
overrun with viruses


This topic is locked
13 replies to this topic

#1 Dave Clark

Dave Clark

  • Members
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tenerife
  • Local time:02:27 PM

Posted 27 October 2015 - 08:32 AM

Hi
Was trying to rectify a problem on my computer and downloaded a tool from what I thought was a genuine site!
I've run my Mbam, which found loads of nasties, then ran JRT, which couldn't create a restore point, but when continuing a virus then knocked out all my 3 search engines, and when I clicked on any one of them the computer whited out and hung. I want to validate my copy of Windows, which seemingly was not genuine, and I don't know how long I've got before MS starts causing problems. I've been running my W7 for over 2 years.

Regards

Dave
 
 

 





 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 31 October 2015 - 10:16 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

ATTENTION: System Restore is disabled

How to: Turn System Restore ON or OFF - Windows
http://windows.microsoft.com/en-ca/windows/turn-system-restore-on-off#1TC=windows-7

Turn it ON.
++++++++++++++


Press the Windows key + R on your keyboard at the same time. This will open the RUN box.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.oursurfing.com/?type=hp&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.oursurfing.com/web/?type=ds&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f&q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.oursurfing.com/?type=hp&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://www.oursurfing.com/web/?type=ds&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f&q={searchTerms}
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.oursurfing.com/web/?type=ds&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f&q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.oursurfing.com/web/?type=ds&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f&q={searchTerms}
SearchScopes: HKLM-x32 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = hxxp://www.oursurfing.com/web/?type=ds&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f&q={searchTerms}
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} -  No File
FF DefaultSearchEngine: Google (avast)
FF DefaultSearchUrl: hxxps://www.google.com/search/?trackid=sp-006
FF SearchEngineOrder.1: Google (avast)
FF Keyword.URL: hxxps://www.google.com/search/?trackid=sp-006
FF Homepage: hxxp://www.oursurfing.com/?type=hp&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f
FF NewTab: hxxp://www.oursurfing.com/newtab/?type=nt&ts=1445940195&z=f30979f3413b2805a358702gez7z6w0tez1e8g3t5w&from=amt&uid=samsungxssdx840xevox120gb_s1d5nead703894f
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
FF SearchPlugin: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ufqovs35.default\searchplugins\google-avast.xml [2014-12-20]
FF SearchPlugin: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ufqovs35.default\searchplugins\oursurfing.xml [2015-10-27]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-03-18]
S2 segusefe; C:\Program Files (x86)\52DF2A80-1445940312-11DD-A6B2-74D02B9D8534\jnso4CB9.tmp [X]
S2 swsesrvc_1.10.0.25; "C:\Program Files (x86)\SwiftSearch_1.10.0.25\Service\swsesrvc.exe" [X]
S2 xufyqike; C:\Users\admin\AppData\Local\52DF2A80-1445940366-11DD-A6B2-74D02B9D8534\snsuF808.tmp [X]
R1 swsedrvr_vt_1_10_0_25; C:\Windows\System32\drivers\swsedrvr_vt_1_10_0_25.sys [61304 2015-09-22] (SS)
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
CustomCLSID: HKU\S-1-5-21-934390965-3278854713-3396523229-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\admin\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-934390965-3278854713-3396523229-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\admin\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-934390965-3278854713-3396523229-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\admin\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-934390965-3278854713-3396523229-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\admin\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
ATTENTION: System Restore is disabled
Task: {573A0E5E-ED07-4C7A-B1AD-A4F24DC9600C} - System32\Tasks\SwiftSearch Auto Updater 1.10.0.25 Core => C:\Program Files (x86)\SwiftSearch_1.10.0.25\Update\SwiftSearchAutoUpdateClient.exe <==== ATTENTION
Task: {799794C1-D0AA-428E-A07B-0C7B4F489B99} - System32\Tasks\Qgjqkrwey => Rundll32.exe "C:\Windows\SysWOW64\BRLMW03A4.dll",chpjnzihiz
Task: {D98EF839-B3A7-4554-A83C-AD44AFE410AD} - System32\Tasks\avastBCLRestartS-1-5-21-934390965-3278854713-3396523229-1000 => Chrome.exe
Task: {EAFFDDF9-FD9E-476B-96BA-D65617DD108F} - System32\Tasks\SwiftSearch Auto Updater 1.10.0.25 Pending Update => C:\Program Files (x86)\SwiftSearch_1.10.0.25\Update\SwiftSearchAutoUpdateClient.exe <==== ATTENTION
Task: C:\Windows\Tasks\Qgjqkrwey.job => C:\Windows\system32\rundll32.exe0 C:\Windows\SysWOW64\BRLMW03A4.dll
C:\Program Files (x86)\SwiftSearch_1.10.0.25
C:\Windows\SysWOW64\BRLMW03A4.dll
C:\Windows\System32\drivers\swsedrvr_vt_1_10_0_25.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

How is the computer running now?
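The fixlist above removes a hijacked IE start page, replaced SearchScopes entries in both registry views, and scheduled tasks that launch a randomly named DLL through rundll32. As an added example (not part of the thread and not FRST's own code), this PowerShell script re-checks those three places on a Windows host and reports anything that points off an allow-list of search hosts or at an unsigned DLL; the allow-list, the English column names from schtasks, and the rundll32 pattern are assumptions.

```powershell
# Added example, not from the thread or from FRST: audit the IE start/search
# settings and rundll32 scheduled tasks that the fixlist above targets.
# Run from an elevated PowerShell prompt; read-only, nothing is changed.

# Hosts your users are expected to use for a start/search page (assumption).
$allowedHosts = @('www.google.com', 'www.google.co.uk', 'google.co.uk', 'www.bing.com')

$mainKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main'
)
# The four values the FRST log showed rewritten to the hijacker's site.
$mainValues = 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL'

function Test-AllowedUrl {
    param([string]$Url)
    try { $h = ([uri]$Url).Host } catch { return $false }
    if (-not $h) { return $false }
    return ($allowedHosts -contains $h.ToLower())
}

$report = @()

# 1. IE Main values in the 64-bit, 32-bit and per-user views.
foreach ($key in $mainKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($v in $mainValues) {
        $url = $props.$v
        if ($url -and -not (Test-AllowedUrl $url)) {
            $report += [pscustomobject]@{ Source = "$key\$v"; Value = $url; Reason = 'host not on allow-list' }
        }
    }
}

# 2. SearchScopes: each subkey is a provider GUID carrying a URL value. In the
#    thread the DefaultScope GUID pointed at the hijacker in HKLM and HKLM-x32.
$scopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($root in $scopeRoots) {
    foreach ($scope in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $url = (Get-ItemProperty -Path $scope.PSPath).URL
        if ($url -and -not (Test-AllowedUrl $url)) {
            $report += [pscustomobject]@{ Source = $scope.PSPath; Value = $url; Reason = 'search scope host not on allow-list' }
        }
    }
}

# 3. Scheduled tasks whose action is rundll32 loading a DLL. The Qgjqkrwey
#    task in the log ran a random-named DLL from SysWOW64 this way; a DLL
#    without a valid Authenticode signature is worth a closer look.
#    Column names assume an English schtasks locale.
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv
foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)"?') {
        $dll = $Matches[2]
        $sig = Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.Status -ne 'Valid') {
            $report += [pscustomobject]@{ Source = $t.TaskName; Value = $cmd; Reason = "rundll32 DLL not validly signed ($dll)" }
        }
    }
}

if ($report.Count -eq 0) { Write-Host 'No off-list start/search URLs or unsigned rundll32 tasks found.' }
else { $report | Format-Table -AutoSize -Wrap }
```

A legitimate search provider missing from the allow-list will be reported too; treat the output as a worklist to review, not as a verdict.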

#3 Dave Clark

Dave Clark
  • Topic Starter

  • Members
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tenerife
  • Local time:02:27 PM

Posted 31 October 2015 - 12:17 PM

Hi Nasdaq

Many thanks for coming to my aid.

Unfortunately as I couldn't search the internet properly I googled to see how to remove the oursurfing malware and I downloaded and ran the AdwareCleaner program which did seem to remove it. I've tried to carry out your instructions but without success. 

I ran FRST as per your instructions but the program froze and also the computer, the start button also disappeared! I had to manually restart and I tried again but with the same result. I then tried the AdwCleaner but after finding 4 bits of malware I pressed the Clean button and both AdwCleaner and the computer froze again!

 

The computer is running better since I got rid of oursurfing, but I've still got problems surfing the internet. I have Chrome, Firefox & IE and all of them react in the same way. When I try to search the internet from the Home box it switches up to a search box top left of the screen, but then nothing happens 9 times out of 10. This is so frustrating. Also surfing the internet from my bookmarks is much slower: the circle rotates anticlockwise for ages, then the no internet box appears, then suddenly the page will load. Again, this is frustrating.

 

Dave



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 31 October 2015 - 01:32 PM

Were you able to set the System Restore to ON?

If not, then remove this line (command) from the Fixlist.txt file and save the file.

Did you place the Fixlist.txt file in the folder in bold?
C:\Users\admin\Desktop
Both the program and the Fixlist file must be in the same folder.

Run the FRST tool and click the fix button.

===

If some of the problems are still persisting continue.

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
autoclean;
emptyalltemp;
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

#5 Dave Clark

Dave Clark
  • Topic Starter

  • Members
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tenerife
  • Local time:02:27 PM

Posted 01 November 2015 - 06:06 AM

Hi Nasdaq

Mixed success again,

The system restore was ON but set at restore data only.

The FRST and the fixlist.txt were both on the desktop. I tried running FRST again, but after 1/2 hr nothing seemed to be happening; the blue status bar wasn't moving. I clicked on the program box and a message appeared saying FRST was not responding. The computer was also completely hung up and I restarted manually. How long should I have left it, as it seemed to be doing nothing?

 

Your link to the Zoek file doesn't work but I found it on your site and below is the logfile.

 

I still have the same problem with the search on my web browsers as detailed in my post above

 

Kind Regards

 

Dave

 

 Zoek.exe v5.0.0.1 Updated 29-October-2015

Tool run by admin on 01/11/2015 at  9:09:40.51.
Microsoft Windows 7 Ultimate  6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\admin\Desktop\zoek (1).exe [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
01/11/2015 09:11:36 Zoek.exe System Restore Point Created Successfully.
 
==== Empty Folders Check ======================
 
C:\PROGRA~2\52DF2A80-1445940312-11DD-A6B2-74D02B9D8534 deleted successfully
C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\Users\admin\AppData\Roaming\Opera deleted successfully
C:\Users\admin\AppData\Roaming\Opera Software deleted successfully
C:\Users\admin\AppData\Roaming\Vso deleted successfully
C:\Users\admin\AppData\Local\calibre-cache deleted successfully
C:\Users\admin\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\admin\AppData\Local\EmieSiteList deleted successfully
C:\Users\admin\AppData\Local\EmieUserList deleted successfully
C:\Users\admin\AppData\Local\Opera Software deleted successfully
 
==== Deleting CLSID Registry Keys ======================
 
 
==== Deleting CLSID Registry Values ======================
 
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
ProfilePath: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ufqovs35.default
 
user.js not found
---- Lines surfing removed from prefs.js ----
user_pref("browser.search.defaultenginename", "oursurfing");
---- Lines quick_start removed from prefs.js ----
user_pref("browser.newtab.url", "chrome://quick_start/content/index.html");
user_pref("extensions.quick_start.enable_search1", false);
user_pref("extensions.quick_start.sd.closeWindowWithLastTab_prev_state", false);
---- FireFox user.js and prefs.js backups ---- 
 
prefs_112015_0954_.backup
 
ProfilePath: C:\Users\admin\AppData\Roaming\Thunderbird\Profiles\23g1sacs.default
 
user.js not found
---- FireFox user.js and prefs.js backups ---- 
 
prefs_112015_0954_.backup
 
ProfilePath: C:\Users\admin\AppData\Roaming\TomTom\HOME\Profiles\pir6a8vv.default
 
user.js not found
---- FireFox user.js and prefs.js backups ---- 
 
prefs_112015_0954_.backup
 
==== Batch Command(s) Run By Tool======================
 
 
==== Deleting Files \ Folders ======================
 
C:\PROGRA~2\52DF2A80-1445940312-11DD-A6B2-74D02B9D8534 not found
C:\PROGRA~2\AGEIA Technologies not found
C:\Users\admin\AppData\Roaming\calibre deleted
C:\Users\admin\AppData\Local\32727 deleted
C:\Users\admin\AppData\Roaming\pcouffin.log deleted
C:\Users\admin\AppData\Local\52DF2A80-1445940366-11DD-A6B2-74D02B9D8534 deleted
C:\windows\SysNative\Tasks\avastBCLRestartS-1-5-21-934390965-3278854713-3396523229-1000 deleted
C:\END deleted
C:\Users\admin\Documents\Updater deleted
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ufqovs35.default\searchplugins\google-avast.xml deleted
"C:\Users\admin\AppData\Local\{152C7D79-F30D-4D45-A221-EA877085780E}" deleted
"C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ufqovs35.default\searchplugins\oursurfing.xml" deleted
 
==== Firefox Start and Search pages ======================
 
ProfilePath: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ufqovs35.default
user_pref("browser.startup.homepage", "https://www.google.co.uk/");
user_pref("browser.search.defaulturl", "https://www.google.com/search/?trackid=sp-006");
user_pref("browser.search.defaultengine", "Google (avast)");
user_pref("browser.search.selectedEngine", "Google");
 
==== Firefox Extensions Registry ======================
 
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{F003DA68-8256-4b37-A6C4-350FA04494DF}"="C:\Program Files\Logitech\SetPointP\LogiSmoothFirefoxExt" [15/10/2015 20:49]
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ufqovs35.default
- Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF
- ChatZilla - %ProfilePath%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}
- FireFTP - %ProfilePath%\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}
- FireFTP button - %ProfilePath%\extensions\{9BAE5926-8513-417d-8E47-774955A7C60D}.xpi
 
ProfilePath: C:\Users\admin\AppData\Roaming\TomTom\HOME\Profiles\pir6a8vv.default
- Map status indicator - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\MapShare-status@tomtom.com
- TomTom HOME default theme - C:\Program Files (x86)\TomTom HOME 2\xul\extensions\baseTheme@tomtom.com
- Emulator - %ProfilePath%\extensions\Navcore.9.510.1234792@tomtom.com
 
AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
- avast Ad Blocker - %AppDir%\extensions\adblocker@avast.com.xpi
 
==== Firefox Plugins ======================
 
Profilepath: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\ufqovs35.default
18CF51689186AEB9D1D149AEB0E92D03 - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL - Microsoft Office 2013
863AF0003392FEBC2667A8A790DED955 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_226.dll - Shockwave Flash
7D127425BBE91DF37448A7F44C1DDA52 - C:\Users\admin\AppData\Local\Google\Update\1.3.28.15\npGoogleUpdate3.dll - Google Update
 
 
==== Chromium Look ======================
 
Google Chrome Version: 46.0.2490.80
 
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
fplhdcjmbpfkejbhngmlngaecbjmoimd - C:\Program Files\AVAST Software\Avast\AdBlocker\Chrome\avast-adblocker-chrome.crx[25/02/2013 09:09]
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[18/03/2015 08:09]
 
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
bbjllphbppobebmjpjcijfbakobcheof - No path found[]
 
 
==== Chromium Fix ======================
 
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_c.betrad.com_0.localstorage deleted successfully
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_c.betrad.com_0.localstorage deleted successfully
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d30ke5tqu2tkyx.cloudfront.net_0.localstorage deleted successfully
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://google.co.uk/"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page Redirect Cache"="http://www.google.com"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
"Start Page Redirect Cache"="http://www.google.com"
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://google.co.uk/"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google  Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IESR02"
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-934390965-3278854713-3396523229-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFCB3198-32F3-4E8B-9539-4324694ED663} deleted successfully
HKEY_USERS\S-1-5-21-934390965-3278854713-3396523229-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FFCB3198-32F3-4E8B-9539-4324694ED663} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{FFCB3198-32F3-4E8B-9539-4324694ED663} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{FFCB3198-32F3-4E8B-9539-4324694ED663} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCB3198-32F3-4E8B-9539-4324694ED663} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFCB3198-32F3-4E8B-9539-4324694ED663} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\FFPDFArchitectConverter@pdfarchitect.com deleted successfully
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{6A206A04-6BC1-411B-AA04-4E52EDEEADF2} deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{84481A87-2316-4923-8FAB-3BA8CA29323D} deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper deleted successfully
 
==== Empty IE Cache ======================
 
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
 
==== Empty FireFox Cache ======================
 
C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\ufqovs35.default\cache2 emptied successfully
 
==== Empty Chrome Cache ======================
 
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=60 folders=8 3491803 bytes)
 
==== Empty Temp Folders ======================
 
C:\Users\admin\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\Windows\Temp successfully emptied
C:\Users\admin\AppData\Local\Temp successfully emptied
 
==== Empty Recycle Bin ======================
 
C:\$RECYCLE.BIN successfully emptied
 
==== EOF on 01/11/2015 at 10:50:58.80 ======================
 

 



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 01 November 2015 - 08:58 AM

Your link to the Zoek file doesn't work but I found it on your site and below is the logfile

This link is active for me now. It may have been temporary off line.

===

Have you tried this Windows 7 activation check?
http://helpdeskgeek.com/windows-7/check-if-windows-7-is-genuine/

If you get any error message please post the content on your next reply.

#7 Dave Clark

Dave Clark
  • Topic Starter

  • Members
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tenerife
  • Local time:02:27 PM

Posted 01 November 2015 - 10:43 AM

Windows could not be validated as genuine

The validation service couldn't determine whether the copy of Windows that is running on your computer is genuine. Please try to validate Windows again. If you keep getting validation errors, try to again later or contact support.

This is the message I get Nasdaq

But I'm not sure that I want to validate if I'm still riddled with malware and then have to do a fresh install. I still cannot search the Net via any of my 3 browsers. Could you give me an update on my computer's health? Then at least I can validate and not risk it reverting back after a possible reinstall of Windows.

 

Dave

 
 


#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 01 November 2015 - 02:04 PM

Let's check some services.

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

==

p.s.
If you connect your computer directly to the outside line, bypassing the router, can you get a connection?

#9 Dave Clark

Dave Clark
  • Topic Starter

  • Members
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tenerife
  • Local time:02:27 PM

Posted 01 November 2015 - 05:02 PM

Hi Nasdaq

 

Not sure how to connect Computer direct to outside line as the connection is via a normal RJ11 telephone socket into my router then to my computer

I have an internet connection OK and can surf the Web OK, but all browsers will only access web pages through Favourite bookmarks and not through Google search, which is very frustrating and makes me think there must be a setting on the computer operating system which has changed, which affects ALL 3 of my browsers, Chrome, Firefox & IE. Is my computer clean, Nasdaq, so that I can contact Microsoft? And if it is clean, can you point me to where I can sort out my search settings to get back to normal internet searches instead of having to use bookmarks?

 

 

 

 

 

Farbar Service Scanner Version: 26-07-2015
Ran by admin (administrator) on 01-11-2015 at 21:45:36
Running from "C:\Users\admin\Desktop\Latest Malware Help"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is set to Disabled. The default start type is 3.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
 
 
System Restore Policy: 
========================
 
 
Action Center:
============
 
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
 
Action Center Notification Icon =====> Unable to open HKLM\...\ShellServiceObjects\{F56F6FDD-AA9D-4618-A949-C1B91AF43B1A} key. The key does not exist.
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Disabled. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
 
 
File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
 
 
**** End of log ****

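The FSS log above shows three security services switched to Disabled (SDRSVC, wscsvc, WinDefend) and a DisableAntiSpyware=1 value under the Windows Defender key, which is exactly what the next post's "Restore Important Windows Services" and "Remove Policies Set By Infections" repairs address. As an added example (not from the thread, Farbar's tool, or Tweaking.com), this PowerShell script re-checks those findings against the defaults the log itself states and, with -Repair, restores them; the use of Win32_Service for Windows 7 compatibility is an assumption about the host.

```powershell
# Added example, not from the thread or any of the tools it uses: re-check
# the service and policy findings from the FSS log and optionally restore
# the defaults. Run from an elevated PowerShell prompt.
param([switch]$Repair)

# Expected start modes, as stated in the FSS log: SDRSVC default is 3
# (Manual); wscsvc and WinDefend default to Auto.
$expected = @{
    'SDRSVC'    = 'Manual'
    'wscsvc'    = 'Auto'
    'WinDefend' = 'Auto'
}
# The log reported "DisableAntiSpyware"=DWORD:1 under this key. It is a
# policy switch: Defender stays off even after its service is re-enabled.
$policyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$policyName = 'DisableAntiSpyware'

function Get-ServiceFinding {
    param([string]$Name, [string]$ExpectedMode)
    # Win32_Service exposes StartMode on Windows 7; Get-Service.StartType
    # needs PowerShell 5 or later (assumption about the host).
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$Name'"
    if (-not $svc) {
        return [pscustomobject]@{ Service = $Name; StartMode = '(missing)'; Expected = $ExpectedMode; State = '(missing)'; Ok = $false }
    }
    [pscustomobject]@{
        Service   = $Name
        StartMode = $svc.StartMode
        Expected  = $ExpectedMode
        State     = $svc.State
        Ok        = ($svc.StartMode -eq $ExpectedMode)
    }
}

$findings = foreach ($name in $expected.Keys) { Get-ServiceFinding -Name $name -ExpectedMode $expected[$name] }
$findings | Format-Table -AutoSize

$policy = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
$policySet = ($policy -and $policy.$policyName -eq 1)
if ($policySet) {
    Write-Warning "$policyName = 1 is set under $policyKey (Windows Defender disabled by policy)"
}

if ($Repair) {
    foreach ($f in ($findings | Where-Object { -not $_.Ok -and $_.StartMode -ne '(missing)' })) {
        # Set-Service spells the modes Automatic/Manual, unlike WMI's Auto/Manual.
        $type = if ($f.Expected -eq 'Auto') { 'Automatic' } else { 'Manual' }
        Set-Service -Name $f.Service -StartupType $type
        Write-Host "Reset $($f.Service) start type to $type"
    }
    if ($policySet) {
        Remove-ItemProperty -Path $policyKey -Name $policyName
        Write-Host "Removed $policyName policy value"
    }
    # Automatic services only start at the next boot; start them now so
    # Action Center and Defender come back without a reboot.
    foreach ($f in ($findings | Where-Object { $_.Expected -eq 'Auto' -and $_.StartMode -ne '(missing)' })) {
        Start-Service -Name $f.Service -ErrorAction SilentlyContinue
    }
}
```

Where a third-party antivirus (the logs show Avast on this machine) has deliberately turned Windows Defender off, re-enabling it is optional; the Action Center and backup services should be restored regardless.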

#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 02 November 2015 - 08:57 AM

Let's do some repairs.
Do not forget to create a restore point as suggested.

Please Download Tweaking.com - Windows Repair from Here

  • Install and then run the program
  • Execute the instructions on Step 1 (Important)
  • Click Next on Step 2 (Optional), do the Pre Scan, and skip Steps 3 and 4 (Optional) for now.
  • On Step 5 (Backup System Restore) do a Registry backup. When you have completed this, click Next
  • Click on Repairs
  • Click Repairs - Open Repairs in the bottom right corner
  • Click the Unselect All button, then select just the item(s) listed below

  • 01 - Repair Registry Permissions
  • 03 - Reset Service Permissions
  • 04 - Register System Files
  • 05 - Repair WMI
  • 06 - Repair Windows Firewall
  • 07 - Repair Internet Explorer
  • 08 - Repair MDAC/MS Jet
  • 10 - Remove Policies Set By Infections
  • 12 - Repair Icons
  • 14 - Remove Temp Files
  • 15 - Repair Proxy Settings
  • 17 - Repair Windows Updates
  • 21 - Repair MSI (Windows Installer)
  • 26 - Restore Important Windows Services
  • 27 - Set Windows Services to Default Startup

  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so.)
  • Please copy and paste the contents of this file in your next reply.

===

Restart the computer normally.

How is the computer running now?

=======================
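Added example, not part of the thread and not code from Tweaking.com: a read-only PowerShell check of the same areas the selected repairs touch (policies set by infections, proxy settings, the hosts file, startup type of core services), preceded by the restore point the post asks for, since the thread opened with System Restore disabled. The service list, the expected startup modes and the policy value names are my own choices of what is worth checking on a Windows 7 machine; adjust them to your system. Run it from an elevated PowerShell prompt, once before the repairs and again after the reboot, and compare the two outputs.

```powershell
# Added example (not from the thread or from Windows Repair). Windows 7 / PowerShell 2.0 compatible.
# Assumptions: expected startup modes below are the Windows 7 defaults as I know them.
$findings = @()

# 1. Re-enable System Restore on the Windows drive and take a checkpoint before repairing anything.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Before Windows Repair' -RestorePointType 'MODIFY_SETTINGS'
$latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber | Select-Object -Last 1
if ($latest) { "Latest restore point: #{0} {1}" -f $latest.SequenceNumber, $latest.Description }
else         { $findings += 'No restore point exists; System Restore may still be off' }

# 2. Policies malware sets to lock the user out of Task Manager, regedit, Run, Control Panel (Repair 10).
$policyChecks = @(
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr','DisableRegistryTools' },
  @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr','DisableRegistryTools' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoControlPanel','NoRun','NoFolderOptions','NoViewContextMenu' },
  @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoControlPanel','NoRun','NoFolderOptions' }
)
foreach ($check in $policyChecks) {
  $props = Get-ItemProperty -Path $check.Path -ErrorAction SilentlyContinue
  if ($props -eq $null) { continue }
  foreach ($name in $check.Names) {
    $value = $props.$name
    if ($value -ne $null -and $value -ne 0) { $findings += "Policy set: $($check.Path)\$name = $value" }
  }
}
# UAC switched off is a separate, equally common change.
$sys = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($sys -ne $null -and $sys.EnableLUA -eq 0) { $findings += 'UAC disabled: EnableLUA = 0' }

# 3. Proxy settings (Repair 15): a hijacker points the browser at a proxy or a PAC script
#    so that every search request passes through it.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -ne $null) {
  if ($inet.ProxyEnable -eq 1) { $findings += "Proxy enabled: $($inet.ProxyServer)" }
  if ($inet.AutoConfigURL)     { $findings += "PAC script configured: $($inet.AutoConfigURL)" }
}

# 4. Hosts file: any active entry other than the loopback lines deserves a look.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsPath -ErrorAction SilentlyContinue |
  Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
  ForEach-Object { $findings += "hosts entry: $_" }

# 5. Startup type of services the repairs restore (26/27). Win32_Service is used because
#    Get-Service on Windows 7 / PowerShell 2.0 does not expose the startup type.
$expected = @{
  'wuauserv' = 'Auto'    # Windows Update
  'BITS'     = 'Auto'    # used by Windows Update and Defender
  'MpsSvc'   = 'Auto'    # Windows Firewall
  'BFE'      = 'Auto'    # Base Filtering Engine; the firewall depends on it
  'winmgmt'  = 'Auto'    # WMI
  'CryptSvc' = 'Auto'    # catalog / signature verification
  'RpcSs'    = 'Auto'    # RPC
  'wscsvc'   = 'Auto'    # Security Center
  'VSS'      = 'Manual'  # needed for restore points
}
foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $expected.ContainsKey($_.Name) }) {
  if ($svc.StartMode -ne $expected[$svc.Name]) {
    $findings += "Service {0}: StartMode {1}, expected {2} (state {3})" -f $svc.Name, $svc.StartMode, $expected[$svc.Name], $svc.State
  }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Two caveats. The script only reports; it changes nothing except creating the restore point, so a finding is a prompt to look, not proof of infection (a corporate proxy or a deliberately disabled service will show up too). And it does not reproduce the "File is digitally signed" lines from the earlier log: on Windows 7 most in-box binaries carry catalog signatures rather than embedded ones, which the Get-AuthenticodeSignature cmdlet shipped with that PowerShell version reports as NotSigned, so use sfc /verifyonly or the scan tool's own check for file integrity.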


#11 Dave Clark

Dave Clark
  • Topic Starter

  • Members
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tenerife
  • Local time:02:27 PM

Posted 03 November 2015 - 05:48 AM

Hi Nasdaq

Computer seems to be much better and looks as if my Search Engines are working properly. See tweaking.com log below

Log:
Tweaking.com - Windows Repair v3.6.2
--------------------------------------------------------------------------------
 
System Variables
--------------------------------------------------------------------------------
OS: Windows 7 Ultimate
OS Architecture: 64-bit
OS Version: 6.1.7601
OS Service Pack: Service Pack 1
Computer Name: DAVE
Windows Drive: C:\
Windows Path: C:\Windows
Program Files: C:\Program Files
Program Files (x86): C:\Program Files (x86)
Current Profile: C:\Users\admin
Current Profile SID: S-1-5-21-934390965-3278854713-3396523229-1000
Current Profile Classes: S-1-5-21-934390965-3278854713-3396523229-1000_Classes
Profiles Location: C:\Users
Profiles Location 2: C:\Windows\ServiceProfiles
Local Settings AppData: C:\Users\admin\AppData\Local
--------------------------------------------------------------------------------
 
System Information
--------------------------------------------------------------------------------
System Up Time: 0 Days 00:11:29
 
Process Count: 116
Commit Total: 4.58 GB
Commit Limit: 8.10 GB
Commit Peak: 4.68 GB
Handle Count: 34956
Kernel Total: 1.60 GB
Kernel Paged: 436.33 MB
Kernel Non Paged: 1.18 GB
System Cache: 3.39 GB
Thread Count: 1623
--------------------------------------------------------------------------------
 
Memory Before Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 7.91 GB
Memory Used: 4.54 GB(57.4051%)
Memory Avail.: 3.37 GB
--------------------------------------------------------------------------------
 
Cleaning Memory Before Starting Repairs...
 
Memory After Cleaning with CleanMem
--------------------------------------------------------------------------------
Memory Total: 7.91 GB
Memory Used: 3.42 GB(43.2573%)
Memory Avail.: 4.49 GB
--------------------------------------------------------------------------------
 
Starting Repairs...
   Started at (03/11/2015 10:11:08)
 
Setting Any Missing 'InstallDate' From Uninstall Sections Before Running Repair...
Total Missing 'InstallDate' Fixed: 80
 
01 - Reset Registry Permissions
   Restore Windows 7/8/10 Default Registry Permissions
   Start (03/11/2015 10:11:12)
 
 
Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\7\hku.7z
Done,  0.22 seconds.
 
 
Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\7\hklm.7z
Done,  1.3 seconds.
 
   Running Repair Under System Account
   Done (03/11/2015 10:15:39)
 
03 - Reset Service Permissions
   Start (03/11/2015 10:15:39)
 
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:16:29)
 
04 - Register System Files
   Start (03/11/2015 10:16:29)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:21:23)
 
05 - Repair WMI
   Start (03/11/2015 10:21:23)
 
   Starting Security Center So We Can Export The Security Info.
 
   Exporting Antivirus Info...
   avast! Antivirus Exported.
 
   Exporting AntiSpyware Info...
   Windows Defender Exported.
   avast! Antivirus Exported.
 
   Exporting 3rd Party Firewall Info...
   No Firewall Products Reported.
 
   Running Repair Under Current User Account
   Done (03/11/2015 10:23:46)
 
06 - Repair Windows Firewall
   Start (03/11/2015 10:23:46)
 
Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\7\services.7z
Done,  0.16 seconds.
 
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:24:28)
 
07 - Repair Internet Explorer
   Start (03/11/2015 10:24:28)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:27:09)
 
08 - Repair MDAC/MS Jet
   Start (03/11/2015 10:27:09)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:28:07)
 
10 - Remove Policies Set By Infections
   Start (03/11/2015 10:28:07)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:28:14)
 
12 - Repair Icons
   Start (03/11/2015 10:28:14)
   Running Repair Under Current User Account
   Done (03/11/2015 10:28:16)
 
14 - Remove Temp Files
   Start (03/11/2015 10:28:16)
   Running Repair Under System Account
   Done (03/11/2015 10:28:18)
 
15 - Repair Proxy Settings
   Start (03/11/2015 10:28:18)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:28:20)
 
17 - Repair Windows Updates
   Start (03/11/2015 10:28:20)
 
Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\7\services.7z
Done,  0.17 seconds.
 
   Running Repair Under Current User Account
   Running Repair Under System Account
   Setting Windows Updates Files That Are In Use To Be Removed At Next Boot.
   Done (03/11/2015 10:29:21)
 
21 - Repair MSI (Windows Installer)
   Start (03/11/2015 10:29:21)
 
Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\7\services.7z
Done,  0.17 seconds.
 
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:29:36)
 
26 - Restore Important Windows Services
   Start (03/11/2015 10:29:36)
 
Decompressing & Updating Windows Permission File C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\files\permissions\7\services.7z
Done,  0.15 seconds.
 
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:29:58)
 
27 - Set Windows Services To Default Startup
   Start (03/11/2015 10:29:58)
   Running Repair Under Current User Account
   Running Repair Under System Account
   Done (03/11/2015 10:30:09)
 
Cleaning up empty logs...
 
All Selected Repairs Done.
   Done at (03/11/2015 10:30:09)
   Total Repair Time: 00:19:03
 
 
...YOU MUST RESTART YOUR SYSTEM...


#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 03 November 2015 - 09:14 AM

Glad we could help.

If all is well, to learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe:
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/
===

#13 Dave Clark

Dave Clark
  • Topic Starter

  • Members
  • 215 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tenerife
  • Local time:02:27 PM

Posted 03 November 2015 - 09:34 AM

Many thanks Nasdaq,

Best wishes

Dave



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,576 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:27 AM

Posted 04 November 2015 - 09:25 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
