
Antivirus software repeatedly quarantines suspected files - Artemis!


This topic is locked. 26 replies to this topic.

#1 Randombloke99

Posted 07 July 2015 - 03:23 AM

Hi,

Stupidly trusted a link offering free software! My antivirus software went mental and started quarantining files:

- Artemis!, Trojan FFZV!, RDN/Generic tfr!ej

 

Before I found your site I tried deleting whatever files I could find and shredded my temp inet files, but problems still persist!

 

Keep getting RunDLL errors popup:

C:\users\paul\appdata\local\temp\5d7c60e4-34b7-0f49-87de-ae9653cb53a4\ instsupp.dll

 

I have run Farbar; here are my results:

 

Attached File  FRST.txt   476.78KB   6 downloads

Attached File  Addition.txt   40.21KB   5 downloads

 

 

Many thanks





#2 satchfan (Malware Response Team)

Posted 07 July 2015 - 05:43 AM

Hello Randombloke99 and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please follow these instructions in the order given.

===================================================

Uninstall programs

Uninstall this program:

Optimizer Pro v3.2


  • hold down the Windows logo key and press X to open a menu at the lower-left area of the screen
  • select Programs and Features from the menu
  • search and select the above program and click on Uninstall
  • reboot your computer.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please run FRST again and post the new log.

Logs to include with next post:

AdwCleaner log
JRT.txt
New Frst.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Randombloke99 (Topic Starter)

Posted 07 July 2015 - 06:54 AM

Done as instructed.

Now have lots and lots of popups in Chrome!!!!!!

Attached Files



#4 Randombloke99 (Topic Starter)

Posted 07 July 2015 - 06:57 AM

Other files.

popups keep opening windows all over the place!

Attached Files

  • Attached File  FRST.txt   473.31KB   6 downloads
  • Attached File  JRT.txt   6.12KB   6 downloads


#5 satchfan (Malware Response Team)

Posted 07 July 2015 - 07:18 AM

I haven't had a chance to even open your logs yet, let alone look at them so meanwhile let's try another scan which will be quicker to deal with if anything's found.

 

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects - everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

Satchfan

 




#6 Randombloke99 (Topic Starter)

Posted 07 July 2015 - 07:38 AM

RogueKiller report

Attached File  roguekillerreport.txt   5.39KB   4 downloads



#7 satchfan (Malware Response Team)

Posted 07 July 2015 - 07:50 AM

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7: right-click the program and select Run as Administrator
  • after it has completed its pre-scan, click on Scan
  • click on each of the tabs and make sure everything is selected
  • then press the Delete button and post the log it produces.

Let me know if there is any change.
 

Please copy/paste any future logs in the post, not attach them.

 

Thanks




#8 Randombloke99 (Topic Starter)

Posted 07 July 2015 - 08:20 AM

I ran RK again and deleted everything, but the popups are now not letting me use the rest of the screen so I can't post the report as I'm having to type this from my phone!
It just seems to be getting worse!!
McAfee has come back on again and is trying to run its own scans, shall I reboot the computer and run all the programs again??
Cheers

#9 satchfan (Malware Response Team)

Posted 07 July 2015 - 08:23 AM

Try running it in Safe mode.




#10 Randombloke99 (Topic Starter)

Posted 07 July 2015 - 11:54 AM

Hi,

Think I'm finally getting somewhere! Ran all the software in safe mode including my virus checker, which came up with a few hits. Quarantined and deleted those.

Rebooted in normal mode and most of the popups have gone with the exception of 1: a box in the corner of my browser that simply says "Find people" with a text box and search button. I can't seem to do anything to shift this one!

I've run all your software again and they've all come back pretty much clear apart from a couple of things. Is this the box that I'm seeing??

These are the most recent reports:

 

RogueKiller V10.9.0.0 [Jul  6 2015] by Adlice Software
 
Operating System : Windows 8.1 (6.3.9200 ) 64 bits version
Started in : Normal mode
User : Paul [Administrator]
Started from : C:\Users\Paul\Desktop\RogueKiller.exe
Mode : Scan -- Date : 07/07/2015 15:54:42
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 0 ¤¤¤
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD7500BPVX-60JC3T0 +++++
--- User ---
[MBR] 7809967f2c466e818b03e7dbb46fdf3a
[BSP] af905f9a23e138cb9727acf327ae044b : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 400 MB
1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 821248 | Size: 260 MB
2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1353728 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1615872 | Size: 690806 MB
4 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1416386560 | Size: 450 MB
5 - [SYSTEM][MAN-MOUNT]  | Offset (sectors): 1417308160 | Size: 350 MB
6 - [SYSTEM] Basic data partition | Offset (sectors): 1418024960 | Size: 23009 MB
User = LL1 ... OK
User = LL2 ... OK
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.3.5 (07.07.2015:2)
OS: Windows 8.1 x64
Ran by Paul on 07/07/2015 at 15:55:54.90
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Chrome
 
Successfully deleted: [Folder] C:\Users\Paul\appdata\local\Google\Chrome\User Data\Default\Extensions\papbadoldddalgcjcicnikcfenodpghp
 
[C:\Users\Paul\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\Paul\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
papbadoldddalgcjcicnikcfenodpghp
 
[C:\Users\Paul\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\Paul\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[
  papbadoldddalgcjcicnikcfenodpghp
]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 07/07/2015 at 15:59:26.95
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
AdwCleaner was completely empty, can post a report if you wish.
 
Any suggestions on getting rid of anything else??
 
Cheers

 



#11 satchfan (Malware Response Team)

Posted 07 July 2015 - 01:42 PM

Well done on doing that: so far so good but a bit of work needs to be done because your computer was quite infected.

 

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7/8, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    
    createsrpoint;
    autoclean;
    emptyalltemp;
    ipconfig /flushdns;
    
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

 

 




#12 Randombloke99 (Topic Starter)

Posted 07 July 2015 - 03:18 PM

Here is the report. Still have the "find people" box on browser screen.

 

 
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Paul on 07/07/2015 at 20:55:46.06.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Paul\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
07/07/2015 20:58:17 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\Program Files\stinger deleted successfully
C:\Users\Paul\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Paul\AppData\Local\EmieSiteList deleted successfully
C:\Users\Paul\AppData\Local\EmieUserList deleted successfully
C:\Users\Paul\AppData\Local\MediaShow deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-2244896006-3119912588-1882875579-1001\Software\Microsoft\Internet Explorer\SearchScopes\{FE8AC6E5-2D42-46BC-B4BE-9AEE649D4B16} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{FE8AC6E5-2D42-46BC-B4BE-9AEE649D4B16} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FE8AC6E5-2D42-46BC-B4BE-9AEE649D4B16} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~3\mxYJWJjgOo deleted
C:\PROGRA~2\ae4af557-5442-4aad-b389-05f44f3ab090 deleted
C:\PROGRA~2\edfe9dd0-abf4-461e-8b07-323200e1a2f7 deleted
C:\PROGRA~3\Package Cache deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
"C:\windows\Installer\dfdd.msi" deleted
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{4ED1F68A-5463-4931-9384-8FFF5ED91D92}"="C:\Program Files (x86)\McAfee\SiteAdvisor" [07/07/2015 12:03]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{4ED1F68A-5463-4931-9384-8FFF5ED91D92}"="C:\Program Files (x86)\McAfee\SiteAdvisor" [07/07/2015 12:03]
 
==== Chromium Look ======================
 
Google Chrome Version: 43.0.2357.132
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
fheoggkfdfchfphceeifdbepaooicaho - C:\Program Files (x86)\McAfee\SiteAdvisor\McChPlg.crx[03/07/2015 15:26]
 
SiteAdvisor - Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho
Chrome Hotword Shared Module - Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg
Search People - Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\papbadoldddalgcjcicnikcfenodpghp
 
==== Chromium Startpages ======================
 
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Preferences
 
 
==== Chromium Fix ======================
 
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.rapidfinder.co.uk_0.localstorage deleted successfully
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.rapidfinder.co.uk_0.localstorage-journal deleted successfully
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.kusham00.kusham.net_0.localstorage deleted successfully
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_static.kusham00.kusham.net_0.localstorage-journal deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
{D944BB61-2E34-4DBF-A683-47E505C587DC} eBay  Url="http://rover.ebay.com/rover/1/710-29550-11896-25/4"
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\AA5C8F95DB19D324FB50908AF09398F8 deleted successfully
HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{59F8C5AA-91BD-423D-BF05-09A80F39898F} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\AA5C8F95DB19D324FB50908AF09398F8 deleted successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=30 folders=13 26655102 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Paul\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\Paul\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on 07/07/2015 at 21:11:37.80 ======================
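The zoek log above lists the extensions Chrome had registered (the "Chromium Look" section) and dumps the Preferences file that records, per extension ID, its manifest, whether it came from the Web Store and a 1601-epoch install timestamp. The following is an added example, not code from the thread or from any of the tools used in it: it parses a constructed Preferences-style JSON document, converts Chrome's timestamps to UTC, and flags extensions that are not from the Web Store, update from a non-Google host, or hold page-wide permissions. The extension IDs, names and URLs in SAMPLE_PREFS are made up.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome records times as microseconds since 1601-01-01 UTC (the Windows FILETIME
# epoch), which is why "install_time" values in Preferences are 17-digit integers.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Permissions that let an extension read or rewrite every page; a "search helper"
# that injects boxes and pop-ups into the browser needs something from this set.
BROAD_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking", "webNavigation",
                     "<all_urls>", "http://*/*", "https://*/*", "*://*/*"}

# Update host used by extensions delivered through the Chrome Web Store.
WEBSTORE_UPDATE_HOSTS = {"clients2.google.com"}

# Constructed sample in the shape of the "extensions" -> "settings" map found in
# Chrome's Preferences / Secure Preferences files. IDs, names and URLs are made up.
SAMPLE_PREFS = """{
  "extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "from_webstore": true, "was_installed_by_default": true,
      "install_time": "13079000000000000",
      "manifest": {"name": "Mail", "version": "8.1", "permissions": ["notifications"],
                   "update_url": "http://clients2.google.com/service/update2/crx"}
    },
    "bpbpbpbpbpbpbpbpbpbpbpbpbpbpbpbp": {
      "from_webstore": false, "was_installed_by_default": false,
      "install_time": "13081000000000000",
      "manifest": {"name": "Search Helper", "version": "1.0",
                   "permissions": ["tabs", "http://*/*"],
                   "update_url": "http://updates.example.invalid/crx"}
    }
  }}
}"""


def chrome_time_to_utc(value):
    """Convert a Chrome timestamp (string or int, microseconds since 1601) to UTC."""
    return CHROME_EPOCH + timedelta(microseconds=int(value))


def is_extension_id(ext_id):
    """Extension IDs are 32 characters from the alphabet a-p (hex digits mapped onto a-p)."""
    return len(ext_id) == 32 and all("a" <= ch <= "p" for ch in ext_id)


def audit_extension(ext_id, entry):
    """Return a record with the facts a responder wants about one extension entry."""
    manifest = entry.get("manifest", {})
    perms = set(manifest.get("permissions", []))
    findings = []
    if not is_extension_id(ext_id):
        findings.append("malformed extension id")
    if not entry.get("from_webstore", False):
        findings.append("not from Web Store")
    update_url = manifest.get("update_url")
    if update_url:
        host = urlparse(update_url).hostname or ""
        if host not in WEBSTORE_UPDATE_HOSTS:
            findings.append("update_url host " + host)
    broad = sorted(perms & BROAD_PERMISSIONS)
    if broad:
        findings.append("broad permissions: " + ", ".join(broad))
    installed = entry.get("install_time")
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "installed_utc": chrome_time_to_utc(installed).isoformat() if installed else None,
        "default": bool(entry.get("was_installed_by_default", False)),
        "findings": findings,
    }


def audit_json(text):
    """Parse a Preferences-style JSON document and audit every extension in it."""
    prefs = json.loads(text)
    settings = prefs.get("extensions", {}).get("settings", {})
    return [audit_extension(ext_id, entry) for ext_id, entry in sorted(settings.items())]


def suspicious_ids(text):
    """IDs with at least one finding, most recently installed first."""
    flagged = [r for r in audit_json(text) if r["findings"]]
    flagged.sort(key=lambda r: r["installed_utc"] or "", reverse=True)
    return [r["id"] for r in flagged]


if __name__ == "__main__":
    for rec in audit_json(SAMPLE_PREFS):
        status = "; ".join(rec["findings"]) or "ok"
        print(f'{rec["id"]} {rec["name"]} v{rec["version"]} '
              f'installed {rec["installed_utc"]}: {status}')
```

On a live profile, pass the contents of Secure Preferences rather than Preferences, since that is the file Chrome protects with the per-entry MACs seen in the log above.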
 


#13 Randombloke99 (Topic Starter)

Posted 07 July 2015 - 03:31 PM

The popup box is only in Google Chrome; Internet Explorer is not infected. Would it help to uninstall Chrome?



#14 satchfan (Malware Response Team)

Posted 07 July 2015 - 04:19 PM

Good work on what you've done so far.

 

 

The popup box is only in Google Chrome; Internet Explorer is not infected. Would it help to uninstall Chrome?

Please just follow the instructions for now and if I think that’s necessary I’ll let you know.


Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe.

  • right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    
    chrdefaults;
    emptyalltemp;
    emptyclsid;
    
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the system drive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

After you've done that, please run AdwCleaner and FRST again and also send those new logs.

Thanks

Satchfan

 




#15 Randombloke99 (Topic Starter)

Posted 08 July 2015 - 03:31 AM

Good Morning!

 

I have run Zoek, AdwCleaner and FRST and it appears to have been successful regarding the "find people" box!

 

Here are the logs:

 

 

 
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Paul on 08/07/2015 at  8:59:01.02.
Microsoft Windows 8.1 6.3.9600  x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Paul\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
==== Older Logs ======================
 
C:\zoek-results2015-07-07-201137.log 13294 bytes
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
 
==== Reset Google Chrome ======================
 
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences was reset successfully
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal was reset successfully
 
==== Empty IE Cache ======================
 
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Paul\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
 
==== Empty FireFox Cache ======================
 
No FireFox Profiles found
 
==== Empty Chrome Cache ======================
 
C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
No Java Cache Found
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=30 folders=13 26655102 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Paul\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\WINDOWS\Temp successfully emptied
C:\Users\Paul\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on 08/07/2015 at  9:03:29.34 ======================
 

# AdwCleaner v4.207 - Logfile created 08/07/2015 at 09:08:02
# Updated 21/06/2015 by Xplode
# Database : 2015-07-05.2 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Paul - PAULS-LAPTOP
# Running from : C:\Users\Paul\Desktop\adwcleaner_4.207.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Extensions\papbadoldddalgcjcicnikcfenodpghp
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\databases\chrome-extension_papbadoldddalgcjcicnikcfenodpghp_0
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\papbadoldddalgcjcicnikcfenodpghp
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17840
 
 
-\\ Google Chrome v43.0.2357.132
 
 
*************************
 
AdwCleaner[R0].txt - [5206 bytes] - [07/07/2015 12:13:39]
AdwCleaner[R1].txt - [5435 bytes] - [07/07/2015 15:06:10]
AdwCleaner[R2].txt - [1233 bytes] - [07/07/2015 15:41:58]
AdwCleaner[R3].txt - [1294 bytes] - [07/07/2015 16:02:19]
AdwCleaner[R4].txt - [1532 bytes] - [08/07/2015 09:07:18]
AdwCleaner[S0].txt - [4779 bytes] - [07/07/2015 12:16:26]
AdwCleaner[S1].txt - [5146 bytes] - [07/07/2015 15:06:57]
AdwCleaner[S2].txt - [1362 bytes] - [07/07/2015 16:03:01]
AdwCleaner[S3].txt - [1463 bytes] - [08/07/2015 09:08:02]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S3].txt - [1522  bytes] ##########




