
Annoying Adware Popups


11 replies to this topic

#1 Netflyer165

Netflyer165

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 21 April 2015 - 02:31 PM

Hello, I would like help ridding this PC of annoying ads.  I use Chrome and it is freezing when the ads come up.  'Ads by Coupon Finder' and other 'Ads by...' have come up... I tried to follow the standard removal guide.

 

Rkill

Malwarebytes

then reset the browser and specifically turned off the extensions...

Malwarebytes initially found issues and cleaned them but the problem remained... then I specifically went into the Chrome extension settings and removed the program that was doing it.  But, it comes back in a few days.

 

Please help :-)

 

 




 


#2 InadequateInfirmity

InadequateInfirmity

    I Gots Me A Certified Edumication


  • Banned
  • 5,180 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:12:28 AM

Posted 21 April 2015 - 06:17 PM

Step 1: eScanAV.

 

Disable your antivirus prior to this scan.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Download the eScanAV Anti-Virus Toolkit (MWAV)
http://www.escanav.com/english/content/products/downloadlink/downloadcounter.asp?pcode=MWAV&src=english_dwn&type=alter
Save the file to your desktop.
Right-click it and select Run as administrator.
A new icon will appear on your desktop.
Right-click the new icon and select Run as administrator.
Click on the update tab.
ZCDJtZN.png
Once you have updated the program, make sure the settings are the same as the picture below.
7DUFn5c.png
Once you have made sure the settings match the picture, hit the Scan & Clean button.
Upon scan completion, click View Log.
ApSVXsQ.png
Copy and paste entire log into your next reply.
Note: Reboot if needed to remove infections.

 

Step 2: Zemana

 

Run a full scan with Zemana antimalware.

http://www.zemana.us/product/zemana-antimalware/default.aspx

Install and select deep scan.

jdmyscF.jpg

Remove any infections found.

Then click on the icon in the pic below.

DOLGyto.jpg

Double click on the scan log, copy and paste here in your reply.

 

 

Step 3: Junkware Removal Tool.
 
Please download Junkware Removal Tool and save it on your desktop.

  • Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log is saved to your desktop and will automatically open.
  • Please post the JRT log.

Step 4: Adware Cleaner.
 
Please download AdwCleaner by Xplode onto your desktop.


  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.


#3 Netflyer165

Netflyer165
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 22 April 2015 - 10:38 AM

Thank you for helping me!  Here is my first log from step #1:

 

22 Apr 2015 10:03:13 [1230] - **********************************************************
22 Apr 2015 10:03:13 [1230] - MWAV - eScanAV AntiVirus Toolkit.
22 Apr 2015 10:03:13 [1230] - Copyright © MicroWorld Technologies
22 Apr 2015 10:03:13 [1230] - **********************************************************
22 Apr 2015 10:03:13 [1230] - Version 14.0.178 (C:\USERS\PIX\APPDATA\LOCAL\TEMP\MWAVSCAN.EXE)
22 Apr 2015 10:03:13 [1230] - Log File: C:\Users\Pix\AppData\Local\Temp\LOG\MWAV.LOG
22 Apr 2015 10:03:13 [1230] - MWAV Registered: TRUE
22 Apr 2015 10:03:13 [1230] - User Account: Pix (Administrator Mode)
22 Apr 2015 10:03:13 [1230] - OS Type: Windows Workstation [InstallType: Client]
22 Apr 2015 10:03:13 [1230] - OS: Windows 7 64-Bit [OS Install Date: 23 Jun 2010 09:35:54]
22 Apr 2015 10:03:13 [1230] - Ver: Professional Service Pack 1 (Build 7601)
22 Apr 2015 10:03:13 [1230] - System Up Time: 6 Days, 6 Hours, 38 Minutes, 1 Second
 
 
22 Apr 2015 10:03:13 [1230] - Parent Process Name : c:\Windows\explorer.exe
22 Apr 2015 10:03:13 [1230] - Windows Root  Folder: C:\Windows
22 Apr 2015 10:03:13 [1230] - Windows Sys32 Folder: C:\Windows\system32
22 Apr 2015 10:03:13 [1230] - Interface0 NameServer: 68.100.16.30,68.10.16.30
22 Apr 2015 10:03:13 [1230] - Local Fixed Drives: c:\,e:\
22 Apr 2015 10:03:13 [1230] - MWAV Mode(A): Scan and Clean files (for viruses, adware and spyware)
22 Apr 2015 10:03:13 [1230] - [CREATED ZIP FILE: C:\Users\Pix\AppData\Local\Temp\pinfect.zip]
22 Apr 2015 10:03:14 [1230] - Latest Date of files inside MWAV: Wed Apr 22 14:39:56 2015.
22 Apr 2015 10:03:14 [1230] - Loading/Creating FileScan Cache Database C:\ProgramData\MicroWorld\MWAV\ESCANDBY.MDB [Log: C:\Users\Pix\AppData\Local\Temp\LOG\ESCANDB.LOG]
22 Apr 2015 10:03:14 [1230] - Loaded/Created FileScan Cache Database...
22 Apr 2015 10:03:14 [1230] - Loading AV Library [DB]...
22 Apr 2015 10:03:21 [1230] - ArchiveScan: DISABLED
22 Apr 2015 10:03:21 [1230] - AV Library Loaded - MultiThreaded - 8 : [DB-DIRECT].
22 Apr 2015 10:03:21 [1230] - MWAV doing self scanning...
22 Apr 2015 10:03:21 [1230] - MWAV files are clean.
22 Apr 2015 10:03:21 [1230] - ArchiveScan: DISABLED
22 Apr 2015 10:03:21 [1230] - Virus Database Date: 22 Apr 2015
22 Apr 2015 10:03:21 [1230] - Virus Database Count: 5663976
22 Apr 2015 10:03:21 [1230] - Sign Version: 7.60238 [518990]
 
22 Apr 2015 10:35:57 [1230] - **********************************************************
22 Apr 2015 10:35:57 [1230] - MWAV - eScanAV AntiVirus Toolkit.
22 Apr 2015 10:35:57 [1230] - Copyright © MicroWorld Technologies
22 Apr 2015 10:35:57 [1230] - 
22 Apr 2015 10:35:57 [1230] - Support: support@escanav.com
22 Apr 2015 10:35:57 [1230] - Web: http://www.escanav.com
22 Apr 2015 10:35:57 [1230] - **********************************************************
22 Apr 2015 10:35:57 [1230] - Version 14.0.178[DB] (C:\USERS\PIX\APPDATA\LOCAL\TEMP\MWAVSCAN.EXE)
22 Apr 2015 10:35:57 [1230] - Log File: C:\Users\Pix\AppData\Local\Temp\LOG\MWAV.LOG
22 Apr 2015 10:35:57 [1230] - User Account: Pix (Administrator Mode)
22 Apr 2015 10:35:57 [1230] - Parent Process Name : c:\Windows\explorer.exe
22 Apr 2015 10:35:57 [1230] - Windows Root  Folder: C:\Windows
22 Apr 2015 10:35:57 [1230] - Windows Sys32 Folder: C:\Windows\system32
22 Apr 2015 10:35:57 [1230] - OS: Windows 7 64-Bit [OS Install Date: 23 Jun 2010 09:35:54]
22 Apr 2015 10:35:57 [1230] - Ver: Professional Service Pack 1 (Build 7601)
22 Apr 2015 10:35:57 [1230] - Latest Date of files inside MWAV: Wed Apr 22 14:39:56 2015.
 
22 Apr 2015 10:35:57 [1094] - Options Selected by User:
22 Apr 2015 10:35:57 [1094] - Memory Check: Enabled
22 Apr 2015 10:35:57 [1094] - Registry Check: Enabled
22 Apr 2015 10:35:57 [1094] - StartUp Folder Check: Enabled
22 Apr 2015 10:35:57 [1094] - System Folder Check: Enabled
22 Apr 2015 10:35:57 [1094] - Services Check: Enabled
22 Apr 2015 10:35:57 [1094] - Scan Spyware: Enabled
22 Apr 2015 10:35:57 [1094] - Scan Archives: Disabled
22 Apr 2015 10:35:57 [1094] - Drive Check: Enabled
22 Apr 2015 10:35:57 [1094] - All Drive Check :Disabled
22 Apr 2015 10:35:57 [1094] - Drive Selected = C:\
22 Apr 2015 10:35:57 [1094] - Folder Check: Enabled
22 Apr 2015 10:35:57 [1094] - Folder Selected = C:\
22 Apr 2015 10:35:57 [1094] - SCAN: All_Files [ANSI]
22 Apr 2015 10:35:57 [1094] - MWAV Mode(B): Scan and Clean files (for viruses, adware and spyware)
 
22 Apr 2015 10:35:57 [1094] - Scanning DNS Records...
22 Apr 2015 10:35:57 [1094] - Scanning Master Boot Record (User)...
22 Apr 2015 10:35:57 [1094] - Scanning Logical Boot Records...
22 Apr 2015 10:35:58 [1094] - ***** Scanning For Hidden Rootkit Processes *****
22 Apr 2015 10:35:58 [1094] - ***** Scanning For Hidden Rootkit Services *****
 
22 Apr 2015 10:35:59 [1094] - ***** Scanning Memory Files *****
 
22 Apr 2015 10:36:02 [1094] - ***** Scanning Registry Files *****
22 Apr 2015 10:36:04 [1094] - ERROR(3)!!! Invalid Entry cmdline = %SystemRoot%\system32\ntvdm.exe (in key HKLM64\SYSTEM\CurrentControlSet\Control\WOW). Action Taken: Removing it.
 
22 Apr 2015 10:36:05 [1094] - ***** Scanning StartUp Folders *****
22 Apr 2015 10:36:14 [0ce0] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\184-001457-00_Rev_A_GVCSetup64.exe) took 6006 ms
22 Apr 2015 10:36:41 [1268] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\AccuserverBackup\bin\mdac_typ.exe) took 7363 ms
22 Apr 2015 10:39:49 [1268] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\answerspics\Thumbs.db) took 8019 ms
22 Apr 2015 10:41:14 [1320] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\AnswersPictures\Thumbs.db) took 9641 ms
22 Apr 2015 10:42:40 [1074] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\Catalog Stuff 08\2008 Catalog Files\2007 edited Pagemaker Files\Graphics\Thumbs.db) took 7832 ms
22 Apr 2015 10:42:52 [0d8c] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\Catalog Stuff 08\factstoanswers\formlogo.zip) took 5148 ms
22 Apr 2015 10:42:53 [1320] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\catvpn.zip) took 5210 ms
22 Apr 2015 10:43:26 [13cc] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\FedExShipManager_2472.exe) took 19173 ms
22 Apr 2015 10:45:17 [13cc] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_159167_114471_Apr_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [0cfc] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_170557_108820_Jun_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [1268] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_142618_114862_Jan_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [1074] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_165041_110363_May_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [0468] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_148419_116663_Feb_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [1268] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_187698_104297_Sep_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [0ce0] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_153822_115589_Mar_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [1268] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_203149_99599_Dec_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [0cfc] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_181639_110228_Aug_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [1074] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_193284_106107_Oct_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [0468] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_198334_101106_Nov_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [0ce0] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_208622_98750_Jan_01_2013.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [1268] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_214635_97707_Feb_01_2013.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:45:17 [13cc] - C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_175975_107526_Jul_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:46:30 [0d8c] - ScanFile (C:\Users\Pix\Downloads\Desktop\SharedFromOld XP\PPUstuff\PPU UNMARKED Pics\Thumbs.db) took 9625 ms
 
22 Apr 2015 10:53:34 [1094] - ***** Scanning Service Files *****
22 Apr 2015 10:53:38 [1094] - ERROR(2)!!! Invalid Entry \??\C:\ComboFix\catchme.sys. Action Taken: Removing HKLM64\SYSTEM\CurrentControlSet\Services\catchme.
22 Apr 2015 10:53:56 [1094] - Giving rights(a) to [HKLM64\SYSTEM\CurrentControlSet\Services\TrkWks].
 
22 Apr 2015 10:54:01 [1094] - ***** Scanning Registry and File system for Adware/Spyware *****
22 Apr 2015 10:54:02 [1094] - Loading Spyware Signatures from new External Database [Name: C:\Users\Pix\AppData\Local\Temp\spydb.avs, Size: 464724]...
22 Apr 2015 10:54:02 [1094] - Indexed Spyware Databases Successfully Created...
 
22 Apr 2015 10:54:03 [1094] - Offending file found: C:\Users\Pix\Downloads\USB2\USBMONIT.EXE
22 Apr 2015 10:54:03 [1094] - System found infected with PurityScan Spyware/Adware (USBMONIT.EXE)! Action taken: File Deleted.
22 Apr 2015 10:54:03 [1094] - Object "PurityScan Spyware/Adware" found in File System! Action Taken: File Deleted.
 
22 Apr 2015 10:54:04 [1094] - Offending Registry Entry found: HKCU\SOFTWARE\Wget
22 Apr 2015 10:54:04 [1094] - System found infected with Backdoor (IRCBot) Trojans Spyware/Adware (HKCU\SOFTWARE\Wget)! Action taken: Entries Removed.
22 Apr 2015 10:54:04 [1094] - Object "Backdoor (IRCBot) Trojans Spyware/Adware" found in File System! Action Taken: Entries Removed.
 
22 Apr 2015 10:54:04 [1094] - Offending Registry Entry found: HKCU\Software\Microsoft\OLE
22 Apr 2015 10:54:04 [1094] - System found infected with Backdoor (IRCBot) Trojans Spyware/Adware (HKCU\Software\Microsoft\OLE)! Action taken: Entries Removed.
22 Apr 2015 10:54:04 [1094] - Object "Backdoor (IRCBot) Trojans Spyware/Adware" found in File System! Action Taken: Entries Removed.
 
22 Apr 2015 10:54:04 [1094] - Offending Registry Entry found: HKCU\Software\Microsoft\Windows\CurrentVersion\Drivers
22 Apr 2015 10:54:04 [1094] - System found infected with AntiSpyware Pro XP Corrupted Adware/Spyware (HKCU\Software\Microsoft\Windows\CurrentVersion\Drivers)! Action taken: Entries Removed.
22 Apr 2015 10:54:04 [1094] - Object "AntiSpyware Pro XP Corrupted Adware/Spyware" found in File System! Action Taken: Entries Removed.
 
 
22 Apr 2015 10:54:04 [1094] - ***** Scanning Registry Files *****
22 Apr 2015 10:54:04 [1094] - ** Value in HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\main/Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
22 Apr 2015 10:54:04 [1094] - ** Deleted Value of "NoComponents" in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop". Its value was DWORD:1.
22 Apr 2015 10:54:04 [1094] - ** Deleted Value of "NoAddingComponents" in "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop". Its value was DWORD:1.
22 Apr 2015 10:54:05 [1094] - ** Value in 64-bit HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\main/Start Page = http://go.microsoft.com/fwlink/p/?LinkId=255141
22 Apr 2015 10:54:05 [1094] - ** Value in HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main/Start Page = www.google.com
22 Apr 2015 10:54:05 [1094] - ** Value in 64-bit HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main/Start Page = about:blank
22 Apr 2015 10:54:05 [1094] - ** Value in HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\main/Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
22 Apr 2015 10:54:05 [1094] - ** Value in 64-bit HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\main/Start Page = about:blank
 
22 Apr 2015 10:54:05 [1094] - ***** Scanning System32 Folders *****
 
22 Apr 2015 10:54:49 [0d8c] - ScanFile (C:\Users\Pix\AppData\Local\Temp\CitrixUpdates\GoToMeeting\2553\G2MCoreInstExtractor.exe) took 5226 ms
 
22 Apr 2015 10:55:06 [1094] - ***** Scanning Drive C:\ *****
22 Apr 2015 10:56:14 [0cfc] - ScanFile (C:\OEM\Preload\Autorun\DRV\AMD VGA Generic Driver\Packages\Drivers\Display\W76A_INF\B_94187\atioglxx.dl_) took 5163 ms
22 Apr 2015 10:57:27 [1074] - ScanFile (C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE) took 10296 ms
22 Apr 2015 10:59:33 [0cfc] - Scanning File C:\Program Files (x86)\Gateway\Registration\Gateway\Languages\Româna_RO.ui
22 Apr 2015 10:59:33 [0ce0] - Scanning File C:\Program Files (x86)\Gateway\Registration\Gateway\Languages\Lietuviu_LT.ui
22 Apr 2015 10:59:33 [0d8c] - Scanning File C:\Program Files (x86)\Gateway\Registration\Gateway\Languages\Slovencina_SK.ui
22 Apr 2015 10:59:33 [1074] - Scanning File C:\Program Files (x86)\Gateway\Registration\Gateway\Languages\Ceština_CS.ui
22 Apr 2015 11:01:41 [1074] - Scanning File C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
22 Apr 2015 11:01:41 [0d8c] - Scanning File C:\System Volume Information\{2846b8cc-e37a-11e4-baab-4487fc92454c}{3808876b-c176-4e48-b7ae-04046e6cc752}
22 Apr 2015 11:01:41 [13cc] - Scanning File C:\System Volume Information\{1ee51971-e5ed-11e4-9e12-4487fc92454c}{3808876b-c176-4e48-b7ae-04046e6cc752}
22 Apr 2015 11:01:41 [0d8c] - Scanning File C:\System Volume Information\{a781fa47-e377-11e4-bf4c-4487fc92454c}{3808876b-c176-4e48-b7ae-04046e6cc752}
22 Apr 2015 11:01:41 [1074] - Scanning File C:\System Volume Information\{a781fa43-e377-11e4-bf4c-4487fc92454c}{3808876b-c176-4e48-b7ae-04046e6cc752}
22 Apr 2015 11:01:41 [13cc] - Scanning File C:\System Volume Information\{d3d7de46-e2bf-11e4-846b-4487fc92454c}{3808876b-c176-4e48-b7ae-04046e6cc752}
22 Apr 2015 11:01:51 [0ce0] - ScanFile (C:\Qoobox\Quarantine\C\Users\Public\184-001457-00_Rev_A_GVCSetup64.exe.vir) took 10702 ms
22 Apr 2015 11:02:06 [1320] - ScanFile (C:\Users\Pix\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.7.796\_platform_specific\win_x86\widevinecdm.dll) took 5055 ms
22 Apr 2015 11:06:01 [0d8c] - ScanFile (C:\Users\Pix\Downloads\RCATSetup.exe) took 6505 ms
22 Apr 2015 11:09:01 [0cfc] - ScanFile (C:\Users\Public\answerspics\Thumbs.db) took 14227 ms
22 Apr 2015 11:11:21 [1074] - ScanFile (C:\Users\Public\Catalog Stuff 08\2008 Catalog Files\2007 edited Pagemaker Files\Graphics\Thumbs.db) took 6879 ms
22 Apr 2015 11:11:40 [0ce0] - ScanFile (C:\Users\Public\catvpn.zip) took 8424 ms
22 Apr 2015 11:11:42 [0468] - ScanFile (C:\Users\Public\chromeinstall-7u67 (1).exe) took 9391 ms
22 Apr 2015 11:12:12 [0cfc] - ScanFile (C:\Users\Public\finaletemp\Finale 2005 for Windows=Music Notation Software=FULL\Finale.2005.r2.Final\Setup\SETUP_ttdown.com.exe) took 22604 ms
22 Apr 2015 11:12:12 [0cfc] - Scanning of C:\Users\Public\finaletemp\Finale 2005 for Windows=Music Notation Software=FULL\Finale.2005.r2.Final\Setup\SETUP_ttdown.com.exe Timed out!!!
22 Apr 2015 11:13:33 [0d8c] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_153822_115589_Mar_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [13cc] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_170557_108820_Jun_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [1074] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_165041_110363_May_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [0ce0] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_159167_114471_Apr_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [1320] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_142618_114862_Jan_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [0cfc] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_148419_116663_Feb_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [0468] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_175975_107526_Jul_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [13cc] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_187698_104297_Sep_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [0ce0] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_198334_101106_Nov_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [0d8c] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_181639_110228_Aug_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [1074] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_193284_106107_Oct_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [1320] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_203149_99599_Dec_01_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [0cfc] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_208622_98750_Jan_01_2013.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:13:33 [0468] - C:\Users\Public\PayPal and Pay Leap\Payleap-Merchant_Statement_434371648883_214635_97707_Feb_01_2013.pdf not Scanned. Possibly password protected...
22 Apr 2015 11:14:23 [0d8c] - ScanFile (C:\Users\Public\PPUstuff\PPU UNMARKED Pics\Thumbs.db) took 8283 ms
22 Apr 2015 11:14:39 [1268] - ScanFile (C:\Users\Public\X17-75161.exe) took 5523 ms
22 Apr 2015 11:16:14 [0ce0] - ScanFile (C:\Windows\Installer\$PatchCache$\Managed\00004109D30000000100000000F01FEC\14.0.4763\MSPUB.EXE) took 5975 ms
22 Apr 2015 11:16:15 [0468] - ScanFile (C:\Windows\Installer\$PatchCache$\Managed\00004109D30000000100000000F01FEC\14.0.4763\MSACCESS.EXE) took 7800 ms
22 Apr 2015 11:16:21 [1074] - ScanFile (C:\Windows\Installer\$PatchCache$\Managed\00004109D30000000100000000F01FEC\14.0.4763\OUTLOOK.EXE) took 10031 ms
22 Apr 2015 11:16:42 [0d8c] - ScanFile (C:\Windows\Installer\5aff5c3.msp) took 5257 ms
22 Apr 2015 11:16:45 [0468] - ScanFile (C:\Windows\Installer\578d7fe.msp) took 9391 ms
22 Apr 2015 11:16:49 [0ce0] - ScanFile (C:\Windows\Installer\789a0.msp) took 5148 ms
22 Apr 2015 11:16:51 [13cc] - ScanFile (C:\Windows\Installer\78968.msp) took 7691 ms
22 Apr 2015 11:16:51 [0cfc] - ScanFile (C:\Windows\Installer\5aff6fe.msp) took 9687 ms
22 Apr 2015 11:28:08 [1320] - ScanFile (C:\Windows\winsxs\x86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7601.18044_none_6e173b82127da724\ntkrnlpa.exe) took 6318 ms
 
22 Apr 2015 11:28:40 [1094] - ***** Checking for specific ITW Viruses *****
 
22 Apr 2015 11:28:41 [1094] - ***** Scanning complete. *****
 
22 Apr 2015 11:28:41 [1094] - Total Objects Scanned: 612771
22 Apr 2015 11:28:41 [1094] - Total Critical Objects: 4
22 Apr 2015 11:28:41 [1094] - Total Disinfected Objects: 0
22 Apr 2015 11:28:41 [1094] - Total Objects Renamed: 0
22 Apr 2015 11:28:41 [1094] - Total Deleted Objects: 4
22 Apr 2015 11:28:41 [1094] - Total Errors: 2
22 Apr 2015 11:28:41 [1094] - Time Elapsed: 00:51:59
22 Apr 2015 11:28:41 [1094] - Virus Database Date: 22 Apr 2015
22 Apr 2015 11:28:41 [1094] - Virus Database Count: 5663976
22 Apr 2015 11:28:41 [1094] - Sign Version: 7.60238 [518990]
 
22 Apr 2015 11:28:41 [1094] - Scan Completed.
 
 
Proceeding to Step #2
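
An added example, not part of the original posts and not eScan's own tooling: a short Python triage script for an MWAV.LOG like the one above. It pairs each "Offending ... found" line with its verdict, lists files the scan skipped or timed out on, and checks the parsed counts against the log's own totals; the sample lines are constructed in the same format, and `triage`, `consistency` and the placeholder paths are assumptions of this example.

```python
import re

# Constructed sample in the MWAV.LOG line format quoted in the post above.
# Paths and the user name are placeholders; detection names mirror that log.
SAMPLE_LOG = r"""
22 Apr 2015 10:36:04 [1094] - ERROR(3)!!! Invalid Entry cmdline = %SystemRoot%\system32\ntvdm.exe (in key HKLM64\SYSTEM\CurrentControlSet\Control\WOW). Action Taken: Removing it.
22 Apr 2015 10:45:17 [13cc] - C:\Users\Example\Docs\statement_2012.pdf not Scanned. Possibly password protected...
22 Apr 2015 10:54:03 [1094] - Offending file found: C:\Users\Example\Downloads\USB2\USBMONIT.EXE
22 Apr 2015 10:54:03 [1094] - System found infected with PurityScan Spyware/Adware (USBMONIT.EXE)! Action taken: File Deleted.
22 Apr 2015 10:54:03 [1094] - Object "PurityScan Spyware/Adware" found in File System! Action Taken: File Deleted.
22 Apr 2015 10:54:04 [1094] - Offending Registry Entry found: HKCU\SOFTWARE\Wget
22 Apr 2015 10:54:04 [1094] - System found infected with Backdoor (IRCBot) Trojans Spyware/Adware (HKCU\SOFTWARE\Wget)! Action taken: Entries Removed.
22 Apr 2015 11:12:12 [0cfc] - Scanning of C:\Users\Public\setup.exe Timed out!!!
22 Apr 2015 11:28:41 [1094] - Total Critical Objects: 2
22 Apr 2015 11:28:41 [1094] - Total Errors: 1
"""

LINE = re.compile(r"^(?P<ts>\d{1,2} \w{3} \d{4} \d\d:\d\d:\d\d) "
                  r"\[(?P<tid>[0-9a-fA-F]+)\] - (?P<msg>.+)$")
OFFENDING = re.compile(r"^Offending (?P<kind>file|Registry Entry) found: (?P<target>.+)$")
INFECTED = re.compile(r"^System found infected with (?P<body>.+)! "
                      r"Action taken: (?P<action>.+?)\.?$")
ERROR = re.compile(r"^ERROR\((?P<code>\d+)\)!!! (?P<detail>.+)$")
TIMED_OUT = re.compile(r"^Scanning of (?P<path>.+) Timed out!+$")
NOT_SCANNED = re.compile(r"^(?P<path>.+?) not Scanned\. (?P<reason>.+?)\.*$")
TOTAL = re.compile(r"^Total (?P<label>[A-Za-z ]+): (?P<n>\d+)$")


def _detection_name(body, target):
    """Drop the trailing ' (object)' that the log appends to the detection name.

    The object is either the full registry key or only the file's base name,
    and detection names may themselves contain parentheses, so the suffix is
    matched against the preceding "Offending ... found" target, not by regex.
    """
    candidates = [target, target.rsplit("\\", 1)[-1]] if target else []
    for tail in candidates:
        suffix = f" ({tail})"
        if body.lower().endswith(suffix.lower()):
            return body[: -len(suffix)]
    return body


def triage(log_text):
    """Reduce an MWAV-style log to findings, errors, coverage gaps and totals."""
    report = {"findings": [], "errors": [], "unscanned": [], "totals": {}}
    pending = None  # last "Offending ... found" line still waiting for a verdict
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue
        msg = line["msg"]
        if m := OFFENDING.match(msg):
            kind = "file" if m["kind"] == "file" else "registry"
            pending = {"kind": kind, "target": m["target"]}
        elif m := INFECTED.match(msg):
            src = pending or {"kind": "unknown", "target": None}
            report["findings"].append({
                "time": line["ts"], "kind": src["kind"], "target": src["target"],
                "name": _detection_name(m["body"], src["target"]),
                "action": m["action"],
            })
            pending = None
        elif m := ERROR.match(msg):
            report["errors"].append({"code": int(m["code"]), "detail": m["detail"]})
        elif m := TIMED_OUT.match(msg):
            report["unscanned"].append({"path": m["path"], "reason": "Timed out"})
        elif m := NOT_SCANNED.match(msg):
            report["unscanned"].append({"path": m["path"], "reason": m["reason"]})
        elif m := TOTAL.match(msg):
            report["totals"][m["label"]] = int(m["n"])
    return report


def consistency(report):
    """Compare parsed counts with the scanner's own totals; return mismatches."""
    checks = [("Critical Objects", len(report["findings"])),
              ("Errors", len(report["errors"]))]
    return [f"{label}: log says {report['totals'][label]}, parsed {seen}"
            for label, seen in checks
            if label in report["totals"] and report["totals"][label] != seen]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result["findings"]:
        print(f"{f['time']}  {f['kind']:8}  {f['name']}  ->  {f['action']}  [{f['target']}]")
    for u in result["unscanned"]:
        print(f"NOT COVERED  {u['path']}  ({u['reason']})")
    print("Mismatches:", consistency(result) or "none")
```

The `unscanned` list is the part worth reading first: password-protected and timed-out files were never inspected, so a clean summary says nothing about them.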


#4 Netflyer165

Netflyer165
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 22 April 2015 - 12:27 PM

After step #2:

Zemana AntiMalware 2.10.2.18 (Installed)
-------------------------------------------------------
Scan Result           : Completed
Scan Date             : 2015/4/22
Operating System      : Windows 7 64-bit
Processor             : 8X Intel® Core™ i7 CPU  860 @ 2.80GHz
BIOS Mode             : Legacy
CUID                  : 00D2C4265F65094B277229
Scan Type             : Deep Scan
Duration              : 45m 7s
Scanned Objects       : 194883
Detected Objects      : 6
Excluded Objects      : 0
Read Level            : SCSI
Auto Upload           : Yes
Show All Extensions   : No
Scan Documents        : Yes
Engines               : Zemana, Avira, Eset, Bitdefender, AVG, Kaspersky
 
 
Detected Objects
-------------------------------------------------------
GoogleUpdate.dll
   Status             : Scanned
   Object             : %programfiles%\google\chrome\application\googleupdate.dll
   MD5                : BF798224C03248B5B898A664BE03C8DA
   Publisher          : -
   Size               : 686592
   Version            : 37.0.2013.0
   Detections         : Eset: Win32/ExtenBro.AZ trojan
   Cleaning Action    : Quarantine
   Traces             :
                File - %programfiles%\google\chrome\application\googleupdate.dll
                Library - 3220 - C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
install_reader10_en_mssd_aih.exe
   Status             : Scanned
   Object             : %userprofile%\downloads\install_reader10_en_mssd_aih.exe
   MD5                : 1A8799AAF7D096DEC5471E89687E5D4F
   Publisher          : -
   Size               : 188667
   Version            : -
   Detections         : AVG: Suspicious
   Cleaning Action    : Quarantine
   Traces             :
                File - %userprofile%\downloads\install_reader10_en_mssd_aih.exe
 
DiscWizardSetup-14387.en.exe
   Status             : Scanned
   Object             : %userprofile%\downloads\discwizardsetup-14387.en.exe
   MD5                : ACF8F08C01FFB8F446D2349A4431FB68
   Publisher          : -
   Size               : 60422
   Version            : -
   Detections         : AVG: Suspicious
   Cleaning Action    : Quarantine
   Traces             :
                File - %userprofile%\downloads\discwizardsetup-14387.en.exe
 
2dviewereditordwgdxfplttiffcgm-setup.exe
   Status             : Scanned
   Object             : %userprofile%\downloads\2dviewereditordwgdxfplttiffcgm-setup.exe
   MD5                : 0D8A0B5224A580BCED51E46B9DFD6B35
   Publisher          : Cash Buyer Media
   Size               : 666608
   Version            : 4.0.0.1
   Detections         : Avira: PUA/DownloadAdmin.P, Eset: a variant of Win32/DownloadAdmin.I application
   Cleaning Action    : Quarantine
   Traces             :
                File - %userprofile%\downloads\2dviewereditordwgdxfplttiffcgm-setup.exe
 
epson13552[1].exe
   Status             : Scanned
   Object             : %localappdata%\microsoft\windows\temporary internet files\low\content.ie5\q0xip9ii\epson13552[1].exe
   MD5                : 5AEB4DB194A01E37120CD69E27963114
   Publisher          : -
   Size               : 1222076
   Version            : -
   Detections         : AVG: Suspicious
   Cleaning Action    : Quarantine
   Traces             :
                File - %localappdata%\microsoft\windows\temporary internet files\low\content.ie5\q0xip9ii\epson13552[1].exe
 
epson13552[1].exe
   Status             : Scanned
   Object             : %localappdata%\microsoft\windows\temporary internet files\low\content.ie5\126uwb4c\epson13552[1].exe
   MD5                : D24563046FBF2ED781E5750F01C4DEEE
   Publisher          : -
   Size               : 4795808
   Version            : -
   Detections         : AVG: Suspicious
   Cleaning Action    : Quarantine
   Traces             :
                File - %localappdata%\microsoft\windows\temporary internet files\low\content.ie5\126uwb4c\epson13552[1].exe
 
 
Cleaning Result
-------------------------------------------------------
Cleaned               : 6
Reported as safe      : 0
Failed                : 0


#5 Netflyer165

Netflyer165
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 22 April 2015 - 12:48 PM

After Step 3:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.6.0 (04.20.2015:1)
OS: Windows 7 Professional x64
Ran by Pix on Wed 04/22/2015 at 13:28:30.32
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/22/2015 at 13:30:23.36
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


#6 Netflyer165

Netflyer165
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 22 April 2015 - 02:40 PM

# AdwCleaner v4.201 - Logfile created 22/04/2015 at 13:50:44
# Updated 08/04/2015 by Xplode
# Database : 2015-04-22.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Pix - RUSSIII
# Running from : C:\Users\Pix\Downloads\Desktop\adwcleaner_4.201.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Pix\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKCU\Software\Local AppWizard-Generated Applications
Key Deleted : HKU\.DEFAULT\Software\Local AppWizard-Generated Applications
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17728
 
 
-\\ Mozilla Firefox v
 
 
-\\ Google Chrome v42.0.2311.90
 
[C:\Users\Pix\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Pix\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Pix\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - Deleted [Extension] : nmmhkkegccagdldgiimedpiccmgmieda
 
*************************
 
AdwCleaner[R0].txt - [3539 bytes] - [14/04/2015 11:03:57]
AdwCleaner[R1].txt - [3630 bytes] - [14/04/2015 11:42:09]
AdwCleaner[R2].txt - [1309 bytes] - [15/04/2015 09:54:58]
AdwCleaner[R3].txt - [1890 bytes] - [22/04/2015 13:49:49]
AdwCleaner[S0].txt - [417 bytes] - [14/04/2015 11:07:16]
AdwCleaner[S1].txt - [3341 bytes] - [14/04/2015 11:43:41]
AdwCleaner[S2].txt - [913 bytes] - [15/04/2015 09:55:58]
AdwCleaner[S3].txt - [1755 bytes] - [22/04/2015 13:50:44]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1814  bytes] ##########


#7 Netflyer165

Netflyer165
  • Topic Starter

  • Members
  • 49 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 22 April 2015 - 02:42 PM

Should I do anything else?

 

Thank you!


Edited by Netflyer165, 22 April 2015 - 02:44 PM.


#8 InadequateInfirmity


Posted 22 April 2015 - 06:46 PM

Boot into Safe Mode with Networking. The first tool that we will use is Emsisoft Emergency Kit. Download and save the application to your desktop. Right-click the icon and select Run As Administrator. Click on Extract.

Another similar icon will appear on your desktop; right-click this one and Run as Administrator as well. When the program opens, select Update.

After the update, if you see the screen below then select Yes.

Now click on the Scan button; do not start the scan yet.

Make sure to click Yes to detect PUPs.

Select the On scan completion button, then quarantine detected objects, then hit OK.

Now click on the Smart Scan (Recommended).

Allow the scan to complete. Upon completion select Quarantine Selected. Make certain all items are ticked.

Click OK upon completion of the program removing the infected files.

Reboot if needed to remove infected files, and post the log here in your next reply.

 

 

Download Malwarebytes Anti-Rootkit to your desktop.

  • Double-click the icon to start the tool.
  • It will ask you where to extract; make sure it is on the desktop.
  • Malwarebytes Anti-Rootkit needs to be run from an account with admin rights.
  • Click Next to continue.
  • Then click Update.
  • Once the update is finished, select Next, then Scan.
  • If no malware has been found, at the end of the scan select Exit.
  • If an infection was found, make sure to select all items and click Cleanup.
  • Reboot your machine.
  • Open the MBAR folder and paste the content of the following into your next reply:
      • mbar-log-{date} (xx-xx-xx).txt
      • system-log.txt

 

Eset Scan
 
Disable your antivirus prior to running this scan.
 
 
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double-click the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.


#9 Netflyer165


Posted 24 April 2015 - 08:29 AM

Emsisoft Emergency Kit - Version 9.0
Last update: 4/23/2015 9:52:59 AM
User account: RUSSIII\Pix
 
Scan settings:
 
Scan type: Smart Scan
Objects: Rootkits, Memory, Traces, C:\Windows\, C:\Program Files\, C:\Program Files (x86)\
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 4/23/2015 10:50:02 AM
Key: HKEY_USERS\.DEFAULT\SOFTWARE\APPDATALOW\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} detected: Application.Bundle (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} detected: Application.Bundle (A)
Value: HKEY_USERS\S-1-5-21-2490889077-515205241-17541552-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-2490889077-515205241-17541552-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Key: HKEY_USERS\.DEFAULT\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F} detected: Application.Win32.InstallAd (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F} detected: Application.Win32.InstallAd (A)
 
Scanned 205124
Found 7
 
Scan end: 4/23/2015 11:17:57 AM
Scan time: 0:27:55
 
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F} Quarantined Application.Win32.InstallAd (A)
Value: HKEY_USERS\S-1-5-21-2490889077-515205241-17541552-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-2490889077-515205241-17541552-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Quarantined Setting.DisableTaskMgr (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} Quarantined Application.Bundle (A)
 
Quarantined 5
 
 
Then Mbar came up clean with nothing in the log to report and Eset came up with all files clean, nothing found to report.
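
The Emsisoft log in the post above lists 7 detections but 5 quarantined objects. The following added example (not part of the original posts or of any tool used in the thread) reconciles the two lists, relying on the fact that Windows exposes the LocalSystem hive under both `HKEY_USERS\.DEFAULT` and `HKEY_USERS\S-1-5-18`; the names `EEK_LOG`, `normalize` and `reconcile` are illustrative.

```python
import re

# Log entries copied from the Emsisoft Emergency Kit report in the post above.
EEK_LOG = r"""
Key: HKEY_USERS\.DEFAULT\SOFTWARE\APPDATALOW\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} detected: Application.Bundle (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} detected: Application.Bundle (A)
Value: HKEY_USERS\S-1-5-21-2490889077-515205241-17541552-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-2490889077-515205241-17541552-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Key: HKEY_USERS\.DEFAULT\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F} detected: Application.Win32.InstallAd (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F} detected: Application.Win32.InstallAd (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{1146AC44-2F03-4431-B4FD-889BC837521F} Quarantined Application.Win32.InstallAd (A)
Value: HKEY_USERS\S-1-5-21-2490889077-515205241-17541552-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_USERS\S-1-5-21-2490889077-515205241-17541552-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Quarantined Setting.DisableTaskMgr (A)
Key: HKEY_USERS\S-1-5-18\SOFTWARE\APPDATALOW\{12DA0E6F-5543-440C-BAA2-28BF01070AFA} Quarantined Application.Bundle (A)
"""

# One log entry: object path, then either "detected:" or "Quarantined", then the detection name.
ENTRY = re.compile(r"^(?:Key|Value): (?P<obj>.+?) (?P<state>detected:|Quarantined) (?P<name>.+)$", re.M)
# HKEY_USERS\.DEFAULT is an alias of the LocalSystem hive HKEY_USERS\S-1-5-18.
ALIAS = ("HKEY_USERS\\.DEFAULT\\", "HKEY_USERS\\S-1-5-18\\")

def normalize(obj):
    """Upper-case a registry path and fold the .DEFAULT alias onto S-1-5-18."""
    obj = obj.strip().upper()
    if obj.startswith(ALIAS[0]):
        obj = ALIAS[1] + obj[len(ALIAS[0]):]
    return obj

def reconcile(log_text):
    """Return (raw_detection_count, unique_detected, quarantined, unresolved)."""
    raw, detected, quarantined = 0, {}, set()
    for m in ENTRY.finditer(log_text):
        obj = normalize(m["obj"])
        if m["state"] == "Quarantined":
            quarantined.add(obj)
        else:
            raw += 1
            detected[obj] = m["name"]
    unresolved = {o: n for o, n in detected.items() if o not in quarantined}
    return raw, detected, quarantined, unresolved

if __name__ == "__main__":
    raw, detected, quarantined, unresolved = reconcile(EEK_LOG)
    print(f"{raw} detections, {len(detected)} unique objects, {len(quarantined)} quarantined")
    for obj, name in unresolved.items():
        print("NOT QUARANTINED:", name, obj)
```

An empty `unresolved` result means every detected object has a matching quarantine entry once the alias is folded; any entry left in it is a detection worth re-checking after the reboot.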


#10 InadequateInfirmity


Posted 24 April 2015 - 06:10 PM

How is your machine running now?



#11 Netflyer165


Posted 27 April 2015 - 08:52 AM

Seems to be working fine Dr. :-)  Thank you so much!



#12 InadequateInfirmity


Posted 27 April 2015 - 01:25 PM

Qualys BrowserCheck: to update plugins.

Safe Browsing Tool Web of Trust: to keep away from shady sites.

Unchecky: to avoid bundled software.

Adblock Plus: to browse the web ad free.

Malwarebytes Anti-Exploit: to block zero-day attacks.

Malwarebytes | StartUpLITE: to disable unneeded startups.

 

 

 

Download DelFix by "Xplode" to your Desktop.
Right-click the tool and Run as Admin (XP users double-click).
Put a check mark next to the items below:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Now click on the "Run" button.
Allow the program to complete its work.
All the tools we used will be removed.
The tool will create and open a log report (DelFix.txt).
Note: The report can be located at the following location: C:\DelFix.txt





