
Cleaning infected computer




My name is Valinorum and I will be the acolyte today. Before we proceed, please acknowledge the following:

  • Please do not create any new threads on this while we are working on your system as it wastes another volunteer's time. If you are being helped/have solved the issue/no longer wish to continue, notify me in your reply and I will quickly close this thread. Failing to comply will result in denial of future assistance.
  • Please do not install any new software while we are working on this system as it may hinder our process.
  • Malware removal is a complicated process, so don't stop following the steps even if the symptoms are not found. Keep up with me until I declare you clean.
  • Please do not try to fix anything without being asked.
  • Please do not attach your logs or put them inside code/quote tags. Do a Copy/Paste of the entire contents of the log file and submit it inside your post unless directed otherwise.
  • Please print or save the instructions I give you for quick reference. We may be using Safe mode which will cut you off from the internet and you will not always be able to access this thread.
  • Back up your data. I will not knowingly suggest any course to you that might damage your system, but sometimes malware infections are so severe that the only option we have is to re-format and re-install the operating system.
  • If you are confused about any instruction, stop and ask. Do not keep on going.
  • Do not repeat the steps if you face any problems.
  • I am not omniscient. There are things even I cannot foresee. But what I know took years to learn and perfect. This site is run by volunteers who help people in need in their own free time. I would ask you to respect their time and be patient, as sometimes real life demands our time and replies to you can be delayed.
  • Private Message (PM) me if and only if I have not responded to your thread within three days or your query is off-topic and personal. Do not PM me under any other circumstances. Your thread is the only medium of communication.
  • The fixes are for your system only. Please refrain from using these fixes on another system as it may do serious damage.

  • Step #1 Fix with AdwCleaner
    • Download AdwCleaner to your Desktop from the following link.
    • Right-click on AdwCleaner.exe and choose Run as administrator;
    • Click on Tools>Option and put a tick mark as shown in the image below;
    • Click on Scan and let the program run unhindered;
    • When done, click on Clean and allow the system to reboot after it is done;
    • A log will be opened automatically after the restart. If not, it is located in C:\AdwCleaner\AdwCleaner[CX].txt, where X is replaced with a number;
    • Copy and Paste the contents of this log in your reply.

  • Step #2 ESET Online Scanner
    Disable your security programs, which include but are not limited to anti-virus, anti-malware and anti-spyware. Peruse this for additional information.
    • Download esetsmartinstaller_enu.exe by clicking here.
    • Right-click on the program and choose Run as administrator.
    • Accept their terms and conditions and proceed.
    • Install Add-On/ActiveX if prompted.
    • From the Computer Scan Setting check the following box --
      • Enable detection for potentially unwanted programs
    • Click on Advanced Setting --
      • Check the box beside Remove Found Threats;
      • Check the box beside Scan archives
      • Check the box beside Scan for potentially unsafe applications
      • Check the box beside Enable Anti-Stealth Technology
    • Click on Start and wait for the virus signature database to update.
    • The online scan will begin automatically and can take several hours.
      • Note: Do not touch the mouse or keyboard during the scan; otherwise it may stall.
    • After the Scan finishes --
      • If no threats were found:
        • Put a checkmark in Uninstall application on close.
        • Close the program and report that nothing was found.
      • If threats were found:
        • Open the file located in C:\Program Files\ESET\ESET Online Scanner\log.txt (32-bit) or C:\Program Files (x86)\ESET\ESET Online Scanner\log.txt (64-bit).
        • Copy and Paste contents of the log file in your next reply.

    Note: Enable your security programs afterwards.


AdwCleaner log. The other scan is still running right now and I will post that later.



# AdwCleaner - Logfile created on Fri Aug 18 19:07:31 2017
# Updated on 2017/05/08 by Malwarebytes 
# Running on Windows 7 Home Premium (X64)
# Mode: clean
# Support: https://www.malwarebytes.com/support

***** [ Services ] *****

Deleted: BeFrugal.com Service

***** [ Folders ] *****

Deleted: C:\Users\mzlindaniles\AppData\LocalLow\HPAppData
Deleted: C:\Users\mzlindaniles\AppData\Roaming\iWin
Deleted: C:\Users\mzlindaniles\AppData\LocalLow\Toolbar4
Deleted: C:\Users\mzlindaniles\AppData\Roaming\Yahoo!\Companion
Deleted: C:\ProgramData\apn
Deleted: C:\ProgramData\Application Data\apn
Deleted: C:\Users\All Users\apn
Deleted: C:\Users\mzlindaniles\AppData\LocalLow\Inbox Toolbar
Deleted: C:\Program Files (x86)\Crawler
Deleted: C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
Deleted: C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
Deleted: C:\ProgramData\{18165758-115C-4DC0-9EC2-FF89F725767F}
Deleted: C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
Deleted: C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
Deleted: C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
Deleted: C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
Deleted: C:\ProgramData\{93E26451-CD9A-43A5-A2FA-C42392EA4001}
Deleted: C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
Deleted: C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
Deleted: C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
Deleted: C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log

***** [ Files ] *****

Deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
Deleted: C:\Users\All Users\Desktop\eBay.lnk
Deleted: C:\Users\Public\Desktop\eBay.lnk

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks deleted.

***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\Yahoo\Companion
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{761F6A83-F007-49E4-8EAC-CDB6808EF06F}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{97D69524-BB57-4185-9C7F-5F05593B771A}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{2335A057-CBA6-40F6-A712-C6A7C98F7813}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2335A057-CBA6-40F6-A712-C6A7C98F7813}
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2335A057-CBA6-40F6-A712-C6A7C98F7813}
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2335A057-CBA6-40F6-A712-C6A7C98F7813}
Deleted: [Key] - HKLM\SOFTWARE\Classes\Interface\{8233093C-178B-484B-979E-3C6B5B147DBC}
Deleted: [Key] - HKLM\SOFTWARE\Classes\TypeLib\{B722ED8B-0B38-408E-BB89-260C73BCF3D4}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{F51C15D4-3D0A-4DBA-A095-EBCC09F24DA2}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\{7D831388-D405-4272-9511-A07440AD2927}
Deleted: [Key] - HKLM\SOFTWARE\Classes\AppID\YMERemote.DLL
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries deleted.

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries deleted.


::Tracing keys deleted
::Winsock settings cleared
::Image File Execution Options%s keys deleted
::Prefetch files deleted
::Proxy settings cleared
::TCP/IP settings cleared
::Firewall rules cleared
::IPSec settings cleared
::BITS queue cleared
::IE policies deleted
::Chrome policies deleted
::Additional Actions: 0


C:/AdwCleaner/AdwCleaner[S0].txt - [4371 B] - [2017/8/18 19:5:11]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt ##########


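The AdwCleaner log pasted above is organised into `***** [ Section ] *****` banners with one `Deleted:` line per item, and the Registry section repeats the same GUID across several keys (a CLSID key, a Browser Helper Objects key, per-user `Ext\Stats` and `Ext\Settings` keys). The following parser is an added example, not Malwarebytes' code: it groups the deleted items by section and correlates the registry keys by GUID so that one add-on's multiple registrations are visible together. The sample log inside it is constructed and abbreviated, with placeholder names, paths and GUIDs.

```python
"""Group an AdwCleaner clean-mode log by section and correlate the deleted
registry keys by GUID.  Added example, not Malwarebytes' code; the banner and
'Deleted:' line shapes follow the log pasted in this thread, and SAMPLE_LOG is
a constructed, abbreviated log with placeholder GUIDs and paths."""
import re
from collections import defaultdict

_SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")        # ***** [ Registry ] *****
_GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_adwcleaner_log(text: str) -> dict:
    """Return {section name: [items on 'Deleted:' lines]}; sections that only
    say 'No malicious ... cleaned.' are left out."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        banner = _SECTION.match(line)
        if banner:
            current = banner.group(1)
        elif current and line.startswith("Deleted:"):
            sections[current].append(line[len("Deleted:"):].strip())
    return dict(sections)


def registry_by_guid(entries: list) -> dict:
    """Map each GUID (upper-cased) to the registry keys that mention it.
    One browser add-on typically leaves a CLSID key, a Browser Helper
    Objects key and per-user Ext\\Stats / Ext\\Settings keys under one GUID."""
    by_guid = defaultdict(list)
    for entry in entries:
        _kind, _, path = entry.partition(" - ")      # '[Key] - HKLM\\...'
        for guid in {g.upper() for g in _GUID.findall(path)}:
            by_guid[guid].append(path)
    return dict(by_guid)


def summarize(text: str) -> dict:
    sections = parse_adwcleaner_log(text)
    reg = registry_by_guid(sections.get("Registry", []))
    return {
        "counts": {name: len(items) for name, items in sections.items()},
        # GUIDs registered in more than one place: one component, several hooks
        "multi_registered": {g: p for g, p in reg.items() if len(p) > 1},
        "bho_guids": sorted(g for g, p in reg.items()
                            if any("Browser Helper Objects" in x for x in p)),
    }


# Constructed sample log (placeholder service name, paths and GUIDs).
SAMPLE_LOG = r"""
# AdwCleaner - constructed sample
# Mode: clean

***** [ Services ] *****

Deleted: Example Helper Service

***** [ Folders ] *****

Deleted: C:\ProgramData\ExampleToolbar
Deleted: C:\Users\user\AppData\LocalLow\ExampleToolbar

***** [ Files ] *****

Deleted: C:\Users\Public\Desktop\Example.lnk

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ Registry ] *****

Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}
Deleted: [Key] - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}
Deleted: [Key] - HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-0000-0000-0000-000000000001}
Deleted: [Key] - HKLM\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000002}
Deleted: [Key] - HKLM\SOFTWARE\ExampleVendor\Companion

::Proxy settings cleared
"""

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run against a real `C:\AdwCleaner\AdwCleaner[CX].txt`, the `multi_registered` map is the quickest way to see how many distinct add-ons the registry deletions actually represent, and `bho_guids` singles out the ones that were hooked into Internet Explorer as Browser Helper Objects.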


ESETSmartInstaller@High as downloader log:
Can not open internet
ESETSmartInstaller@High as downloader log:
Can not open internet
# product=EOS
# version=8
# OnlineScannerApp.exe=
# EOSSerial=9284d11b8387234198d2394b47004d5a
# end=init
# utc_time=2017-08-18 07:18:06
# local_time=2017-08-18 02:18:06 (-0600, Central Daylight Time)
# country="United States"
# osver=6.1.7601 NT Service Pack 1
Update Init
Update Download
Update Finalize
Updated modules version: 34446
# product=EOS
# version=8
# OnlineScannerApp.exe=
# EOSSerial=9284d11b8387234198d2394b47004d5a
# end=updated
# utc_time=2017-08-18 07:23:33
# local_time=2017-08-18 02:23:33 (-0600, Central Daylight Time)
# country="United States"
# osver=6.1.7601 NT Service Pack 1
# product=EOS
# version=8
# OnlineScannerApp.exe=
# OnlineScanner.ocx=
# api_version=3.1.1
# EOSSerial=9284d11b8387234198d2394b47004d5a
# engine=34446
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2017-08-19 04:58:56
# local_time=2017-08-18 11:58:56 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='Norton Security *'
# compatibility_mode=3603 16777213 100 86 774782 2965560 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 66 85 128520110 254662186 0 0
# scanned=419494
# found=5
# cleaned=5
# scan_time=34522
sh=325E731D317FB0D81FE28FD4545062D09C7589E3 ft=1 fh=60deeae98ff4a745 vn="a variant of Win32/AdInstaller potentially unwanted application (cleaned by deleting)" ac=C fn="C:\Users\mzlindaniles\Documents\Dictionary\DictionaryBoss.exe"
sh=3B6118F8F80E489613A7DA50479B702DEBB39804 ft=1 fh=778c92552a6808c4 vn="a variant of Win32/Adware.Coupons.AA application (cleaned by deleting)" ac=C fn="C:\Users\mzlindaniles\Downloads\CouponPrinter.exe"
sh=5824B8D927C533484F6499CF201F9AFFE8F21E1F ft=1 fh=1d005e947f2a5474 vn="a variant of Win32/Adware.Coupons.AA application (cleaned by deleting)" ac=C fn="C:\Users\mzlindaniles\Downloads\CouponPrinterCPS.exe"
sh=EA0EE3C9B4FB6B2B00B0074C1F5303291FF081B9 ft=1 fh=e40dd9938df1a373 vn="a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application (cleaned by deleting)" ac=C fn="C:\Windows\Installer\MSI48B4.tmp"
sh=D65FE023EE548A502ECD63616B9C3FDE31214469 ft=1 fh=15c731add8118119 vn="a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application (cleaned by deleting)" ac=C fn="C:\Windows\Installer\MSIDE97.tmp"


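The ESET Online Scanner `log.txt` that Step #2 asks for, and which is pasted above, consists of `# key=value` header lines (several blocks, the last one carrying the `found`/`cleaned` totals) followed by one `sh=... ft=... fh=... vn="..." ac=... fn="..."` record per detection. The triage helper below is an added example, not ESET's code: it parses the header and records, counts detections by family, lists anything not reported as cleaned, and checks that the header totals agree with the records actually listed. The field meanings (`sh` as the file's SHA-1, `vn` as the detection name, `ac` as the action with `C` seen on cleaned items, `fn` as the path) are inferred from the sample log in this thread and are assumptions; the embedded sample log is constructed, with placeholder hashes and paths and a made-up uncleaned record (`ac=X`) to exercise that branch.

```python
"""Triage helper for an ESET Online Scanner log.txt.  Added example, not
ESET's code.  Layout follows the log pasted in this thread: '# key=value'
header lines (a later block overrides an earlier one) and one
'sh=... ft=... fh=... vn="..." ac=... fn="..."' record per detection.
Field meanings are inferred from that sample (assumptions): sh = SHA-1 of the
file, vn = detection name, ac = action taken ('C' seen on cleaned items),
fn = file path.  SAMPLE_LOG is constructed with placeholder hashes and paths."""
import re
from collections import Counter
from dataclasses import dataclass

# key=value tokens; quoted values may contain spaces (detection names, paths)
_TOKEN = re.compile(r'(\w+)=("[^"]*"|\S*)')
_FAMILY = re.compile(r"\b(Win\d+/[\w.]+)")      # e.g. Win32/Adware.Coupons.AA


@dataclass
class Detection:
    sha1: str
    name: str
    action: str
    path: str

    @property
    def family(self) -> str:
        m = _FAMILY.search(self.name)
        return m.group(1) if m else self.name

    @property
    def cleaned(self) -> bool:
        return self.action == "C" and "cleaned" in self.name


def parse_eset_log(text: str):
    """Return (header dict, list of Detection)."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# "):
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip().strip('"')
        elif line.startswith("sh="):
            f = {k: v.strip('"') for k, v in _TOKEN.findall(line)}
            detections.append(Detection(f.get("sh", ""), f.get("vn", ""),
                                        f.get("ac", ""), f.get("fn", "")))
    return header, detections


def triage(text: str) -> dict:
    """Summarise a scan: totals, detection families, anything left uncleaned,
    and whether the header totals agree with the records actually listed."""
    header, dets = parse_eset_log(text)
    found = int(header.get("found", 0))
    cleaned = int(header.get("cleaned", 0))
    not_cleaned = [d.path for d in dets if not d.cleaned]
    return {
        "finished": header.get("end") == "finished",
        "scanned": int(header.get("scanned", 0)),
        "found": found,
        "cleaned": cleaned,
        "families": dict(Counter(d.family for d in dets)),
        "not_cleaned": not_cleaned,
        "consistent": found == len(dets) and cleaned == len(dets) - len(not_cleaned),
    }


# Constructed sample: placeholder hashes/paths; the third record (ac=X,
# "unable to clean") is made up to show the uncleaned branch.
SAMPLE_LOG = r"""
ESETSmartInstaller@High as downloader log:
Can not open internet
# product=EOS
# version=8
# end=finished
# remove_checked=true
# scanned=1000
# found=3
# cleaned=2
sh=0123456789ABCDEF0123456789ABCDEF01234567 ft=1 fh=0000000000000001 vn="a variant of Win32/Adware.Coupons.AA application (cleaned by deleting)" ac=C fn="C:\Users\user\Downloads\CouponPrinter.exe"
sh=FEDCBA9876543210FEDCBA9876543210FEDCBA98 ft=1 fh=0000000000000002 vn="a variant of Win32/Bundled.Toolbar.Ask.M potentially unsafe application (cleaned by deleting)" ac=C fn="C:\Windows\Installer\MSI0000.tmp"
sh=00000000000000000000000000000000DEADBEEF ft=1 fh=0000000000000003 vn="Win32/TestFile.A application (unable to clean)" ac=X fn="C:\Temp\sample.dll"
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

The `consistent` flag is the check worth looking at first when reading a pasted log: if `found` does not match the number of records, or `cleaned` does not match the records marked as cleaned, the paste is truncated or the scan left something behind, and the `not_cleaned` paths tell the helper what needs a follow-up tool.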
It's not that it had multiple svchost. It was using > 90% of the CPU. I was able to update the Windows Update agent, and then ran the readiness tool, which took all night but repaired a lot of stuff. Windows Updates then ran and now the CPU is sitting at 1% usage when idle. I think we might be clean. Here are the logs.



Addition.txt FRST.txt


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!


This topic is now closed to further replies.