Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Having some issues with a redirect virus/malware on my PC.


  • Please log in to reply
15 replies to this topic

#1 Bluefin13

Bluefin13

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 07 September 2015 - 01:30 PM

Good Afternoon,

 

 

Recently I made the mistake of hitting a bad download link and now I have some issues with my PC.

 

A few fuax programs like PC cleaning software and crossbrowse was installed. Macafee seemed like it took care of all problems in the PC itself, but as soon as I log into the internet, I get redirected to various websites that are definitely not legitimate.

 

I used your services years ago, and I'm hoping you can help me out once again. Thanks in advance.



BC AdBot (Login to Remove)

 


#2 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:05 PM

Posted 07 September 2015 - 02:28 PM

 Hello Bluefin13 and welcome back,

 

Please download Rkill to your Desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe
http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/
 

§  Double-click on the Rkill desktop icon to run the tool.

§  If using Windows Vista, 7, 8 or 10 right-click on it and choose Run As Administrator.

§  black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.

§  If not, delete the file, then download and use the one provided in Link 2.

§  Do not reboot until instructed.

§  If the tool does not run from any of the links provided, please let me know.

If normal mode still doesn't work, run the tool from Safe Mode.

When the scan is done Notepad will open with rKill log.
Post it in your next reply.

NOTE. rKill.txt log will also be present on your desktop.

------------

 

Please download Malwarebytes Anti-Malware (MBAM) to your desktop.
NOTE. If you already have MBAM 2.0 installed scroll down.

 

§  Double-click mbam-setup-2.x.x.xxxx.exe and follow the prompts to install the program.

§  At the end, be sure a checkmark is placed next to the following:
 

o    Launch Malwarebytes Anti-Malware

o    A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.

 

§  Click Finish.

§  On the Dashboard, click the 'Update Now >>' link

§  After the update completes, on Settings tab, set under Detection and Protection next options: 

1. 'Scan for rootkits'

2. Non-Malware Protection, for 'PUP detections', check, 'Threat detections as malware' option.

§  Return to Dashboard, click the 'Scan Now >>' button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, than click on Yes.


If you already have MBAM 2.0 installed:
 

§  On the Dashboard, click the 'Update Now >>' link.

§  After the update completes, on Settings tab, set under Detection and Protection next options: 

1. 'Scan for rootkits'

2. Non-Malware Protection, for 'PUP detections', check, 'Threat detections as malware' option.

§  Return to Dashboard, click the Scan Now >> button.

§  A Threat Scan will begin.

§  When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.

§  In most cases, a restart will be required.

§  Wait for the prompt to restart the computer to appear, than click on Yes.

§  After the restart once you are back at your desktop, open MBAM once more.

§  Click on the History tab > Application Logs.

§  Double click on the Scan Log which shows the Date and time of the scan just performed.

§  Click 'Export'.

§  Click 'Copy to Clipboard'

§  Paste the contents of the clipboard into your reply.

------------

 

Please download AdwCleaner by Xplode onto your desktop.

§  Close all open programs and internet browsers.

§  Double click on adwcleaner.exe to run the tool.

§  In EULA window click I agree.

§  In Options uncheck Reset Winsock settings.

§  Click on Scan button.

§  When the scan has finished click on Cleaning button.

§  Your computer will be rebooted automatically. A text file will open after the restart.

§  Please post the contents of that logfile with your next reply.

§  You can find the logfile at C:\AdwCleaner[C1].txt as well.

---------

 

Please download Junkware Removal Tool to your desktop.

§  Shut down your protection software now to avoid potential conflicts.

§  Run the tool by double-clicking it. If you are using Windows Vista, 7, 8 or 10; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".

§  The tool will open and start scanning your system.

§  Please be patient as this can take a while to complete depending on your system's specifications.

§  On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

§  Post the contents of JRT.txt into your next message.

---------------


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#3 Bluefin13

Bluefin13
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 07 September 2015 - 09:34 PM

Hello again,

 

Here is Rkill:

 

 

Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html
 
Program started at: 09/07/2015 05:40:59 PM in x64 mode.
Windows Version: Windows 10 Home
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Active Proxy Server Detected
 
 * Proxy Disabled.
 * ProxyOverride value deleted.
 * ProxyServer value deleted.
 * AutoConfigURL value deleted.
 * Proxy settings were backed up to Registry file.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Backup Registry file created at:
 C:\Users\Chris\Desktop\rkill\rkill-09-07-2015-05-41-02.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity:
 
 * No issues found.
 
Searching for Missing Digital Signatures:
 
 * No issues found.
 
Checking HOSTS File:
 
 * No issues found.
 
Program finished at: 09/07/2015 05:49:11 PM
Execution time: 0 hours(s), 8 minute(s), and 12 seconds(s)

Malwarebytes:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 9/7/2015
Scan Time: 7:35 PM
Logfile: mlb.txt
Administrator: Yes
 
Version: 2.1.8.1057
Malware Database: v2015.09.07.04
Rootkit Database: v2015.08.16.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Chris
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 399580
Time Elapsed: 1 hr, 4 min, 27 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 7
PUP.Optional.TVTime, C:\ProgramData\yxMTklX\QEruPKJw.exe, 2740, Delete-on-Reboot, [bf5168c58a01ca6cfd92932caf520cf4]
Trojan.Downloader, C:\Program Files (x86)\Windows Discount\FindingDiscount\findingdiscount.exe, 3492, Delete-on-Reboot, [fa168ba2593249eddc553e4752b0659b]
PUP.Optional.MultiPlug, C:\Program Files (x86)\4C4C4544-1441552465-3810-8058-CAC04F315731\hnskBFA9.tmp, 2628, Delete-on-Reboot, [fa16b87586056bcb7e6b851b9272f40c]
PUP.Optional.MultiPlug, C:\Program Files (x86)\4C4C4544-1441552465-3810-8058-CAC04F315731\jnsbA9FC.tmp, 2272, Delete-on-Reboot, [fa16b87586056bcb7e6b851b9272f40c]
PUP.Optional.MultiPlug, C:\Program Files (x86)\4C4C4544-1441552465-3810-8058-CAC04F315731\knsm561F.tmp, 11852, Delete-on-Reboot, [fa16b87586056bcb7e6b851b9272f40c]
PUP.Optional.FindingDiscount, C:\Program Files (x86)\Windows Discount\FindingDiscount\findingdiscount.exe, 3492, Delete-on-Reboot, [6ba572bb27646acc9a57c74314ef758b]
PUP.Optional.RuntimeManager, C:\Program Files (x86)\Windows NT\Accessories\RuntimeManager\runtimemanager.exe, 2620, Delete-on-Reboot, [fa16cd6059327cba66b778a10201758b]
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 60
PUP.Optional.TVTime, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\QEruPKJw, Quarantined, [bf5168c58a01ca6cfd92932caf520cf4],
PUP.Optional.WebSteroids, HKLM\SOFTWARE\CLASSES\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}, Quarantined, [a769a08dd0bbc27433e18a57ba483ec2],
PUP.Optional.WebSteroids, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}, Quarantined, [a769a08dd0bbc27433e18a57ba483ec2],
PUP.Optional.WebSteroids, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}, Quarantined, [a769a08dd0bbc27433e18a57ba483ec2],
PUP.Optional.DynConIE, HKLM\SOFTWARE\CLASSES\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [e9272d00eaa1b87e4debcb0fde248779],
PUP.Optional.DynConIE, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [e9272d00eaa1b87e4debcb0fde248779],
PUP.Optional.DynConIE, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}, Quarantined, [e9272d00eaa1b87e4debcb0fde248779],
PUP.Optional.ConsumerInput, HKU\S-1-5-18\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}, Quarantined, [35dbf33a9cef94a28225865312f09b65],
PUP.Optional.ConsumerInput, HKU\S-1-5-21-1978478827-3592529394-3494081741-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{B49699FC-1665-4414-A1CB-C4A2A4A13EEC}, Quarantined, [35dbf33a9cef94a28225865312f09b65],
PUP.Optional.MultiPlug, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\totyseku, Quarantined, [fa16b87586056bcb7e6b851b9272f40c],
PUP.Optional.MultiPlug, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\jimocoso, Quarantined, [fa16b87586056bcb7e6b851b9272f40c],
PUP.Optional.MultiPlug, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\tyxobiji, Quarantined, [fa16b87586056bcb7e6b851b9272f40c],
PUP.Optional.FlashBeat, HKLM\SOFTWARE\Flashbeat, Quarantined, [37d976b7761551e50245345bfd07b24e],
PUP.Optional.HighDefAction, HKLM\SOFTWARE\HighDefAction, Quarantined, [858b46e76b2046f02bd7019363a1f20e],
PUP.Optional.YorkNewCin, HKLM\SOFTWARE\YorkNewCin, Quarantined, [70a0f73668236cca734d68553cc825db],
PUP.Optional.CinemaPlus, HKLM\SOFTWARE\ARENAHD, Quarantined, [6da39499e4a75cdaae689ee4966ed828],
PUP.Optional.AnyProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\APSnotifierPP1, Delete-on-Reboot, [33dd230a1e6d3600de033e3c6e969d63],
PUP.Optional.AnyProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\APSnotifierPP2, Delete-on-Reboot, [d13f260715766ec8d9081862eb199c64],
PUP.Optional.AnyProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\APSnotifierPP3, Delete-on-Reboot, [977949e4a4e749ed9b460a708f758878],
PUP.Optional.MyPCBackup, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\LaunchPreSignup, Delete-on-Reboot, [3ed22706becdcb6bbad43170778d42be],
 
Adware cleaner:
 
# AdwCleaner v5.006 - Logfile created 07/09/2015 at 22:00:54
# Updated 06/09/2015 by Xplode
# Database : 2015-09-07.1 [Server]
# Operating system : Windows 10 Home  (x64)
# Username : Chris - CHRISPC
# Running from : C:\Users\Chris\Downloads\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum
 
***** [ Services ] *****
 
[-] Service Deleted : bsdriver
[-] Service Deleted : RuntimeManager
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Program Files (x86)\globalUpdate
[-] Folder Deleted : C:\Program Files (x86)\predm
[-] Folder Deleted : C:\Program Files (x86)\DailyPcClean Support
[-] Folder Deleted : C:\ProgramData\Browser
[-] Folder Deleted : C:\ProgramData\28341ff220e0446c9fff27c4493d622e
[-] Folder Deleted : C:\Users\Chris\AppData\Local\globalUpdate
[-] Folder Deleted : C:\Users\Chris\AppData\Local\SmartWeb
[-] Folder Deleted : C:\Users\Chris\AppData\LocalLow\{D2020D47-707D-4E26-B4D9-739C4F4C2E9A}
 
***** [ Files ] *****
 
[-] File Deleted : C:\END
[-] File Deleted : C:\Program Files\Common Files\System\SysMenu.dll
[-] File Deleted : C:\Program Files\Common Files\System\SysMenu64.dll
 
***** [ Shortcuts ] *****
 

***** [ Scheduled tasks ] *****
 
[-] Task Deleted : YTDownloader
[-] Task Deleted : YTDownloaderUpd
[-] Task Deleted : Microsoft\Windows\Multimedia\SMupdate3
[-] Task Deleted : Microsoft\Windows\Maintenance\SMupdate2
[-] Task Deleted : runTask
[-] Task Deleted : updateTask
 
***** [ Registry ] *****
 
[-] Key Deleted : HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SysMenuExt
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\SysMenu.DLL
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D813D5BB-EBC7-45F9-B8A4-36A305168069}
[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{425F4ABF-B8E4-402D-9E49-06E494EB8DBF}
[-] Key Deleted : HKCU\Software\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7D8DAE88-BC05-4578-8C29-E541FFBA5757}
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{14EF423E-3EE8-44AE-9337-07AC3F27B744}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5645E0E7-FC12-43BF-A6E4-F9751942B298}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C7BF8F4B-7BC7-4F42-B944-3D28A3A86D8A}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{020B1D4B-5738-4C77-9E19-4F173DD9B486}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{9C4EFBD5-1ADF-41E6-BE26-AF44326E30E4}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{A9582D7B-F24A-441D-9D26-450D58F3CD17}
[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{EE0D8859-2ED4-4B0D-9812-16865B9AFD65}
[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\Compete
[-] Key Deleted : HKCU\Software\GlobalUpdate
[-] Key Deleted : HKCU\Software\Tutorials
[-] Key Deleted : HKCU\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[-] Key Deleted : HKCU\Software\DAILYPCCLEAN
[-] Key Deleted : HKLM\SOFTWARE\AppDataLow\SOFTWARE\_CrossriderRegNamePlaceHolder_
[-] Key Deleted : HKLM\SOFTWARE\GlobalUpdate
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}
[!] Key Not Deleted : [x64] HKCU\Software\GlobalUpdate
[!] Key Not Deleted : [x64] HKCU\Software\Tutorials
[!] Key Not Deleted : [x64] HKCU\Software\{3BDFD1D7-7A9B-4D29-80B3-D00E66E62885}
[!] Key Not Deleted : [x64] HKCU\Software\DAILYPCCLEAN
[-] Key Deleted : [x64] HKLM\SOFTWARE\YTDownloader
[!] Key Not Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\Compete
[!] Key Not Deleted : HKU\S-1-5-18\Software\AppDataLow\Software\Compete
 
***** [ Web browsers ] *****
 

*************************
 

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [4204 bytes] ##########
 
And finally Junkware removal:
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.0 (08.31.2015:1)
OS: Windows 10 Home x64
Ran by Chris on Mon 09/07/2015 at 22:25:51.22
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 

~~~ Services
 
 
 
~~~ Tasks
 
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\runTask
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\SCTEBKIRFTQFWIPF
Successfully deleted: [Task] C:\WINDOWS\system32\tasks\updateTask
Successfully deleted: [Task] C:\WINDOWS\Tasks\SCTEBKIRFTQFWIPF.job
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{81AD3846-D70B-4686-AC8E-E5F7912B65B3}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] C:\Users\Chris\Appdata\Local\installer
Successfully deleted: [Folder] C:\Users\Chris\Appdata\Local\tvtime
Successfully deleted: [Folder] C:\Users\Chris\Appdata\LocalLow\company
Successfully deleted: [Folder] C:\Users\Chris\Documents\add-in express
Successfully deleted: [Folder] C:\WINDOWS\system32\abis
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 09/07/2015 at 22:27:59.29
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Hope this helps.



#4 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:05 PM

Posted 08 September 2015 - 02:00 AM

Do you still get redirected?


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#5 Bluefin13

Bluefin13
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 08 September 2015 - 05:58 AM

Yes, there is still some issues of being redireted. I am still seeing some of the hidden ads that send me to other links. Some  the links are displaying ads saying "Powered by Superba" if that helps.



#6 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:05 PM

Posted 08 September 2015 - 07:38 AM

ESET Online Scanner

§  Click here to download the installer for ESET Online Scanner and save it to your Desktop.

§  Disable all your antivirus and antimalware software - see how to do that here.

§  Right click on esetsmartinstaller_enu.exe and select Run as Administrator.

§  Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.

§  Select Enable detection of potentially unwanted applications.

§  Click Advanced Settings, then place a checkmark in the following:

o    Remove found threats

o    Scan archives

o    Scan for potentially unsafe applications

o    Enable Anti-Stealth technology

§  Click Start to begin scanning.

§  ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.

§  When the scan is done, click List threats (only available if ESET Online Scanner found something).

§  Click Export, then save the file to your desktop.

Click Back, then Finish to exit ESET Online Scanner.

------

 

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).

  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Malware Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.

I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#7 Bluefin13

Bluefin13
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 09 September 2015 - 05:18 PM

Hello again,

 

ESET:

 

C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R003Z57.exe a variant of MSIL/Adware.Imali.C application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R2DQJD8.exe a variant of Win32/SBWatchman.G potentially unwanted application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R5B4YWR.tmp a variant of Win32/Agent.RLD trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R5LPA29.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R6PURMN.exe a variant of MSIL/Adware.Imali.C application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R885KBF.exe MSIL/MyPCBackup.G potentially unwanted application deleted - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R9J8E6W.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RAV9T8I.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RAVFO5F.exe a variant of Win32/SpeedBit.G potentially unwanted application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RBYL7BZ.exe a variant of MSIL/Adware.Imali.C application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RC2QSGB.exe a variant of Win32/ShopperPro.A potentially unwanted application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RFQS410.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RGGIXJF.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RHMHINH.tmp a variant of Win32/Adware.ConvertAd.YO.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RNBKCAV.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RNIAC85.tmp a variant of Win32/Adware.ConvertAd.YO.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RO9FJX2.dll a variant of Win32/SpeedBit.F potentially unwanted application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$ROJ8A43.exe a variant of Win32/SBWatchman.F potentially unwanted application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RP9LB78.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RPL53WU.exe a variant of MSIL/Adware.Imali.C application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RQCKG5G.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RQYR0QC.exe a variant of Win32/Downloader.Agent.AS potentially unwanted application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RW000W6.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RW1GMDT.exe a variant of MSIL/Adware.Imali.C application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RZJF9J6.tmp a variant of Win32/Adware.ConvertAd.XD.gen application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R35O40N\ioproduct.exe Win32/Agent.RLD trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R35O40N\ioprotect.exe a variant of Win32/Agent.RLD trojan cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$R7PDW0R\swf\swfxi.swf Win32/AnyProtect.H potentially unwanted application deleted - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RHM8MJV\newversion.exe multiple threats cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RRXUST9\Extracted\adv_35.exe Win32/Toolbar.Conduit.R potentially unwanted application cleaned by deleting - quarantined
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RS46I0C.tmp\TutoMultiofferUS.exe multiple threats cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Program Files\Common Files\System\SysMenu.dll.vir a variant of Win32/SpeedBit.F potentially unwanted application cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\CPQOSMWD\BiTool[1].dll a variant of Win32/Somoto.K potentially unwanted application cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\CPQOSMWD\policyname[1].exe a variant of Win32/Adware.ConvertAd.YM.gen application cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\CPQOSMWD\Setup[1].exe a variant of Win32/ClientConnect.A potentially unwanted application cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\M09ES1PX\spstub[2].exe a variant of Win32/ClientConnect.A potentially unwanted application cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\SJYOY0HR\AnyProtect[1].exe Win32/AnyProtect.H potentially unwanted application cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\SJYOY0HR\offer_7948[1].exe multiple threats cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\SJYOY0HR\SilentInstaller_dotnet4[1].exe a variant of MSIL/Adware.Imali.C application cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\XMSGRQUJ\setup[1].exe Win32/Somoto.G potentially unwanted application deleted - quarantined
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\XMSGRQUJ\setup_gmsd_us[1].exe a variant of Win32/Adware.EoRezo.AZ application cleaned by deleting - quarantined
C:\Users\Chris\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\P83AFH1Y\landing[2].htm HTML/FakeAlert.AK trojan cleaned by deleting - quarantined
C:\Users\Chris\Downloads\ccsetup509.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Windows.old\Users\Chris\AppData\Local\Temp\is360511915\687BF062_stp.MSI a variant of Win32/Systweak.L potentially unwanted application deleted - quarantined​

 

EMSISOFT:

 

Emsisoft Emergency Kit - Version 10.0
Last update: 9/9/2015 5:13:14 PM
User account: CHRISPC\Chris
 
Scan settings:
 
Scan type: Malware Scan
Objects: Rootkits, Memory, Traces, Files
 
Detect PUPs: On
Scan archives: Off
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off
 
Scan start: 9/9/2015 5:15:37 PM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ANIGIFPPG.ANIGIFPPG  detected: Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ANIGIFPPG.ANIGIFPPG.1  detected: Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ANIGIFPPG2.ANIGIFPPG2  detected: Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ANIGIFPPG2.ANIGIFPPG2.1  detected: Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\WORDSURFERAUTOUPDATECLIENT_RASAPI32  detected: Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\WORDSURFERAUTOUPDATECLIENT_RASMANCS  detected: Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SU  detected: Application.Toolbar (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR  detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS  detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN  detected: Setting.NoRun (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS  detected: Setting.NoFolderOptions (A)
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RESXWY9.exe  detected: Gen:Variant.Adware.Graftor.232803 (B)
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\CPQOSMWD\DGChecker[1].exe  detected: Trojan.GenericKD.2702306 (B)
 
Scanned 78321
Found 13
 
Scan end: 9/9/2015 5:21:58 PM
Scan time: 0:06:21
 
C:\Users\Chris\AppData\Local\Microsoft\Windows\INetCache\IE\CPQOSMWD\DGChecker[1].exe Quarantined Trojan.GenericKD.2702306 (B)
C:\$Recycle.Bin\S-1-5-21-1978478827-3592529394-3494081741-1001\$RESXWY9.exe Quarantined Gen:Variant.Adware.Graftor.232803 (B)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS Quarantined Setting.NoFolderOptions (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN Quarantined Setting.NoRun (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS Quarantined Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR Quarantined Setting.DisableTaskMgr (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SU Quarantined Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\WORDSURFERAUTOUPDATECLIENT_RASMANCS Quarantined Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\WORDSURFERAUTOUPDATECLIENT_RASAPI32 Quarantined Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ANIGIFPPG2.ANIGIFPPG2.1 Quarantined Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ANIGIFPPG2.ANIGIFPPG2 Quarantined Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ANIGIFPPG.ANIGIFPPG.1 Quarantined Application.Toolbar (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ANIGIFPPG.ANIGIFPPG Quarantined Application.Toolbar (A)
 
Quarantined 13
 
Still getting redirected at this point in time.



#8 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:05 PM

Posted 10 September 2015 - 01:27 AM

Which browser do you use?

 

Can you try to use some other?

 

If you use Chrome:

Click on "Customize and control Google Chrome":
Click "Settings" then "Show advanced settings" at the bottom of the screen.
Click "Reset browser settings" button.
Restart Chrome.

 


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#9 Bluefin13

Bluefin13
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 10 September 2015 - 05:16 PM

I am currently using Edge.

 

I reset everything and it looks like the problems have disappeared for the time being. I cannot tell if the PC was okay due to the browser changes or due to the PC being shut off after all the scans, but it seems okay now.



#10 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:05 PM

Posted 11 September 2015 - 12:43 AM

OK. Tell me if you have problems. 

 

If not:

 

Empty your temp folders using TFC (Temporary File Cleaner)

§  Please download TFC by Old Timer and save it to your desktop.
alternate download link

§  Save any unsaved work. (TFC will close ALL open programs including your browser!)

§  Double-click on TFC.exe to run it. (If you are using Vista or above, right-click on the file and choose "Run As Administrator".)

§  Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

§  Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

---------

 

This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download  DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

§  Activate UAC (optional; some users prefer to keep it off)

§  Remove disinfection tools

§  Create registry backup

§  Purge System Restore

Now click "Run" and wait patiently.
Once finished, a logfile will be created. You don't have to attach it to your next reply.


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#11 Bluefin13

Bluefin13
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 11 September 2015 - 09:37 PM

I was able to run TFC, however I cannot get Delfix to work. It repeatedly states that it could not be downloaded.



#12 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:05 PM

Posted 12 September 2015 - 02:03 AM

OK. I think that DelFix doesn't support Win 10. 

You can manually delete tools which we have used. 


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#13 Bluefin13

Bluefin13
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 13 September 2015 - 09:57 AM

OKay, I removed all of the programs. However, i noticed that my PC is not allowing 3rd party programs (iTunes, sketchup, etc, etc) to connect to the internet. Is this a possible affect from one of the programs here? If so, how do I rectify that?



#14 severac

severac

  • Members
  • 872 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Serbia
  • Local time:05:05 PM

Posted 13 September 2015 - 10:09 AM

Are you using some firewall?

 

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:

§  Flush DNS

§  Report IE Proxy Settings

§  Reset IE Proxy Settings

§  Report FF Proxy Settings

§  Reset FF Proxy Settings

§  List IP configuration

§  List Winsock Entries

§  List last 10 Event Viewer log

§  List Installed Programs

Click Go and post the result (MTB.txt). A copy of MTB.txt will be saved in the same directory the tool is run.

-------

 

Download Security Check from here or here and save it to your Desktop.

§  Double-click SecurityCheck.exe

§  Follow the onscreen instructions inside of the black box.

§  Notepad document should open automatically called checkup.txt; please post the contents of that document.

-------


I would like to help you to remove malware. Let's look inside.   :busy:

But I don't know to solve all PC problems.  :smash: 

 


#15 Bluefin13

Bluefin13
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:11:05 AM

Posted 14 September 2015 - 08:49 PM

Neither one of them are compatible with Win10 it seems. I already reset Proxy, checked IPs, and did the basics. I also have Macafee but allowed programs to run through firewall and tried it disabled with no luck.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users