Satchfan

Trusted Malware Techs
  • Content Count: 178

Everything posted by Satchfan

  1. Hi Kristina It has been a few days since I asked if there were any remaining problems. Please let me know if there are any. If I do not hear from you within 24 hours I'll assume that all is now OK and close this topic. Satchfan
  2. That looks good. Please go to your downloads folder and delete the file in red: C:\Users\Kristina\Downloads\couponprinter.exe Are you happy that your computer is OK now? If so, I’ll send instructions to tidy up.
  3. That message is related to MS Office - not malware. We'll run a final scan to be sure your computer is clean.

     Run ESET Online Scan

     Note: This may take a long time so please be patient.

     IMPORTANT: Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

     Note: You can use Internet Explorer, Firefox or Chrome for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

     • Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
     • click the Run Eset online Scanner button
     • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        o click on esetinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
        o double click on the Eset installer icon on your desktop.
     • check Yes, I accept the Terms of Use
     • click the Start button
     • accept any security warnings from your browser
     • check Enable detection of potentially unwanted applications
     • click Advanced settings and select the following:
        o scan archives
        o scan for potentially unsafe applications
        o enable Anti-Stealth technology
       Note: Do not check Remove found threats
     • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
     • when the scan completes, push List of found threats
     • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
       Note - if ESET doesn't find any threats, no report will be created.
     • push the back button.
     • push Finish

     When the scan is complete:

     If no threats were found:
        o put a checkmark in "Uninstall application on close"
        o close program
        o report to me that nothing was found.

     If threats were found:
        o click on "list of threats found"
        o click on "export to text file" and save it as ESET results and save to the desktop
        o click on back
        o put a checkmark in "Uninstall application on close"
        o click on finish
        o close program
        o copy and paste the report here

     Satchfan
  4. That’s not too bad and I see no Firefox problem but we’ll clear up what was found.

     Uninstall programs

     Uninstall these programs:
        CouponBridge
        CouponPrinterPlugin

     • click Start, Control Panel, Programs and Features
     • click on CouponBridge and then Uninstall
     • repeat this for the other program listed above.

     ================================================

     Run Farbar Recovery Scan Tool

     Open notepad. Please copy the contents of the code box below and paste it into Notepad.

        Manager\HPCMDelayStart.exe [103992 2011-05-23] (Hewlett-Packard Development Company L.P.)
        HKLM-x32\...\Run: [] => [X]
        HKLM\...\Policies\Explorer: [EnableShellExecuteHooks] 1
        SearchScopes: HKLM -> {2726EAAE-E2F9-413D-9BB8-BD280A0E30FC} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
        SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
        SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
        SearchScopes: HKU\S-1-5-21-1203233110-3124362348-787559586-1002 -> {5850D516-A214-46CF-9401-AE7DE20F77B2} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
        SearchScopes: HKU\S-1-5-21-1203233110-3124362348-787559586-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
        BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
        Toolbar: HKU\.DEFAULT -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
        Toolbar: HKU\S-1-5-21-1203233110-3124362348-787559586-1002 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
        DPF: HKLM-x32 {7530BFB8-7293-4D34-9923-61A11451AFC5} hxxp://download.eset.com/special/eos/OnlineScanner.cab
        Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File
        FF Extension: No Name - C:\Users\Kristina\AppData\Roaming\Mozilla\Firefox\Profiles\uhoxnpbr.default\extensions\[email protected] [not found]
        2016-04-21 08:08 - 2016-04-21 08:09 - 00418302 _____ C:\Users\Kristina\Documents\cc_20160421_080835.reg
        C:\Users\Kristina\AppData\Local\Temp\libeay32.dll
        C:\Users\Kristina\AppData\Local\Temp\msvcr120.dll
        CMD: bitsadmin /reset /allusers
        EmptyTemp:

     NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

     • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
     • run FRST64 then click Fix just once and wait
     • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

     ================================================

     Run Malwarebytes’ Anti-Malware

     I noticed that you had MBAM on your system: if you no longer have it, you can download it from here:

     • start Malwarebytes-Anti-Malware and update it, (“Update” tab)
     • once it is updated, click on “Scan” tab, select Threat Scan, then click Scan.
     • when the scan is complete, if no malicious items are found you can close the program
     • if malicious items are found be sure that everything is checked and click Quarantine
     • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
     • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
     • copy and paste the contents of that report in your next reply and exit MBAM.

     NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

     Logs to include with the next post:
        Fixlog.txt
        Mbam.txt

     Can you tell me if there are any outstanding problems.

     Satchfan
  5. Thank you for the new logs which are what I needed. I've just got home I'm afraid and as it's nearly midnight here, I won't reply until the morning, (GMT). Nina
  6. Thank you for the logs but Farbar Recovery Scan Tool, (FRST), is incomplete. I need the full FRST.txt and Addition.txt. Thanks
  7. Hello Kristina and welcome to The Pit. My name is Satchfan and I would be glad to help you with your computer problem.

     Please read the following guidelines which will help to make cleaning your machine easier:

     • please follow all instructions in the order posted
     • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
     • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
     • if you don't understand something, please don't hesitate to ask for clarification before proceeding
     • the fixes are specific to your problem and should only be used for this issue on this machine.
     • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

     IMPORTANT: Please DO NOT install/uninstall any programs unless asked to. Please DO NOT run any scans other than those requested

     I don't understand why you let a "cable guy" touch your laptop or even why he should want to, but we'll take a look and see if we can find out what's going on.

     ===================================================

     Note: Please run these in the order given in the instructions.

     ===================================================

     Download and run AdwCleaner

     Download AdwCleaner from here and save it to your desktop.

     • run AdwCleaner
     • when it has finished, select Clean
     • if it asks to reboot, allow the reboot
     • on reboot a log will be produced; please attach the content of the log to your next reply.

     ===================================================

     Download and run Junkware Removal Tool

     Please download Junkware Removal Tool to your desktop.

     • shut down your protection software now to avoid potential conflicts.
     • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
     • the tool will open and start scanning your system
     • please be patient as this can take a while to complete depending on your system's specifications
     • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
     • post the contents of JRT.txt into your next message.

     ===================================================

     Run Farbar Recovery Scan Tool

     Please download Farbar Recovery Scan Tool and save it to your Desktop.

     Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

     • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
     • press Scan button
     • it will produce a log called Frst.txt in the same directory the tool is run from
     • please copy and paste log back here.
     • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

     Logs to include with next post:
        AdwCleaner log
        JRT.txt
        Frst.txt
        Addition.txt

     Thanks

     Satchfan
  8. Since this issue appears to be resolved, this topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic re-opened, please contact a staff member with the address of the thread.
  9. Your computer appears to be clean.

     Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

     Uninstall AdwCleaner

     • double click on adwcleaner.exe to run the tool
     • click on Uninstall
     • confirm with Yes.

     ===================================================

     Download & run Delfix

     • download Delfix from here to remove many of the tools we've used during the cleaning process.
     • ensure “Remove disinfection tools” is checked. Also place a checkmark next to:
        o Create registry backup
        o Purge system restore
     • click the Run button.

     You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

     ===================================================

     Recommended programs

     SpywareBlaster. SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

     ======================

     Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

     ======================

     It’s important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

     ======================

     Download WOT

     Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

     • green if it's safe
     • yellow for caution
     • red for unsafe

     You can download the WOT add-on for Firefox, Chrome, Internet Explorer, Opera, and Safari browsers. It does not slow down your browsing experience, it is easy to use and free. Just click “Download” and you are ready to go!

     ======================

     MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future. A couple of links with information here and here which can answer any questions you might have about installing/using it.

     ======================

     Unchecky

     Be careful when downloading free software. Many free programs come bundled with adware, many of which cause redirects/popups and verge on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs. Download and install Unchecky.

     ======================

     Download and install CryptoPrevent

     Crypto Ransomware Warning

     There are particularly nasty “Ransomware” infections out there at the moment that encrypt your files and the only way possible to get them “de-crypted” is to pay a ransom. You can read more about this here.

     • download CryptoPrevent
     • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
     • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
     • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
     • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
     • click OK to continue and select your protection level. Go ahead and click OK.
     • click the Apply button to set Default protection
     • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

     You are now protected.

     Note: The free version doesn't provide automatic updates but should be updated often, (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the “Updates” menu then select Check for Updates to see if there are any available.

     ======================

     I also recommend that you read the following: Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams

     I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

     Safe computing

     Satchfan
  10. Hi auntiem It has been a few days since I asked you to run the Malwarebytes scan. Please send the results so that we can be sure all is clear and then I'll send instructions to tidy up the tools we've used. Thanks Satchfan
  11. I would like one more scan with a program that everyone should have on their computer and if that’s clear I’ll send instructions to tidy up.

     Download Malwarebytes-Anti-Malware

     Click here.

     • double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7 users, please right-click and select “Run as Administrator”)
     • select the “Scan” tab at the top
     • there are three scan types; choose Threat Scan, then click on Scan
     • when the scan is complete, if no malicious items are found you can close the program
     • if malicious items are found be sure that everything is checked and click Quarantine
     • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
     • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
     • copy and paste the contents of that report in your next reply and exit MBAM.

     NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

     Satchfan
  12. Having just re-read your post I realise that I misread your problem with the instructions; so, to clarify:

     • open Notepad by holding down Windows key+R and in the dialogue box that appears type in “Notepad”
     • when Notepad opens, copy/paste the following into it:

        ShortcutWithArgument: C:\Users\Evelyn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Wow HomePage.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://us.wow.com/?ncid=txtlnkusaolc00000290&s_pt=source9&s_chn=100&s_chn2=zytDyE0C0EyDtB0ByCyEtB0BtB0EzzyC2RtBtDtCyDtCtBtCyBtBtByEzytAtBtBzyyD
        EmptyTemp:

     • save it as fixlist.txt and save it to your desktop, (the same location as FRST)
     • open FRST64, then click Fix just once and wait
     • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

     Satchfan
  13. You have followed what I asked you to do perfectly. The only thing was, that when you copied/pasted the FRST log into your post, for some reason it was only a part of it that was posted. No problem. Please run Zoek and when I see the result I'll reply. Satchfan
  14. Happy New Year!!!

     Your FRST.txt was incomplete and I’d like the rest of it but from what I have seen, there’s not too much of a problem so we’ll clear up what was in your log and then I’d like another look.

     ===================================================

     Run Farbar Recovery Scan Tool

     Open notepad. Please copy the contents of the code box below and paste it into Notepad.

        ShortcutWithArgument: C:\Users\Evelyn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Wow HomePage.lnk -> C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation) -> hxxp://us.wow.com/?ncid=txtlnkusaolc00000290&s_pt=source9&s_chn=100&s_chn2=zytDyE0C0EyDtB0ByCyEtB0BtB0EzzyC2RtBtDtCyDtCtBtCyBtBtByEzytAtBtBzyyD
        EmptyTemp:

     NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

     • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
     • run FRST64 then click Fix just once and wait
     • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

     ===================================================

     Download zoek.exe to your Desktop:

     Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

     • on Windows Vista, 7/8, right-click Zoek.exe and select: Run as Administrator
     • give it a few seconds to appear
     • copy/paste the entire script inside the codebox below into the input field of Zoek:

        createsrpoint; autoclean; emptyalltemp; ipconfig /flushdns;b

     • close any open programs.
     • click the Run script button, and wait. It takes a few minutes to run.
     • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
     • if a reboot is needed, the log will be opened after the reboot.

     Logs to include with next post:
        Fixlog.txt
        zoek-results.log
        Complete FRST.txt

     Thanks

     Satchfan
  15. Hello auntiem and welcome to The Pit. My name is Satchfan and I would be glad to help you with your computer problem.

     Please read the following guidelines which will help to make cleaning your machine easier:

     • please follow all instructions in the order posted
     • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
     • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
     • if you don't understand something, please don't hesitate to ask for clarification before proceeding
     • the fixes are specific to your problem and should only be used for this issue on this machine.
     • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

     IMPORTANT: Please DO NOT install/uninstall any programs unless asked to. Please DO NOT run any scans other than those requested

     ===================================================

     The scans that caintry_boy got you to run got rid of some stuff but we need to run a scan that will give me more details of what the current situation is.

     Run Farbar Recovery Scan Tool

     Please download Farbar Recovery Scan Tool and save it to your Desktop.

     Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

     • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
     • press Scan button
     • it will produce a log called Frst.txt in the same directory the tool is run from
     • please copy and paste log back here.
     • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

     Logs to include with next post:
        Frst.txt
        Addition.txt

     Thanks

     Satchfan
  16. Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
  17. We are aware of everything that "they" are doing because our colleagues, (who have more expertise than they do), are aware of what they are doing and keep us informed. You're welcome. Take care and get in touch if there are any more problems. Satchfan
  18. I'll leave this open for 48 hours and if I hear nothing I'll assume that all is OK and close the topic accordingly. If you do reply, please include the two logs I asked for. Thanks Satchfan.
  19. I haven’t had a chance to see the completed logs that I asked for so I’m sending a response on what I found based on your first logs alone so we'll deal with that and take it from there. Run Farbar Recovery Scan Tool Open notepad. Please copy the contents of the code box below and paste it into Notepad. GroupPolicy: Restriction - Chrome <======= ATTENTION CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION FF Extension: See More Results Hub - C:\Users\Daddyo\AppData\Roaming\Mozilla\Firefox\Profiles\yrt2b1iq.default\Extensions\{d42b7947-1802-4bcd-8ade-959e9e235b61}.xpi [2015-11-20] [not signed] U3 idsvc; no ImagePath S3 wfpcapture; \SystemRoot\System32\drivers\wfpcapture.sys [X] U3 wpcsvc; no ImagePath 2015-11-23 23:08 - 2015-11-23 23:08 - 00000000 _____ C:\WINDOWS\SysWOW64\SBRC.dat 2015-11-23 20:30 - 2015-11-23 20:33 - 00000000 ____D C:\Users\Daddyo\AppData\Local\NPE 2015-11-23 20:30 - 2015-11-23 20:30 - 03088296 _____ (Symantec Corporation) C:\Users\Daddyo\Downloads\NPE.exe 2015-11-23 20:30 - 2015-11-23 20:30 - 00000000 ____D C:\ProgramData\Norton 2015-11-21 13:55 - 2015-11-21 13:55 - 00000000 ____D C:\ProgramData\BitDefender 2015-11-21 13:39 - 2015-11-24 09:55 - 00000000 ____D C:\Users\Daddyo\AppData\Roaming\Lavasoft 2015-11-21 13:39 - 2015-11-24 09:55 - 00000000 ____D C:\Program Files (x86)\Lavasoft 2015-11-21 13:39 - 2015-11-21 13:39 - 00000000 ____D C:\Users\Daddyo\AppData\Roaming\LavasoftStatistics 2015-11-21 13:38 - 2015-11-23 20:20 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lavasoft 2015-11-21 13:33 - 2015-11-21 13:33 - 00000000 ____D C:\Program Files\Lavasoft 2015-11-21 13:28 - 2015-11-21 13:28 - 00000000 ____D C:\Program Files\Common Files\Lavasoft 2015-11-21 13:26 - 2015-11-24 09:55 - 00000000 ____D C:\ProgramData\Lavasoft 2015-11-20 12:27 - 2014-04-15 12:02 - 00082872 _____ (GFI Software) C:\WINDOWS\system32\Drivers\sbapifs.sys CustomCLSID: 
HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File CustomCLSID: HKU\S-1-5-21-3634687137-1423883221-2431650080-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Daddyo\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File Task: {1146E0A1-B537-4FE9-B94E-979440F8FA1B} - 
\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION Task: {1A361726-B3FE-4C9E-8920-116D8005F7CB} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION Task: {28A09C77-2D3B-4F74-A20F-09D3B1C6B422} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION Task: {39507AF1-5F00-4FB2-AAA9-3FFA9D62BA57} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION Task: {4340A9DA-FA88-441B-B12A-ACA4E1947E05} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION Task: {49820782-6C6B-49EE-8DDE-CC7D94541E0B} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION Task: {59481762-6D07-46E6-BDAF-235450FF0038} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION Task: {62C6661A-CF88-415C-9258-D64CE092CD17} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION Task: {8E226A0F-EB28-4D50-AD4B-F9CB5F829531} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION Task: {9627577C-8E50-43BA-BAE5-70CF8076A011} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION Task: {DF738F78-E402-4746-AB28-ED67924F9166} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION ShortcutWithArgument: C:\Users\Daddyo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk -> C:\Program Files (x86)\Google\Chrome\Application\chrome.exe (Google Inc.) 
-> "hxxp://esurf.biz/?ssid=1448049587&a=1024132" <==== ATTENTION
        ShortcutWithArgument: C:\Users\Daddyo\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk -> C:\Program Files (x86)\Internet Explorer\iexplore.exe (Microsoft Corporation) -> "hxxp://esurf.biz/?ssid=1448049587&a=1024132" <==== ATTENTION
        FirewallRules: [{F639AB08-1FB2-4B6B-B8B8-3C49CADEDFBD}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
        FirewallRules: [{A4645B2E-891F-44F5-BE05-574D0AA052DB}] => (Allow) C:\Program Files (x86)\AVG\AVG2014\avgmfapx.exe
        C:\Program Files (x86)\AVG
        EmptyTemp:

     NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

     • save the files as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
     • run FRST64 then click Fix just once and wait
     • it will create a log (Fixlog.txt); please post it to your reply.

     ===================================================

     Run CKScanner

     Download CKScanner by askey127 from here & save it to your Desktop.

     • double-click CKScanner.exe then click Search For Files
     • when the cursor hourglass disappears, click Save List To File
     • a message box will verify the file saved
     • double-click the CKFiles.txt icon on your desktop then copy/paste the contents in your next reply.

     Logs to include with next post:
        Fixlog.txt
        CKFiles.txt

     Thanks

     Satchfan
  20. Thanks for the logs and that seems to have cleared up a lot. However, your FRST logs, (FRST.txt and Addition.txt), were incomplete: please resend them and make sure that you include the complete logs. Thanks Satchfan
  21. Hello Ron Smorynski and welcome to The Pit. My name is Satchfan and I would be glad to help you with your computer problem.

     It’s possible that you have temporarily solved the hijack problem but unlikely that you’ve rid your computer of all bad components completely so, let’s run some scans and have a look.

     Please read the following guidelines which will help to make cleaning your machine easier:

     • please follow all instructions in the order posted
     • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
     • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
     • if you don't understand something, please don't hesitate to ask for clarification before proceeding
     • the fixes are specific to your problem and should only be used for this issue on this machine.
     • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

     IMPORTANT: Please DO NOT install/uninstall any programs unless asked to. Please DO NOT run any scans other than those requested

     ===================================================

     Note: Please run these in the order given in the instructions.

     ===================================================

     Download and run AdwCleaner

     Download AdwCleaner from here and save it to your desktop.

     • run AdwCleaner
     • when it has finished, select Clean
     • if it asks to reboot, allow the reboot
     • on reboot a log will be produced; please attach the content of the log to your next reply.

     ===================================================

     Download and run Junkware Removal Tool

     Please download Junkware Removal Tool to your desktop.

     • shut down your protection software now to avoid potential conflicts.
     • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
     • the tool will open and start scanning your system
     • please be patient as this can take a while to complete depending on your system's specifications
     • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
     • post the contents of JRT.txt into your next message.

     ===================================================

     Run Farbar Recovery Scan Tool

     Please download Farbar Recovery Scan Tool and save it to your Desktop.

     Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

     • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
     • press Scan button
     • it will produce a log called Frst.txt in the same directory the tool is run from
     • please copy and paste log back here.
     • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

     Logs to include with next post:
        AdwCleaner log
        JRT.txt
        Frst.txt
        Addition.txt

     Thanks

     Satchfan
  22. You’re welcome. Your computer appears to be clean.

      Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

      Uninstall OTL

      • double-click OTL.exe
      • click the CleanUp! button.
      • select Yes when the Begin cleanup Process? prompt appears.
      • if you are prompted to reboot during the cleanup, select Yes.
      • the tool will delete itself once it finishes, if not delete it by yourself.

      NOTE: If you receive a warning from your firewall or other security programs regarding OTL attempting to contact the internet, please allow it to do so.

      ===================================================

      Uninstall AdwCleaner

      • double click on adwcleaner.exe to run the tool
      • click on Uninstall
      • confirm with Yes.

      You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

      ===================================================

      Create a Restore Point

      • click on Start > Control Panel (All Control Panel Items)
      • click on System > System Protection
      • check that you have System Protection turned on for the drive that you want to create a restore point for (usually C:)
      • click Create
      • type in a description for the restore point to help recognize it when doing a System Restore, and click on the Create button.

      Remove old restore points

      • open Disk Cleanup by clicking Start. In the search box, type Disk Cleanup, and then, in the list of results, click Disk Cleanup.
      • if prompted, select the drive that you want to clean up, and then click OK.
      • in the Disk Cleanup for (drive letter) dialog box, click Clean up system files. If you're prompted for an administrator password or confirmation, type the password or provide confirmation
      • if prompted, select the drive that you want to clean up, and then click OK
      • click the More Options tab, then under System Restore and Shadow Copies, click Clean up
      • in the Disk Cleanup dialog box, click Delete
      • click Delete Files, and then click OK.

      ===================================================

      You have an old version of Flash on your computer which is vulnerable to infections.

      • from the Start menu, select Control Panel
      • in Large or Small icon view, click Programs and Features. If you're using Category view, under "Programs", click Uninstall a program
      • select any versions of Flash then click Uninstall.

      Install the latest version: Flash

      ===================================================

      Recommended programs

      SpywareBlaster. SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

      ===================================================

      Re-enable Spybot - Search and Destroy’s TeaTimer

      • open Spybot Search & Destroy
      • go to the Mode menu and make sure Advanced Mode is selected
      • choose Yes at the Warning prompt
      • expand the “Tools” menu
      • click Resident
      • check the Resident TeaTimer (Protection of overall system settings) active. box
      • in the File menu click Exit to exit Spybot Search & Destroy
      • if Teatimer gives you a warning that changes were made, click Allow Change when prompted.
      • exit Spybot S&D.

      Remember to scan your computer with the program on a regular basis as you would with your anti-virus software.

      ===================================================

      Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

      ===================================================

      It’s important to keep programs up to date so that malware doesn't exploit any old security flaws. FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

      ===================================================

      MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future. A couple of links with information here and here which can answer any questions you might have about installing/using it.

      ===================================================

      I also recommend that you read the following:

      • How to prevent malware by miekiemoes
      • Help! My computer is slow! by miekiemoes
      • Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams

      I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

      Safe computing
      Satchfan
  23. Hi Mugen

      It has been several days since I asked you to run an Eset scan. Please let me know the result and we can then tidy up.

      Thanks
      Satchfan
  24. I'm glad things are better and you are welcome for the help. One more scan and if that's OK we can tidy up.

      Run ESET Online Scan

      IMPORTANT: Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files which could leave some of your software inoperable.

      Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

      • Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
      • click the Eset online Scanner button
      • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
        o click on esetinstaller.exe to download the ESET Smart Installer. Save it to your desktop.
        o double click on the Eset installer icon on your desktop.
      • check Yes, I accept the Terms of Use
      • click the Start button
      • accept any security warnings from your browser
      • check Scan archives and Remove found threats
      • click Advanced settings and select the following:
        o Scan potentially unwanted applications
        o Scan for potentially unsafe applications
        o Enable Anti-Stealth technology
      • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
      • when the scan completes, push List of found threats
      • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. Note - if ESET doesn't find any threats, no report will be created.
      • push the back button.
      • push Finish

      When the scan is complete:

      If no threats were found:
        o put a checkmark in "Uninstall application on close"
        o close program
        o report to me that nothing was found

      If threats were found:
        o click on "list of threats found"
        o click on "export to text file" and save it as ESET results and save to the desktop
        o Click on back
        o put a checkmark in "Uninstall application on close"
        o click on finish
        o close program
        o copy and paste the report here.

      Thanks
      Satchfan