Jump to content

Recommended Posts

I can't get rid of Adware.elex malware. I aleady followed the removal suggestions in this related topic:

... but as soon as I restart Windows, the malware is back.

I'm attaching the log files from Malwarebytes and Rogue Killer. For some reason Farbar Recovery Scan Tool won't run on my laptop, not even after I disabled antivirus and anti-malware tools.

Any help would be much appreciated. Thanks!

MB.txt

RK.txt

Link to post
Share on other sites

  • Replies 52
  • Created
  • Last Reply

Top Posters In This Topic

Hello logo12 and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Continue with the following:

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC..

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked

[Adw.Elex] (X64) HKEY_LOCAL_MACHINE\Software\InterSect Alliance -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost | WANARE : (C:\Users\logo\AppData\Local\WANARE\Snare.dll) [-] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WANARE (C:\Users\logo\AppData\Local\WANARE\Snare.dll) -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{4DB47A16-354C-46D0-9FA2-629A6099DF13}C:\users\logo\appdata\local\popcorn-time\popcorn-time.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\users\logo\appdata\local\popcorn-time\popcorn-time.exe|Name=popcorn-time.exe|Desc=popcorn-time.exe|Defer=User| [x] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{7C95D467-9D7C-42AE-98A9-0989778AC831}C:\users\logo\appdata\local\popcorn-time\popcorn-time.exe : v2.10|Action=Allow|Active=TRUE|r=In|Protocol=17|Profile=Private|App=C:\users\logo\appdata\local\popcorn-time\popcorn-time.exe|Name=popcorn-time.exe|Desc=popcorn-time.exe|Defer=User| [x] -> Found


Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked

[PUP.Gen1][File] C:\Users\logo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Popcorn Time.lnk [LNK@] C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
[Hj.Shortcut][File] C:\$RECYCLE.BIN\S-1-5-21-356737074-1852378437-2674757308-1001\$R2UGQZD.lnk [LNK@] C:\PROGRA~2\MOZILL~1\firefox.exe http://bigfarm.goodgamestudios.com/?w=239064 -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Popcorn Time -> Found


Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.
 
Next,
 

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.

Or from this Mirror
 
  • Double click on Adwcleaner.exe to run the tool
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Download Sophos Free Virus Removal Tool and save it to your desktop.

If your security alerts to this scan either accept the alert or turn off your security to allow Sophos to run and complete.....

Please Do Not use your PC whilst the scan is in progress.... This scan is very thorough so may take several hours...
 
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
  • If no threats were found please confirm that result....



The Virus Removal Tool scans the following areas of your computer:
  • Memory, including system memory on 32-bit (x86) versions of Windows
  • The Windows registry
  • All local hard drives, fixed and removable
  • Mapped network drives are not scanned.



Note: If threats are found in the computer memory, the scan stops. This is because further scanning could enable the threat to spread. You will be asked to click Start Cleanup to remove the threats before continuing the scan.

Let me see those logs in your reply, also tell me if you have any remaining issues or concerns...

Thank you,

Kevin...

 

 

 

Link to post
Share on other sites

RogueKiller log does not show the following entries that were listed for removal, did you leave these out...?

Quote

Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked

[PUP.Gen1][File] C:\Users\logo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Popcorn Time.lnk [LNK@] C:\PROGRA~2\POPCOR~1\POPCOR~1.EXE -> Found
[PUP.Gen1][Folder] C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Popcorn Time -> Found
[Hj.Shortcut][File] C:\$RECYCLE.BIN\S-1-5-21-356737074-1852378437-2674757308-1001\$R2UGQZD.lnk [LNK@] C:\PROGRA~2\MOZILL~1\firefox.exe http://bigfarm.goodgamestudios.com/?w=239064 -> Found
[PUP.Gen1][Folder] C:\Program Files (x86)\Popcorn Time -> Found

What is happening with your PC, any remaining issues or concerns...

Link to post
Share on other sites

Hi Kevin,

These entries didn't show when I ran RK this time -- I'd probably deleted them after I ran RK before.

I just ran Malwarebytes again, and no threats were detected. So all seems fine for now.

I'll keep you posted in case adware.elex comes back over the next few days.

Please let me know if you have any further advice on how to stop it for good.

Thanks again!

Link to post
Share on other sites

Thanks for the update, continue with the following to clean up:

Uninstall Sophos AV http://www.askvg.com/how-to-completely-uninstall-remove-a-software-program-in-windows-without-using-3rd-party-software/

Next,

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

hello again, as it happened before malwares are back after a few days from removal (malwares removed; laptop stays clean for a few days; suddenly, threats start to be detected again).

I'm trying to stay as safe as I can when online. Actually, I haven't used this PC at all since last cleaning on Sun. This morning I ran rogue killer & malwarebytes before removing the cleaning tools, and a few threats were detected again (logs attached).

Any ideas on more advanced tools I could try? Thanks!

RK.txt

MB.txt

Link to post
Share on other sites

Did you install anything to do with Tencent....?

Run RogueKiller again and delete all found entries.  Post its log.

Run Malwarebytes again, make sure to quarantine all found entries...

Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Alternative download option: http://www.techspot.com/downloads/6731-farbar-recovery-scan-tool.html

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...

Be aware FRST must be run from an account with Administrator status...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer.(Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach that log to your reply.

Post those logs in your reply.....

Thank you,

Kevin...

Link to post
Share on other sites

Thank you, Kevin. Nope, I haven't installed anything on the laptop (never heard of Tencent before). I've only been online this morning to update antimalwares databases.

I had already deleted the entries found by Rogue Killer. I've run it again and found new ones -- log attached + FRST logs.

No new detections by Malwarebytes.

RK.txt

Addition.txt

FRST.txt

Link to post
Share on other sites

Thanks for those logs, continue with the following:

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was ran from. Please post it to your reply.

Next,

Please download Zemana AntiMalware and save it to your Desktop.
 
  • Install the program and once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
     
  • Open Zemana AntiMalware again.
  • Click on user posted image icon and double click the latest report.
  • Now click File > Save As and choose your Desktop before pressing Save.
  • Attach saved report in your next message.

Let me see those logs in your reply..... Also let me know if there are any remaining issues or concerns...

Thank you,

Kevin

 

fixlist.txt

Link to post
Share on other sites

This is a right PITA for sure, we must be missing a well hidden dropper...

Right click on RogueKiller.exe and select "Run as Administrator" to start the tool, accept UAC..

In the new window the "Home" tab should already be selected, Change by selecting "Scan" tab, then select "Start Scan"

user posted image

When the scan completes Checkmark (tick) the following against Registry entries, ensure that all other entries are not Checkmarked

[Adw.Elex] (X64) HKEY_LOCAL_MACHINE\Software\InterSect Alliance -> Found
[PUP.OnlineIO] (X64) HKEY_LOCAL_MACHINE\Software\Microleaves -> Found
[PUP.UCBrowser|PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[Adw.FakeBro] (X86) HKEY_LOCAL_MACHINE\Software\Boxbob -> Found
[PUP.Ghokswa] (X86) HKEY_LOCAL_MACHINE\Software\Firefox -> Found
[PUP.OnlineIO] (X86) HKEY_LOCAL_MACHINE\Software\Microleaves -> Found
[PUP.UCBrowser|PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowser -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\UCBrowserPID -> Found
[PUP.Gen1] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564 -> Found
[PUP.Gen0] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\KzShlobj | (default) : {AAA0C5B8-933F-4200-93AD-B143D7FFF9F2} -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{2F37166D-05D6-4629-9D15-7986FEA8AFE0}C:\program files (x86)\popcorn time\chromecast\node.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files (x86)\popcorn time\chromecast\node.exe|Name=node.exe|Desc=Evented I/O for V8 JavaScript|Defer=User| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{F1498064-CA1A-487E-9B7A-5904C322B179}C:\program files (x86)\popcorn time\chromecast\node.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files (x86)\popcorn time\chromecast\node.exe|Name=node.exe|Desc=Evented I/O for V8 JavaScript|Defer=User| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{5954D41F-071E-4449-B339-983E49B688B9}C:\program files (x86)\popcorn time\popcorntimedesktop.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\program files (x86)\popcorn time\popcorntimedesktop.exe|Name=Popcorn Time|Desc=popcorntimedesktop|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{19EA2853-B959-4525-AD83-E1F49843557A}C:\program files (x86)\popcorn time\popcorntimedesktop.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\program files (x86)\popcorn time\popcorntimedesktop.exe|Name=Popcorn Time|Desc=popcorntimedesktop|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {1046166E-079C-404D-9228-E0BC9AAF387C} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Private|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {BF4EBAEA-27CA-4EA9-B774-BE5A76ABD927} : v2.25|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {61B07F92-9BDC-4E0A-AAE4-F95CF91DC2BF} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C5F7B803-9198-4B99-A1FC-512D5AAE3EB2} : v2.26|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\Program Files (x86)\Popcorn Time\Updater.exe|Name=Updater.exe| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{71BA7F4B-5A0D-4277-B9C4-B5A8B6A0E97C}C:\program files (x86)\popcorn time\popcorntimedesktop.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\popcorn time\popcorntimedesktop.exe|Name=Popcorn Time|Desc=popcorntimedesktop|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{45435A2A-A585-44F4-B9BD-9F745E02F74F}C:\program files (x86)\popcorn time\popcorntimedesktop.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\popcorn time\popcorntimedesktop.exe|Name=Popcorn Time|Desc=popcorntimedesktop|Edge=TRUE|Defer=App| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | TCP Query User{ACAE303E-B049-456B-89D2-71A7E92348B3}C:\program files (x86)\popcorn time\chromecast\node.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\program files (x86)\popcorn time\chromecast\node.exe|Name=node.exe|Desc=Evented I/O for V8 JavaScript|Defer=User| [x] -> Found
[PUP.Gen1] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | UDP Query User{FF800A58-8812-411B-94A7-45CB1DF2FD36}C:\program files (x86)\popcorn time\chromecast\node.exe : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Public|App=C:\program files (x86)\popcorn time\chromecast\node.exe|Name=node.exe|Desc=Evented I/O for V8 JavaScript|Defer=User| [x] -> Found
[PUP.Ghokswa] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {E9F4E88B-41BC-4EBA-A12C-E3A3FB72C4DE} : v2.26|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files (x86)\Firefox\Firefox.exe|Name=Firefox browser| [x] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUP.UCBrowser] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{65122CB0-EA0F-47DF-A953-017170ED12F9} | StubPath : "C:\Program Files (x86)\UCBrowser\Application\6.1.2107.201\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --wow-install-target-path="C:\Program Files (x86)\UCBrowser" [x] -> Found


Checkmark (tick) the following against File entries, ensure that all other entries are not Checkmarked

[File.Forged|VT.Unknown][File] C:\Windows\ntbtlog.txt -> Found

Hit the Delete button, when complete select "Open Report" in the next window select "Export txt" the log will open. Save to your Desktop for reference, also attach to next reply.

Next,

Please download Gmer from Here by clicking on the "Download EXE" Button.
 
  • Double click on the randomly named GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    Sections
    IAT/EAT
    Show All
    ( should be unchecked by default )
     
  • Leave everything else as it is.
  • Close all other running Programs as well as your Browsers.
  • Click the Scan button & wait for it to finish.
  • Once done click on the Save.. button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.



Please post the content of the ark.txt here.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries

**If GMER crashes** Follow the instructions here and disable your security temporarily…

Post those logs in your next reply...

Thank you,

Kevin

Link to post
Share on other sites

Hi, here are the logs (RK: I had alerady deleted some of the entries you listed after an earlier scan).

I'm not sure GMER removed entries: there was no relevant option at the end of the scan, and the 'delete' option when I right-clicked on each entry wasn't active.

Anything I should do? Thanks!

RK.txt

ark.txt

Link to post
Share on other sites

hello again, just scanned my pc and found plenty of new threats ... RK, MB & ADW logs attached.
This time I also found two random game desktop shortcuts & Chrome browser icon on desktop that I certainly didn't install; nor have I installed any softwares/updates or opened suspicious attachments, links, etc. that might explain the shortcuts.
It appears all the tools I ran so far have been useless against this malware. Is there a way to get rid of it, or should I just do a clean install of Windows? Thank you!

RK.txt

MB.txt

AdwCleaner[C0].txt

Link to post
Share on other sites

Thanks for the reply/log... Continue with the following..

Make clean installs of Firefox and Chrome..

Make a "Clean" install Firefox:

Use the following link for instructions how to back up your bookmarks, same link can be used to import saved Bookmarks:

https://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

Next,

Remove all synced data from Firefox to stop possible re-infection or exploitation.

https://support.mozilla.org/t5/Sync-and-Save/How-do-I-set-up-Sync-on-my-computer/ta-p/21417

Next,

Go here: http://www.mozilla.org/en-US/ download save the latest version of Firefox.. We will install this later...

Next,

Lets totally remove Firefox and start over.

Go here: https://support.mozilla.org/en-US/kb/uninstall-firefox-from-your-computer and follow those instructions...

Ensure when the uninstall completes to navigate to and delete the firefox installation folder (if present):

(32-bit Windows) C:\Program Files\Mozilla Firefox
(64-bit Windows) C:\Program Files (x86)\Mozilla Firefox

It is essential the installation folder is removed. Re-boot your system when that is completed....

Next,

To remove all remaining data and profile information...

Press "Windows key + R" to open the Run box
In the Run box, type in or copy and paste %APPDATA%
Click OK. A Windows Explorer window will appear.
In this window, choose/open in succession Mozilla > Firefox > Profiles.
Select Delete on each entry in reverse, eg Profiles > Delete. Firefox > Delete. Mozilla > Delete.

Re-boot your system when complete!

Next,

Use the Mozilla Firefox installer to reinstall your Browser....

When Firefox is installed and open select these keys together :- Ctrl - Shift - A that will access Addons manger, this gives access to find addons/extensions, use, start, stop or disable those features etc....

Ensure to use search to find and install AdBlock plus, Flashblock and DrWeb Anti-Virus Link Checker plus any other addons you normally use.... Now try surfing, see what happens...

Next,

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Remove all synced data from Chrome go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essntial that any/all synced data is removed when the browser is hijacked or exploited in anyway...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Install Google Chrome :

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Install DrWeb Link Ant-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en

Next,

user posted imageEmsisoft Emergency Kit
  • Click Here to download Emsisoft Emergency Kit. The download will automatically start after a moment.
  • Save EmsisoftEmergencyKit.exe to your Desktop.
  • Double click on EmsisoftEmergencyKit.exe (Windows Vista/7/8/10 users: Accept UAC warning if it is enabled). A screen like this will appear:
    user posted image
     
  • Leave everything as it is, then click Extract. This will unpack Emsisoft Emergency Kit to the EEK folder located in the root drive (usually C:\).
  • Once the extraction is done, an icon will appear on your Desktop. Double click it to start Emsisoft Emergency Kit.
    user posted image
     
  • Wait for Emsisoft Emergency Kit to finish loading signatures. A screen like this should appear:
    user posted image
     
  • Choose Yes, then wait for EEK to finish updating.
  • Choose Malware Scan under the Scan button. When EEK asks to activate PUP detection, choose Yes.
  • Wait for the scan to finish.
    user posted image
     
  • If EEK detects something, all detected items will be displayed. Place a checkmark before everything, then choose Quarantine Selected.
  • If Emsisoft Emergency Kit asks to reboot, please do so immediately.
  • The scan log is located in Logs -> Scan Logs. Click on the entry of the latest scan, choose Export and save the report on your Desktop.
    user posted image
     
  • Please Copy and Paste the contents of the scan log in your next reply.


Let me see that log in your reply, also tell me if there are any remaining isues or concerns...

Thank you,

Kevin
Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.