64)
# Username : tyler - TYLER
# Running from : C:\Users\tyler\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\SearchProtect
[-] Folder Deleted : C:\Users\tyler\AppData\Local\SearchProtect

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [767 bytes] ##########

FRST.txt

Addition.txt


I don't see signs of malware now. How is your PC behaving?

Let's make one final scan:

Scan with Malwarebytes' Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Install the program and select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • In the same tab, under PUP and PUM detections make sure it is set to Treat detections as malware.
  • Click the Scan tab, make sure Threat Scan is checked and click Start Scan.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.


Hello again, TwinHeadedEagle...  Sorry for the delay in my response.   I am glad to report that I am now replying from the machine that we have been working on.  I have been able to access the internet from it now.  I downloaded Malwarebytes Anti-Malware and ran the scan. I am including the Scan Log below.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/21/2015
Scan Time: 4:28 PM
Logfile: Scan Log (malwarebytes).txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.21.06
Rootkit Database: v2015.12.18.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8
CPU: x64
File System: NTFS
User: tyler

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 321222
Time Elapsed: 14 min, 44 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 23
PUP.Optional.ConsumerInput, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{7D87094D-49E1-4C72-8C9E-3D937A119BE5}, Quarantined, [e2d80c9b3a51c96d798bb9a9ec1611ef],
PUP.Optional.ConsumerInput, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{7D87094D-49E1-4C72-8C9E-3D937A119BE5}, Quarantined, [e2d80c9b3a51c96d798bb9a9ec1611ef],
PUP.Optional.DeskBar, HKLM\SOFTWARE\MICROSOFT\TRACING\DeskBar_RASAPI32, Quarantined, [615984230b806fc7e9ccbc15857ede22],
PUP.Optional.DeskBar, HKLM\SOFTWARE\MICROSOFT\TRACING\DeskBar_RASMANCS, Quarantined, [932742655c2fe056466f1ab733d0e11f],
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\LAYERS\VC32LDR  , Quarantined, [02b8abfc5a31e45224558d3606fd817f],
PUP.Optional.SearchProtect.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}, Quarantined, [c4f60a9d8b00ee4847840cfa4fb555ab],
PUP.Optional.SearchProtect.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{cf2797aa-b7ec-e311-8ed9-005056c00008}, Quarantined, [dae02e795c2f6ccad9f39d6961a33ac6],
PUP.Optional.SwiftSearch, HKLM\SOFTWARE\WOW6432NODE\SwiftSearch_1.10.0.25, Quarantined, [1e9cb2f5c4c7979f2b7ceed219ea09f7],
PUP.Optional.SystemSpeedup, HKLM\SOFTWARE\WOW6432NODE\SYSTWEAK\ssd, Quarantined, [6e4c3572b9d2270fa1721ea7b74b47b9],
PUP.Optional.Shopperz.BrwsrFlsh, HKU\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTERNETREGISTRY\REGISTRY\USER\S-1-5-18\SOFTWARE\shopperz261120150005, Quarantined, [b00a782facdf5ed81804ac6111f38c74],
PUP.Optional.Shopperz.BrwsrFlsh, HKU\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTERNETREGISTRY\REGISTRY\USER\S-1-5-18\SOFTWARE\shopperz271120150030, Quarantined, [dfdb1f88f299b6802fed8f7efd07fa06],
PUP.Optional.Shopperz.BrwsrFlsh, HKU\.DEFAULT\SOFTWARE\MICROSOFT\INTERNET EXPLORER\INTERNETREGISTRY\REGISTRY\USER\S-1-5-18\SOFTWARE\shopperz271120150257, Quarantined, [95250b9c6a218fa75dbf947961a3e41c],
PUP.Optional.iWebar, HKU\S-1-5-18\SOFTWARE\iWebar-nv, Quarantined, [9f1b8f180e7d40f63f309c09d330b749],
PUP.Optional.iWebar, HKU\S-1-5-18\SOFTWARE\iWebar-nv-ie, Quarantined, [24969314f79459dd76f97530e51e52ae],
PUP.Optional.ConsumerInput, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\ConsumerInput, Quarantined, [ffbbe2c53a51e1551f09138002016a96],
PUP.Optional.InstantSupport, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\ISTab, Quarantined, [52680e990289ba7c4ae18b7f986cd62a],
PUP.Optional.iWebar, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\iWebar-nv-ie, Quarantined, [c8f21e89dbb04ee8244b644150b331cf],
Adware.NowUSeeIt, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\NowUSeeItPlayer, Quarantined, [af0be6c1a3e889ad523f6f8722e1f40c],
PUP.Optional.Birds, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\3DODO, Quarantined, [299111964942092de7e631d9f90b4cb4],
PUP.Optional.PCAcceleratePro, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\APTAB, Quarantined, [4f6b3b6c1e6ddb5bdbf8759509fb60a0],
PUP.Optional.Birds, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\ARAPONGA, Quarantined, [64564760830895a1bb13ae5c60a4867a],
PUP.Optional.Birds, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\BIRDS, Quarantined, [1e9c7a2d5a3157dfebe4e129d82c1ce4],
PUP.Optional.SystemSpeedup, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\SYSTWEAK\ssd, Quarantined, [6159d7d04447d75f53bf7352d72ba15f],

Registry Values: 26
PUP.Optional.ConsumerInput, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{7D87094D-49E1-4C72-8C9E-3D937A119BE5}|AppPath, C:\Program Files (x86)\Consumer Input\InternetExplorer, Quarantined, [2c8e3176503bb87e8efa09c6ff043bc5]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\chrome.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130932372148851201, Quarantined, [aa10eabda8e3fc3af088913280837a86]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\explorer.xxx|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130932372148851201, Quarantined, [46740b9cee9d6dc9f8801aa92ad9629e]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\firefox.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130932372148851201, Quarantined, [4b6fddcae4a76bcbe791685b3bc83dc3]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\iexplore.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130932372148851201, Quarantined, [42787b2c612a2610f187bd0631d226da]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\software_removal_tool.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130932372148851201, Quarantined, [447686217b105fd7b7c1d7eca75c8080]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\software_reporter_tool.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130932372148851201, Quarantined, [ad0d891e484315210c6ca41f59aaf60a]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\LAYERS\VC32Ldr  |{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130932372148851201, Quarantined, [02b8abfc5a31e45224558d3606fd817f]
PUP.Optional.Shopperz.BrwsrFlsh, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|{5F66DA3E-738A-41C7-b2B4-70D771A4DD33}, C:\Program Files\shopperz261120150005\Firefox\{5F66DA3E-738A-41C7-b2B4-70D771A4DD33}.xpi, Quarantined, [764440673a51d3635ab3058224df47b9]
PUP.Optional.Groover.BrwsrFlsh, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|{DE9495F1-E73B-4D0A-81D9-BC2CCF23CD71}, C:\Program Files\groover271120150045\Firefox\{DE9495F1-E73B-4D0A-81D9-BC2CCF23CD71}.xpi, Quarantined, [635780271a7167cf3a96daac768d8a76]
PUP.Optional.Shopperz.BrwsrFlsh, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|{50DAC1E6-5C20-4048-81BC-A2EEC9E3D673}, C:\Program Files\shopperz271120150030\Firefox\{50DAC1E6-5C20-4048-81BC-A2EEC9E3D673}.xpi, Quarantined, [a317d1d6cfbc0333a568a0e722e1bb45]
PUP.Optional.Shopperz.BrwsrFlsh, HKLM\SOFTWARE\MOZILLA\FIREFOX\EXTENSIONS|{28D1332A-E088-44B5-97EA-C061DD70D082}, C:\Program Files\shopperz271120150257\Firefox\{28D1332A-E088-44B5-97EA-C061DD70D082}.xpi, Quarantined, [a218f4b3d2b99d990b026e19867d4db3]
PUP.Optional.ConsumerInput, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{7D87094D-49E1-4C72-8C9E-3D937A119BE5}|AppPath, C:\Program Files (x86)\Consumer Input\InternetExplorer, Quarantined, [4a700a9df19a7eb8f8906f60669d8d73]
PUP.Optional.Shopperz.BrwsrFlsh, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|{5F66DA3E-738A-41C7-b2B4-70D771A4DD33}, C:\Program Files\shopperz261120150005\Firefox\{5F66DA3E-738A-41C7-b2B4-70D771A4DD33}.xpi, Quarantined, [2991b9eedfac50e6dc31008757ac9070]
PUP.Optional.Groover.BrwsrFlsh, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|{DE9495F1-E73B-4D0A-81D9-BC2CCF23CD71}, C:\Program Files\groover271120150045\Firefox\{DE9495F1-E73B-4D0A-81D9-BC2CCF23CD71}.xpi, Quarantined, [c5f57433dcaf45f1943cbfc79d66c23e]
PUP.Optional.Shopperz.BrwsrFlsh, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|{50DAC1E6-5C20-4048-81BC-A2EEC9E3D673}, C:\Program Files\shopperz271120150030\Firefox\{50DAC1E6-5C20-4048-81BC-A2EEC9E3D673}.xpi, Quarantined, [82389512652650e67a93b6d1c63d39c7]
PUP.Optional.Shopperz.BrwsrFlsh, HKLM\SOFTWARE\WOW6432NODE\MOZILLA\FIREFOX\EXTENSIONS|{28D1332A-E088-44B5-97EA-C061DD70D082}, C:\Program Files\shopperz271120150257\Firefox\{28D1332A-E088-44B5-97EA-C061DD70D082}.xpi, Quarantined, [0bafcdda1576a393d538f097877ce61a]
PUP.Optional.BrowserAir, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SHAREDACCESS\PARAMETERS\FIREWALLPOLICY\FIREWALLRULES|{2EA1DDA1-C1D1-4C4F-8FFA-29090D868605}, v2.20|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=5353|App=C:\Users\tyler\AppData\Local\BrowserAir\Application\BrowserAir.exe|Name=BrowserAir (mDNS-In)|Desc=Inbound rule for BrowserAir to allow mDNS traffic.|EmbedCtxt=BrowserAir|, Quarantined, [e9d14265bad158de3959c040986c956b]
PUP.Optional.Birds, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\3DODO|path, C:\Users\tyler\AppData\Local\Birds365, Quarantined, [299111964942092de7e631d9f90b4cb4]
PUP.Optional.PCAcceleratePro, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\APTAB|hb, 1, Quarantined, [4f6b3b6c1e6ddb5bdbf8759509fb60a0]
PUP.Optional.Birds, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\ARAPONGA|Araponga, http://love.bengalflorican.com/birds247/installs.html, Quarantined, [64564760830895a1bb13ae5c60a4867a]
PUP.Optional.Birds, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\BIRDS|play, start, Quarantined, [1e9c7a2d5a3157dfebe4e129d82c1ce4]
PUP.Optional.PCAcceleratePro, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|PCAcceleratePro.exe, 8888, Quarantined, [8e2c5552236881b5ce56e12c758f54ac]
PUP.Optional.DeskBar, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION|DeskBar.exe, 8888, Quarantined, [3e7c41665d2e38fe6c776d9e9f65966a]
PUP.Optional.Birds, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Birds, C:\Users\tyler\AppData\Local\Birds\birds365.exe, Quarantined, [ceec5552b0db3afcc26302d3a162bf41]
Adware.NowUSeeIt, HKU\S-1-5-21-1163751298-4046332558-3257735069-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|NowUSeeIt Player, "C:\Program Files (x86)\NowUSeeItPlayer\NowUSeeItPlayer.exe" /autostart=1, Quarantined, [b5055651fe8d2412946ad5271be836ca]

Registry Data: 0
(No malicious items detected)

Folders: 1
PUP.Optional.DownServe, C:\Program Files (x86)\Microsoft.NET\v2.0.507233, Quarantined, [b2086b3c4d3e5dd98d7f42c736cec13f],

Files: 3
PUP.Optional.FakeIELaunch, C:\Users\tyler\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet-Explorer Browser.lnk, Quarantined, [e4d60d9a256650e6d288d8fa49ba46ba],
PUP.Optional.DownServe, C:\Program Files (x86)\Microsoft.NET\v2.0.507233\corecfg.ini, Quarantined, [b2086b3c4d3e5dd98d7f42c736cec13f],
PUP.Optional.TaskRNDM, C:\Windows\SysWOW64\sc.bat, Quarantined, [0fab9116c8c3ac8a4868585e5ea624dc],

Physical Sectors: 0
(No malicious items detected)

(end)
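
The registry entries in the log above are the persistence points this adware used: per-user Run values, AppCompat shim databases (the `.sdb` entries under `AppCompatFlags\Custom` and `InstalledSDB`), machine-wide Firefox extension registrations, and an IE Low Rights elevation policy. As an added example, not part of this thread and not a Malwarebytes tool, the PowerShell below re-enumerates those locations on the cleaned machine so the result can be checked by hand; the "Suspicious" column is a heuristic of my own, not a detection rule.

```powershell
# Added example (not a Malwarebytes or forum tool): re-enumerate the persistence
# locations that the scan log flagged, so the cleanup can be re-checked.
# Run from an elevated PowerShell prompt on the cleaned machine.
function Get-KeyValues {
    # Yield every value stored under $Path and under all of its subkeys.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key  = $key.Name
                Name = $name
                Data = [string]$key.GetValue($name)
            }
        }
    }
}

function Get-PersistenceEntries {
    $sw = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE'
    $paths = @(
        # AppCompat shim registrations: the log's Trovi/SearchProtect .sdb entries lived here
        "$sw\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom",
        "$sw\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB",
        # Machine-wide Firefox extension registrations (Shopperz, Groover in the log)
        "$sw\Mozilla\Firefox\Extensions",
        "$sw\WOW6432Node\Mozilla\Firefox\Extensions",
        # IE Protected Mode elevation policy (ConsumerInput in the log)
        "$sw\Microsoft\Internet Explorer\Low Rights\ElevationPolicy",
        "$sw\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy",
        "$sw\Microsoft\Windows\CurrentVersion\Run",
        "$sw\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
    )
    # Per-user Run keys of every loaded profile hive (the log showed Birds and
    # NowUSeeIt Player under HKU\S-1-5-21-...-1001\...\Run).
    foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
        if ($hive.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$') {
            $paths += "Registry::$($hive.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        }
    }
    foreach ($p in $paths) {
        # Heuristic only (my assumption): shim databases and launch paths under the
        # user profile are where this log's adware lived; flag them for a manual look.
        Get-KeyValues -Path $p | Select-Object Key, Name, Data, @{
            n = 'Suspicious'
            e = { $_.Name -match '\.sdb$' -or $_.Key -match '\\InstalledSDB\\' -or
                  $_.Data -match '\\AppData\\|\\Temp\\' }
        }
    }
}

Get-PersistenceEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

An empty listing for the Custom, InstalledSDB and Extensions keys, and only known software in the Run keys, is what a clean result looks like; anything flagged deserves the same FRST or Malwarebytes follow-up the thread used.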


Since there are no more problems, we can declare this PC clean.

Now, we can proceed with post-cleanup procedures. Let's remove my tools and create a new, non-infected restore point, concurrently deleting old ones.

Step 1. - Creation of system restore point and tools removal.

Download DelFix by Xplode and save it to your desktop.

  • Run the tool by right-clicking the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt). I don't need it for review.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Step 2. - Tips and tricks to keep your computer clean, safe and in a good shape.

Security tips - highly recommended reading:

Maintenance tips:

Additional software that I personally use and install on all my clients' devices:
  • Malwarebytes' Anti-Malware (paid version highly recommended) - to scan your system from time to time in search for malware.
  • Malwarebytes' Anti-Exploit - to prevent exploitation of many commonly targeted vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • Unchecky - to prevent the installation of additional foistware included in legitimate installers.
  • Adblock - to surf the web without annoying ads!
  • Qualys BrowserCheck - cloud service that scans your browsers and plugins to see if they’re all up-to-date.

My help is free for everybody.

If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation.

Thank you!

Stay safe,

TwinHeadedEagle :)


All Finished!!!... Many thanks for all your help...  We have been very pleased with your response time and knowledge... My Grandson is so excited to have his PC back!!!

I have sent you a small donation via PayPal....  Hopefully we can send a little more after the first of the year!!! 

Thank You Again!!!  :)


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.