

Munbnkcbvkg.exe running as Google Chrome


This topic is locked
7 replies to this topic

#1 GarySS

  • Members
  • 4 posts

Posted 03 February 2015 - 06:26 PM

This file Munbnkcbvkg.exe is running as Chrome, yet I do not have Chrome installed. It's taking lots of memory, and I found you fixed another one on this site. I have downloaded the FRST tool and ran it, and have the attached files you requested. Any help would be appreciated. Thanks in advance.

Attached Files




#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 03 February 2015 - 11:25 PM

Hello GarySS,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer, including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it, select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic, which facilitates the cleaning of your machine.
  • Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

 

 

1.

Download attached fixlist.txt file and save it to the Desktop.

NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Attached File: fixlist.txt (11.86KB, 1 downloads)

 

 

2.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished...
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

3.

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 GarySS
  • Topic Starter

  • Members
  • 4 posts

Posted 04 February 2015 - 12:11 AM

The file is gone now. Below is the fixlog, and now I will do steps 2 and 3.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 01-02-2015
Ran by Gary at 2015-02-03 22:56:19 Run:1
Running from C:\Users\Gary\Desktop
Loaded Profiles: Gary (Available profiles: Gary)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\...\Run: [Abmbbzq] => regsvr32.exe /s "C:\Users\Gary\AppData\Local\{4F0759B8-3D3C-4015-BDD6-8E6FB903B119}\Abmbbzq.dll" <===== ATTENTION
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\...\Run: [RebateInformer] => C:\Program Files (x86)\RebateInformer\RebateInf.exe [2672512 2014-11-21] (Valion Group)
C:\Users\Gary\AppData\Local\{4F0759B8-3D3C-4015-BDD6-8E6FB903B119}
URLSearchHook: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 - (No Name) - {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No File
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {9c3db922-a828-40ad-a112-66dd0f5537f0} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XWxdm003YYus&ptnrS=XWxdm003YYus&ptb=0CB9535F-08B2-4BEC-A739-1B38DCDAF764&psa=&ind=2012082221&st=sb&n=77edf02d&searchfor={searchTerms}
SearchScopes: HKLM-x32 -> {cca2e567-1987-4100-a3c6-5b4267084510} URL = http://s.results.ask.com/search/GGmain.jhtml?p2=^YK^xdm002^S03853^us&si=COrf94jUvrQCFY1DMgodVDcAYw&ptb=818F3C40-D128-4EF8-92BF-FA871E8B89DE&psa=&ind=2012122822&st=sb&n=77ee8ec6&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> {9c3db922-a828-40ad-a112-66dd0f5537f0} URL = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=XWxdm003YYus&ptnrS=XWxdm003YYus&ptb=0CB9535F-08B2-4BEC-A739-1B38DCDAF764&psa=&ind=2012082221&st=sb&n=77edf02d&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> {A531D99C-5A22-449b-83DA-872725C6D0ED} URL = http://search.alot.com/web?q={searchTerms}&pr=prov&client_id=49DEF92001CDC790155FD0C6&install_time=2012-11-21T02:31:19Z&src_id=30734&camp_id=4616&tb_version=1.3.0001.0(B)
SearchScopes: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> {C04B7D22-5AEC-4561-8F49-27F6269208F6} URL = http://www2.inbox.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=80915&lng=en
SearchScopes: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> {CBA69680-4994-41C1-9A08-38E904BD449F} URL = http://search.conduit.com/Results.aspx?&ctid=CT3283894&SearchSource=45?&q={searchTerms}
SearchScopes: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> {cca2e567-1987-4100-a3c6-5b4267084510} URL = http://s.results.ask.com/search/GGmain.jhtml?p2=^YK^xdm002^S03853^us&si=COrf94jUvrQCFY1DMgodVDcAYw&ptb=818F3C40-D128-4EF8-92BF-FA871E8B89DE&psa=&ind=2012122822&st=sb&n=77ee8ec6&searchfor={searchTerms}
SearchScopes: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> {{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} URL = http://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7TSNO
BHO-x32: Toolbar BHO -> {ab56dfde-0c14-45b3-9df6-7b0eba617870} -> C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
BHO-x32: No Name -> {CCB69577-088B-4004-9ED8-FF5BCC83A039} -> C:\Program Files (x86)\RebateInformer\RebateI.dll (Valion Group)
BHO-x32: Search Assistant BHO -> {df22384f-cf68-4d19-969f-10423715528b} -> C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14SrcAs.dll (MindSpark)
Toolbar: HKLM-x32 - TotalRecipeSearch - {a0154e07-2b48-475c-a82a-80efd84ea33e} - C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
Toolbar: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Toolbar: HKU\S-1-5-21-2448695844-2399511112-415270793-1000 -> No Name - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} -  No File
Handler: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - C:\Program Files (x86)\RebateInformer\RebInf64.dll (Valion Group)
Handler-x32: rebinfo - {AF808758-C780-404C-A4EE-4526323FD9B6} - C:\Program Files (x86)\RebateInformer\RebateI.dll (Valion Group)
FF Plugin-x32: @ei.CouponAlert_2p.com/Plugin -> C:\Program Files (x86)\CouponAlert_2pEI\Installr\1.bin\NP2pEISB.dll (CouponAlert)
FF Plugin-x32: @TotalRecipeSearch_14.com/Plugin -> C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\NP14Stub.dll (MindSpark)
FF HKLM-x32\...\Firefox\Extensions: [14ffxtbr@TotalRecipeSearch_14.com] - C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin
FF Extension: TotalRecipeSearch - C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin [2012-12-28]
CHR Extension: (RebateInformer) - C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbbfaealmlpnodchplhdomkgpdkeeal [2013-01-28]
CHR HKLM-x32\...\Chrome\Extension: [odbbfaealmlpnodchplhdomkgpdkeeal] - C:\Program Files (x86)\RebateInformer\Chrome\rebateinformer_c.crx [2013-01-10]
R2 TotalRecipeSearch_14Service; C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14barsvc.exe [42504 2012-12-28] (COMPANYVERS_NAME)
C:\Program Files (x86)\TotalRecipeSearch_14
S3 L1C; system32\DRIVERS\L1C62x64.sys [X]
S1 MpKsl42d64876; \??\c:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E2D6D20B-C460-4B0F-9034-4F40ABE7AED9}\MpKsl42d64876.sys [X]
CustomCLSID: HKU\S-1-5-21-2448695844-2399511112-415270793-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-2448695844-2399511112-415270793-1000_Classes\CLSID\{AF808758-C780-404C-A4EE-4526323FD9B6}\InprocServer32 -> C:\Program Files (x86)\RebateInformer\RebInf64.dll (Valion Group)
CustomCLSID: HKU\S-1-5-21-2448695844-2399511112-415270793-1000_Classes\CLSID\{D4AB823B-3EBC-477B-AA5B-D7061C9E83B0}\InprocServer32 -> C:\Program Files (x86)\RebateInformer\RebInf64.dll (Valion Group)
emptytemp:

*****************

HKU\S-1-5-21-2448695844-2399511112-415270793-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Abmbbzq => value deleted successfully.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key Deleted Successfully.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\Software\Microsoft\Windows\CurrentVersion\Run\\RebateInformer => value deleted successfully.
C:\Users\Gary\AppData\Local\{4F0759B8-3D3C-4015-BDD6-8E6FB903B119} => Moved successfully.
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\\{D3D233D5-9F6D-436C-B6C7-E63F77503B30} => value deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9c3db922-a828-40ad-a112-66dd0f5537f0}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{9c3db922-a828-40ad-a112-66dd0f5537f0} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{cca2e567-1987-4100-a3c6-5b4267084510} => Key not found.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9c3db922-a828-40ad-a112-66dd0f5537f0}" => Key deleted successfully.
HKCR\CLSID\{9c3db922-a828-40ad-a112-66dd0f5537f0} => Key not found.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{A531D99C-5A22-449b-83DA-872725C6D0ED}" => Key deleted successfully.
HKCR\CLSID\{A531D99C-5A22-449b-83DA-872725C6D0ED} => Key not found.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}" => Key deleted successfully.
HKCR\CLSID\{C04B7D22-5AEC-4561-8F49-27F6269208F6} => Key not found.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CBA69680-4994-41C1-9A08-38E904BD449F}" => Key deleted successfully.
HKCR\CLSID\{CBA69680-4994-41C1-9A08-38E904BD449F} => Key not found.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{cca2e567-1987-4100-a3c6-5b4267084510}" => Key deleted successfully.
HKCR\CLSID\{cca2e567-1987-4100-a3c6-5b4267084510} => Key not found.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{{67A2568C-7A0A-4EED-AECC-B5405DE63B64}}" => Key deleted successfully.
HKCR\CLSID\{{67A2568C-7A0A-4EED-AECC-B5405DE63B64}} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab56dfde-0c14-45b3-9df6-7b0eba617870}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{ab56dfde-0c14-45b3-9df6-7b0eba617870}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB69577-088B-4004-9ED8-FF5BCC83A039}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{CCB69577-088B-4004-9ED8-FF5BCC83A039}" => Key deleted successfully.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{df22384f-cf68-4d19-969f-10423715528b}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{df22384f-cf68-4d19-969f-10423715528b}" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{a0154e07-2b48-475c-a82a-80efd84ea33e} => value deleted successfully.
"HKCR\Wow6432Node\CLSID\{a0154e07-2b48-475c-a82a-80efd84ea33e}" => Key deleted successfully.
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => value deleted successfully.
HKCR\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F} => Key not found.
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} => value deleted successfully.
HKCR\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8} => Key not found.
"HKCR\PROTOCOLS\Handler\rebinfo" => Key deleted successfully.
"HKCR\CLSID\{AF808758-C780-404C-A4EE-4526323FD9B6}" => Key deleted successfully.
HKCR\Wow6432Node\PROTOCOLS\Handler\rebinfo => Key not found.
"HKCR\Wow6432Node\CLSID\{AF808758-C780-404C-A4EE-4526323FD9B6}" => Key deleted successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@ei.CouponAlert_2p.com/Plugin" => Key deleted successfully.
C:\Program Files (x86)\CouponAlert_2pEI\Installr\1.bin\NP2pEISB.dll => Moved successfully.
"HKLM\Software\Wow6432Node\MozillaPlugins\@TotalRecipeSearch_14.com/Plugin" => Key deleted successfully.
C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\NP14Stub.dll => Moved successfully.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\14ffxtbr@TotalRecipeSearch_14.com => value deleted successfully.
C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin => Moved successfully.
C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\odbbfaealmlpnodchplhdomkgpdkeeal => Moved successfully.
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\odbbfaealmlpnodchplhdomkgpdkeeal" => Key deleted successfully.
C:\Program Files (x86)\RebateInformer\Chrome\rebateinformer_c.crx => Moved successfully.
TotalRecipeSearch_14Service => Service stopped successfully.
TotalRecipeSearch_14Service => Service deleted successfully.
C:\Program Files (x86)\TotalRecipeSearch_14 => Moved successfully.
L1C => Service deleted successfully.
MpKsl42d64876 => Service deleted successfully.
HKU\S-1-5-21-2448695844-2399511112-415270793-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
HKU\S-1-5-21-2448695844-2399511112-415270793-1000_Classes\CLSID\{AF808758-C780-404C-A4EE-4526323FD9B6} => Key not found.
"HKU\S-1-5-21-2448695844-2399511112-415270793-1000_Classes\CLSID\{D4AB823B-3EBC-477B-AA5B-D7061C9E83B0}" => Key deleted successfully.
EmptyTemp: => Removed 300.3 MB temporary data.

The system needed a reboot.

==== End of Fixlog 22:56:41 ====
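The Fixlog above contains the two registry entries that matter for this kind of registry-resident persistence: a Run value that silently registers a DLL via regsvr32 /s from a GUID-named folder under AppData\Local (the line FRST tagged ATTENTION), and a CLSID LocalServer32 value whose "server" is rundll32.exe running a javascript: payload through mshtml's RunHTMLApplication, with the script body hidden by shifting every character up one code point (the visible eval() prefix epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds decodes to document.write('<script language=jscr). The Python below is an added example, not part of this thread or of FRST: it parses FRST-style lines (the three sample lines are copied from the Fixlog), flags both indicators and undoes the shift. The regular expressions, the finding names and the shift-by-one decoder are this example's own assumptions about the log format and the obfuscation; a COM LocalServer32 value should name an executable, never a rundll32 script, so any such hit deserves to be treated as hostile until proven otherwise.

```python
"""Flag Poweliks-style fileless persistence in FRST log lines.

Added example; not part of the forum thread or of FRST itself. The regexes,
the finding names and the shift-by-one decoder are this example's own
assumptions about the log format and the obfuscation seen in the Fixlog.
"""
import re

# Sample input: three lines copied verbatim from the Fixlog in post #3.
SAMPLE_LOG = r'''
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\...\Run: [Abmbbzq] => regsvr32.exe /s "C:\Users\Gary\AppData\Local\{4F0759B8-3D3C-4015-BDD6-8E6FB903B119}\Abmbbzq.dll" <===== ATTENTION
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
HKU\S-1-5-21-2448695844-2399511112-415270793-1000\...\Run: [RebateInformer] => C:\Program Files (x86)\RebateInformer\RebateInf.exe [2672512 2014-11-21] (Valion Group)
'''

# Run value that silently registers a DLL living in a GUID-named folder under
# AppData\Local (the entry FRST marked ATTENTION). Heuristic is ours, not FRST's.
LOADER_RE = re.compile(
    r'\\Run: \[(?P<name>[^\]]+)\] => regsvr32\.exe /s '
    r'"(?P<dll>[^"]*\\AppData\\Local\\\{[0-9A-Fa-f-]{36}\}\\[^"\\]+\.dll)"',
    re.I,
)

# A COM LocalServer32 value must name an executable; rundll32.exe with a
# javascript: argument (mshtml,RunHTMLApplication) is a script, not a server.
CLSID_JS_RE = re.compile(r'\\localserver32: rundll32\.exe javascript:', re.I)

# First token handed to eval(); FRST truncates long values, so only the
# visible prefix is available for decoding.
EVAL_RE = re.compile(r'eval\("([^"\s]+)')


def unshift(text, shift=1):
    """Undo the per-character code-point shift used to hide the eval() body."""
    return "".join(chr(ord(c) - shift) for c in text)


def scan_frst_lines(lines):
    """Return a list of findings (dicts) for the lines that match an indicator."""
    findings = []
    for line in lines:
        m = LOADER_RE.search(line)
        if m:
            findings.append({
                "kind": "regsvr32-loader",
                "name": m.group("name"),
                "dll": m.group("dll"),
                "line": line,
            })
            continue
        if CLSID_JS_RE.search(line):
            e = EVAL_RE.search(line)
            findings.append({
                "kind": "fileless-clsid",
                "decoded": unshift(e.group(1)) if e else None,
                "line": line,
            })
    return findings


if __name__ == "__main__":
    for f in scan_frst_lines(SAMPLE_LOG.splitlines()):
        print(f["kind"], "->", f.get("dll") or f.get("decoded"))
```

To use it on a real case, feed the lines of FRST.txt (not only the Fixlog) to scan_frst_lines; the RebateInformer Run entry in the sample is deliberately left unflagged because it is an ordinary executable path, which is the adware side of this cleanup rather than the fileless persistence. Because FRST truncates long registry data, only the first part of the eval() string will decode; the full script has to be read from the live registry value.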



#4 GarySS
  • Topic Starter

  • Members
  • 4 posts

Posted 04 February 2015 - 12:21 AM

AdwCleaner report:

 

# AdwCleaner v4.109 - Report created 03/02/2015 at 23:17:35
# Updated 24/01/2015 by Xplode
# Database : 2015-02-03.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Gary - TOSHIBA
# Running from : C:\Users\Gary\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RebateInformer
Folder Deleted : C:\Program Files (x86)\Inbox.com
Folder Deleted : C:\Program Files (x86)\RebateInformer
Folder Deleted : C:\Program Files (x86)\CouponAlert_2pEI
Folder Deleted : C:\Users\Gary\AppData\LocalLow\RebateInformer
Folder Deleted : C:\Users\Gary\AppData\Roaming\OpenCandy
Folder Deleted : C:\Users\Gary\AppData\Roaming\pccustubinstaller
Folder Deleted : C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
File Deleted : C:\alotserviceruntime.log

***** [ Scheduled Tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Client
Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Script
Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Server
Key Deleted : HKLM\SOFTWARE\Classes\CShared.TB4Server2
Key Deleted : HKLM\SOFTWARE\Classes\RebateI.Rebate Informer BHO
Key Deleted : HKLM\SOFTWARE\Classes\RebateI.RebateInformImageGen
Key Deleted : HKLM\SOFTWARE\Classes\RebateInf.RebateInfObj
Value Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [TotalRecipeSearch_14 Browser Plugin Loader]
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{72D89EBF-0C5D-4190-91FD-398E45F1D007}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{183643C8-EE67-4574-9A38-927852E34163}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{4EF645BD-65B0-4F98-AD56-D0437B7045F6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{54ECA872-DB2A-4C6B-BBB2-F3777C6786CC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DB35C569-5624-4CFC-8043-E5139F55A073}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{01C78433-6FDF-4E5A-A82D-B535C32E03DF}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{41349826-5C7F-4BF0-8279-5DAF1DE6E9AE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{604EA016-1EDE-41E6-A23E-76CF8F2A4808}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{B3BA5582-79A9-464D-A7FA-711C5888C6E9}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E9BBD270-4B87-4EE2-912F-6635674986C0}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{438B047C-C041-4D15-98CF-A97C6B366C28}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{506F578A-91E1-46CE-830F-E2F4268E9966}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{23B38049-323F-443D-9732-F454E5B15B72}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{CCB69577-088B-4004-9ED8-FF5BCC83A039}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{FD79F359-E577-46DB-AA74-D6E6B8B45BA8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{004EB151-885B-4A9E-A22D-CA98DD998D75}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{01C78433-6FDF-4E5A-A82D-B535C32E03DF}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{23119123-0854-469D-807A-171568457991}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3B181CF2-878B-4758-8FBD-59D8AC5AB12D}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{41349826-5C7F-4BF0-8279-5DAF1DE6E9AE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{5F701D7D-C869-41F0-B0E2-8136F02B539C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{604EA016-1EDE-41E6-A23E-76CF8F2A4808}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A786F51D-B3C7-4F52-91EF-E1A892C2A2AE}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{B3BA5582-79A9-464D-A7FA-711C5888C6E9}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E9BBD270-4B87-4EE2-912F-6635674986C0}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EAB77009-B974-48DF-8229-E70CFAA11C69}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EBAA6283-B61F-4DDD-9659-56635433A307}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EFB4F034-3EB5-48D5-84DD-89BBCF9A182F}
Key Deleted : HKCU\Software\CToolbar
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\Rebate Informer
Key Deleted : HKLM\SOFTWARE\CToolbar
Key Deleted : HKLM\SOFTWARE\systweak
Key Deleted : HKLM\SOFTWARE\CouponAlert_2pEI
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4EF645BD-65B0-4F98-AD56-D0437B7045F6}_is1
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - <local>

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

-\\ Google Chrome v

[C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

-\\ Chromium v

[C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Gary\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [6400 octets] - [03/02/2015 23:12:17]
AdwCleaner[S0].txt - [6556 octets] - [03/02/2015 23:17:35]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [6616 octets] ##########



#5 GarySS
  • Topic Starter

  • Members
  • 4 posts

Posted 04 February 2015 - 02:39 AM

Step 3 completed:

 

Emsisoft Emergency Kit - Version 9.0
Last update: 2/3/2015 11:27:51 PM
User account: Toshiba\Gary

Scan settings:

Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start: 2/3/2015 11:37:38 PM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{03F3147C-CEA6-4AAE-B0AE-8D8ABE7A8080}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2502086B-5A46-4D05-8D5B-A1E77AB8BB32}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{396A4E14-83E7-4941-B0D9-B598E1B97197}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{76F3207C-3A0A-461B-B958-5653C5718243}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{895F3DBD-2484-4A14-A0EA-C3252EBB0FF7}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8C4B563E-52A1-4A10-B700-F8BF1CD7B726}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{96B8A0EF-0D9D-4A92-B548-376DB4BBB58B}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9E5C950C-93F2-46B4-A47E-8450FFF4D841}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A4503EC3-1111-4B62-8F46-0D88508F8A7B}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A9C524BF-4044-402A-AA00-8C3B3DA86125}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B38FBAED-DED1-4BA6-BA2E-F2515FD49442}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5EDE79D-B004-47DD-93F9-152B0D145914}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D0690E53-168C-4632-99B2-5700228F760F}  detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\TOTALRECIPESEARCH_14  detected: Application.InstallAd (A)

Scanned 191113
Found 14



#6 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 February 2015 - 10:36 AM

Please run FRST and post the new FRST.txt. How is the computer running now?




#7 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 08 February 2015 - 09:10 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 1-3 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it




#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 10 February 2015 - 09:38 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





