
Unable to remove pop-ups using Adware Cleaner


This topic is locked
28 replies to this topic

#1 fred04

fred04

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 11 January 2016 - 10:41 PM

Infection keeps popping up when using Adware Cleaner. Scanned many times but could not fix. Do not know how to remove it.

Shows as (X64) (X86) HKEY_USERS_USERS\S-1-5-21-4288707207-2946705599-643578616-1001.

 

 

Attached Files




#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 13 January 2016 - 11:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-4288707207-2946705599-643578616-1001\...\Winlogon: [Shell] C:\WINDOWS\EXPLORER.EXE [2501368 2016-01-03] (Microsoft Corporation) <==== ATTENTION
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  No File
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  No File
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
S3 mfeaack01; \Device\mfeaack01.sys [X]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

Please post the log and let me know what problem persists.

#3 fred04

fred04
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 13 January 2016 - 11:52 PM

The computer freezes when running the FRST to fix. I had to unplug the computer and remove the battery to shut down the computer. I did a second run to see if it would work but it froze again. I ran adware cleaner and rogue killer to see if the registry is clean but the infections are still there. What I have noticed with running adware cleaner on my laptop is that I am able to scan to check for infections but when I select to clean, the laptop freezes during the clean process and I have to unplug the cord and remove the battery to shut down the computer. This has been going on since the last week. I am not sure why the Farbar Scan Tool is responding in the same way. This is what I got from the FRST run from the Fixlog.txt. Not sure if it is complete.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:10-01-2015 01
Ran by Mark (2016-01-13 23:07:10) Run:2
Running from C:\Users\Mark\Desktop
Loaded Profiles: Mark (Available Profiles: Mark)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKU\S-1-5-21-4288707207-2946705599-643578616-1001\...\Winlogon: [Shell] C:\WINDOWS\EXPLORER.EXE [2501368 2016-01-03] (Microsoft Corporation) <==== ATTENTION
ShellIconOverlayIdentifiers: [  OverlayExcluded] -> {4433A54A-1AC8-432F-90FC-85F045CF383C} =>  No File
ShellIconOverlayIdentifiers: [  OverlayPending] -> {F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225} =>  No File
ShellIconOverlayIdentifiers: [  OverlayProtected] -> {476D0EA3-80F9-48B5-B70B-05E677C9C148} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
S3 mfeaack01; \Device\mfeaack01.sys [X]

End

*****************

Restore point was successfully created.
Processes closed successfully.



#4 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 14 January 2016 - 09:52 AM

--RogueKiller--
  • Download RogueKiller & SAVE to your Desktop
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select "Run as Administrator" to start
  • For Windows XP, double-click to start.
  • Wait until Prescan has finished ...
  • When instructed Click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report"
  • Click on Export TXT button save the file as RogueReport.txt
  • The file RogueReport.txt will be saved in the desktop.
  • Close the program.
  • Open the file with Notepad and Copy/paste the content into your next reply.
<<<>>>

p.s.

If this entry is listed delete it.
Winlogon: [Shell] C:\WINDOWS\EXPLORER.EXE

Post the log for my review.

#5 fred04

fred04
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 14 January 2016 - 11:32 AM

I downloaded RogueKiller and saved to the desktop. I right-clicked and ran as administrator to start; however the Prescan did not work as this function has not worked for some time. I scanned the Processes tab and exported the results to the desktop.

 

RogueKiller V11.0.7.0 [Jan 11 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8.1 (6.3.9600) 64 bits version
Started in : Normal mode
User : Mark [Administrator]
Started from : C:\Users\Mark\Desktop\RogueKiller.exe
Mode : Scan -- Date : 01/14/2016 11:23:36

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤



#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 15 January 2016 - 08:27 AM

For your security I strongly suggest you update your Virus protection programs.

AV: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AV: McAfee Anti-Virus and Anti-Spyware (Enabled - Out of date) {DA9F8ED0-D0DE-39CC-F55A-51AB4CC1B556}
AS: Windows Defender (Enabled - Out of date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
AS: McAfee Anti-Virus and Anti-Spyware (Enabled - Out of date) {61FE6F34-F6E4-3642-CFEA-6AD93746FFEB}
FW: McAfee Firewall (Enabled) {E2A40FF5-9AB1-3894-DE05-F89EB212F22D}


How long has this prescan not been working?

Is this computer connected to a server?

Peruse this Google search.
https://www.google.ca/search?q=Prescan+did+not+work&oq=Prescan+did+not+work&aqs=chrome..69i57&sourceid=chrome&es_sm=93&ie=UTF-8#q=Prescan+does+not+work+windows+8

Read this article and find out if you have the file in bold in the quoted path. Go to %Security Server Path%\PCCSRV\Admin\Utility\ClientPackager and double-click ClnPack.exe
https://esupport.trendmicro.com/solution/en-us/1057737.aspx

#7 fred04

fred04
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 15 January 2016 - 10:23 AM

The McAfee Antivirus was already updated when I selected update. I honestly think that this McAfee Antivirus is useless. I was unable to update Windows Defender as the McAfee is already installed and would not allow me to do so.

 

The pre-scan has not worked in over a month and the server I have is the Microsoft SQL Server 2005 Compact Edition (ENU). I am not connected to multiple computers or any network of computers.

 

I searched the pre-scan problem on Google search with the link that was provided and downloaded MBAM Check 2.3.0.0 and ran a scan. The check results are in the attachment.

 

As for the ClnPack.exe, I followed the link and did not find any file in bold in the quoted path. Not sure if I was doing this correctly as it was confusing trying to access this information. If you think that I would need to access ClnPack.exe again I would need your assistance in doing so.

Attached Files



#8 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 15 January 2016 - 11:05 AM

I was unable to update Windows Defender as the McAfee is already installed and would not allow me to do so.


That is normal. You should never have 2 Virus protections working in real life.

To update Windows defender you will have to disable McAfee.

===

I searched the pre-scan problem on Google search with the link that was provided and downloaded MBAM Check 2.3.0.0 and ran a scan. The check results are in the attachment.

I'm not familiar with this tool and cannot evaluate the report.

Someone at Malwarebytes may be able to help you.

===

I do not also have a copy of the ClnPack.exe file on my personal computer.

What we can check is if some of the important services are missing or disabled.

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.

#9 fred04

fred04
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 15 January 2016 - 01:55 PM

I disabled McAfee and tried to run Windows Defender but that still did not work. I uninstalled the McAfee Antivirus restarted the computer and was able to access Windows Defender, updated and ran a scan. Downloaded the FSS Scanner and scanned. The results are below.

 

 

Farbar Service Scanner Version: 03-01-2016
Ran by Mark (administrator) on 15-01-2016 at 13:43:20
Running from "C:\Users\Mark\Desktop"
Microsoft Windows 8.1  (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Attempt to access Google IP returned error. Google IP is unreachable
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============

Firewall Disabled Policy:
==================

System Restore:
============

System Restore Policy:
========================

Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuaueng.dll".

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****



#10 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 16 January 2016 - 09:14 AM

Looking good.

If you still have problem with the prescan not working.

I suggest you start a new topic in the Windows 8 forum.
Someone may be able to help you.

Windows 8 forum.
http://www.bleepingcomputer.com/forums/f/209/windows-8-and-windows-81/

===

I will keep this topic open for 6 days.
If you need to return please do.

#11 fred04

fred04
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 19 January 2016 - 08:29 AM

It seemed to work but after a day I ran Rogue Killer and Adware Cleaner and new infections showed up. Could not remove as it is stuck in the registry.

I did a System Restore to Factory specs, ran the cleaners again, but unfortunately the infections are still there stuck in the registry. Not sure what the next step should be.

 

As for the Pre-scan I have noticed that when the Rogue Killer program starts there is a dialog that says "Initialization". I take it that this is the pre-scan? It does not say Pre-Scan as it goes through its self-test.



#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 19 January 2016 - 10:11 AM

Can you please post the Roguekiller and the AdwCleaner logs for my review.

I would like to see what entries are not being removed.

#13 fred04

fred04
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 19 January 2016 - 10:50 AM

Here are the results of the RogueKiller and AdwCleaner logs. I also did the Junkware Removal Tool log as these infections keep repeating themselves.

 

 

RogueKiller V11.0.8.0 [Jan 19 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200) 64 bits version
Started in : Normal mode
User : Mark [Administrator]
Started from : C:\Users\Mark\Desktop\RogueKiller.exe
Mode : Scan -- Date : 01/19/2016 10:29:06

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 10 ¤¤¤
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://toshiba13.msn.com  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0x20]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA THNSNJ256GCSU +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] Basic data partition | Offset (sectors): 923648 | Size: 260 MB
2 - [MAN-MOUNT] Basic data partition | Offset (sectors): 1456128 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1718272 | Size: 232289 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 477446144 | Size: 11070 MB
User = LL1 ... OK
User = LL2 ... OK

 

 

# AdwCleaner v5.030 - Logfile created 19/01/2016 at 10:33:07
# Updated 17/01/2016 by Xplode
# Database : 2016-01-17.3 [Server]
# Operating system : Windows 8  (x64)
# Username : Mark - Mark
# Running from : C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C7R0Q7Z\AdwCleaner.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder Deleted : C:\Users\Mark\Favorites\StumbleUpon
[!] Folder Not Deleted : C:\Users\Mark\Favorites\StumbleUpon

***** [ Files ] *****

***** [ DLLs ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]
[-] Data Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Data Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]
[-] Data Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Secondary Start Pages]
[!] Data Not Restored : HKU\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main [Secondary Start Pages]
[!] Data Not Restored : HKU\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main [Default_Secondary_Page_URL]

***** [ Web browsers ] *****

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1689 bytes] ##########

 

 

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 8 x64
Ran by Mark (Administrator) on Tue 01/19/2016 at 10:40:12.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 4

Successfully deleted: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C7R0Q7Z (Folder)
Successfully deleted: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9KAPZ5LQ (Folder)
Successfully deleted: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AM04H76L (Folder)
Successfully deleted: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UWLI8YAR (Folder)

 

Registry: 0
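As an added example (not code from the thread, from BleepingComputer, or from Adlice), a small parser for the RogueKiller report format shown above, used to diff two scans so that registry settings that survive a cleanup pass stand out. The two sample reports are constructed, trimmed copies of the 19 January logs in this thread. PUM (potentially unwanted modification) entries flag settings that differ from Windows defaults, such as an OEM start page, and are not by themselves evidence of malware.

```python
import re
from collections import defaultdict

MARK = "\u00a4" * 3  # the "¤¤¤" banner marker RogueKiller puts around section headers

# Section banner, e.g. "¤¤¤ Registry : 10 ¤¤¤"; the count may be absent ("¤¤¤ MBR Check : ¤¤¤")
SECTION_RE = re.compile(r"^\u00a4{3}\s*(?P<section>.+?)\s*:\s*(?P<count>\d*)")
# One finding line: [Category] (View) Key | ValueName : Data  -> Status
FINDING_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<view>X64|X86)\)\s+"
    r"(?P<key>.+?)\s+\|\s+(?P<name>.+?)\s+:\s+(?P<data>.*?)\s+->\s+(?P<status>\w+)\s*$"
)
# Per-user hives live under HKEY_USERS\<SID>; HKLM entries carry no SID
SID_RE = re.compile(r"S-1-5-21(?:-\d+){4}")


def parse_report(text):
    """Return ({section: count_or_None}, [finding dicts]) for one RogueKiller report."""
    sections, findings, current = {}, [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m["section"]
            sections[current] = int(m["count"]) if m["count"] else None
            continue
        m = FINDING_RE.match(line)
        if m and current:
            f = m.groupdict()
            f["section"] = current
            sid = SID_RE.search(f["key"])
            f["sid"] = sid.group(0) if sid else None
            findings.append(f)
    return sections, findings


def settings(findings):
    """Collapse the X64/X86 views of one registry value into a single setting -> {views}."""
    merged = defaultdict(set)
    for f in findings:
        merged[(f["category"], f["key"], f["name"], f["data"])].add(f["view"])
    return merged


def diff_reports(before_text, after_text):
    """Classify each setting as persisted, removed, or new between two scans."""
    before = set(settings(parse_report(before_text)[1]))
    after = set(settings(parse_report(after_text)[1]))
    return {
        "persisted": sorted(before & after),
        "removed": sorted(before - after),
        "new": sorted(after - before),
    }


# Constructed sample: a trimmed copy of the first 19 Jan scan in the thread
SCAN_BEFORE = "\n".join([
    "RogueKiller V11.0.8.0 [Jan 19 2016] (Free) by Adlice Software",
    "Mode : Scan -- Date : 01/19/2016 10:29:06",
    "",
    rf"{MARK} Processes : 0 {MARK}",
    "",
    rf"{MARK} Registry : 3 {MARK}",
    r"[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found",
    r"[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page : http://toshiba13.msn.com  -> Found",
    r"[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found",
    "",
    rf"{MARK} Antirootkit : 0 (Driver: Not loaded [0x20]) {MARK}",
    "",
    rf"{MARK} MBR Check : {MARK}",
])

# Constructed sample: a hypothetical re-scan in which only the per-user Search Bar entry survived
SCAN_AFTER = "\n".join([
    "Mode : Scan -- Date : 01/19/2016 12:33:30",
    "",
    rf"{MARK} Registry : 1 {MARK}",
    r"[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main | Search Bar : Preserve  -> Found",
    "",
    rf"{MARK} Antirootkit : 0 (Driver: Not loaded [0x20]) {MARK}",
])

if __name__ == "__main__":
    for label, entries in diff_reports(SCAN_BEFORE, SCAN_AFTER).items():
        print(f"{label}: {len(entries)}")
        for category, key, name, data in entries:
            print(f"  [{category}] {key} | {name} = {data}")
```

A setting listed under "persisted" after a cleaning run is the one worth chasing, since something is either re-writing it or the tool never had permission to change it.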



#14 nasdaq

nasdaq

  • Malware Response Team
  • 39,246 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:02:31 PM

Posted 19 January 2016 - 11:16 AM

Please run the Roguekiller tool and fix/delete everything that you see.
Default settings will be restored.
===

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:
    :reg
    HKU\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main /sub
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===


Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start

CloseProcesses:

C:\Users\Mark\Favorites\StumbleUpon

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

How is it now?

#15 fred04

fred04
  • Topic Starter

  • Members
  • 42 posts
  • OFFLINE
  •  
  • Local time:02:31 PM

Posted 19 January 2016 - 12:55 PM

Here are the results of the SystemLook txt and the fixlog txt.

 

RogueKiller and Adware Cleaner did not have any infections; however, the JRT still produces the same file infections. Not sure how to fix this problem.

RogueKiller, Adware Cleaner and the JRT txt are located below.

 

 

SystemLook 30.07.11 by jpshortstuff
Log created at 12:09 on 19/01/2016 by Mark
Administrator - Elevation successful

========== reg ==========

[HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main]
"Anchor Underline"="yes"
"Cache_Update_Frequency"="Once_Per_Session"
"Display Inline Images"="yes"
"Do404Search"=01 00 00 00  (REG_BINARY)
"Local Page"="C:\windows\system32\blank.htm"
"Save_Session_History_On_Exit"="no"
"Show_FullURL"="no"
"Show_StatusBar"="yes"
"Show_ToolBar"="yes"
"Show_URLinStatusBar"="yes"
"Show_URLToolBar"="yes"
"Use_DlgBox_Colors"="yes"
"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"
"XMLHTTP"= 0x0000000001 (1)
"NoUpdateCheck"= 0x0000000001 (1)
"Disable Script Debugger"="yes"
"DisableScriptDebuggerIE"="yes"
"Enable Browser Extensions"="yes"
"Play_Background_Sounds"="yes"
"Play_Animations"="yes"
"IconCache"="stnk1ho"
"Start Page Redirect Cache"="http://www.msn.com/?ocid=iehp"
"Start Page Redirect Cache AcceptLangs"="en-US"
"IE10RunOncePerInstallCompleted"= 0x0000000001 (1)
"IE10RunOnceCompletionTime"=2d be 95 91 cf 52 d1 01  (REG_BINARY)
"ApplicationTileImmersiveActivation"= 0x0000000001 (1)
"AssociationActivationMode"= 0x0000000000 (0)
"StatusBarWeb"= 0x0000000001 (1)
"SearchControlWidth"= 0x000000012c (300)
"ForceGDIPlus"= 0x0000000000 (0)
"AlwaysShowMenus"= 0x0000000000 (0)
"ShutdownWaitForOnUnload"= 0x0000000000 (0)
"DNSPreresolution"= 0x0000000008 (8)
"SpellChecking"= 0x0000000001 (1)
"LangToolsBroker"="{5bbd58bb-993e-4c17-8af6-3af8e908fca8}"
"DisablePasswordReveal"= 0x0000000000 (0)
"Check_Associations"="yes"
"DisableRequiresActiveXPrompt"=""
"GotoIntranetSiteForSingleWordEntry"= 0x0000000000 (0)
"AutoSearch"= 0x0000000001 (1)
"SuppressScriptDebuggerDialog"= 0x0000000000 (0)
"PredictedViewExpansion"= 0x0000000064 (100)
"PredictedViewChangeThreshold"= 0x000000000a (10)
"PredictedViewChangeThresholdPaint"= 0x0000000005 (5)
"ContentLayerCacheExpansion"= 0x000000012c (300)
"RenderingLoopMaxTime"= 0x00000000fa (250)
"NscSingleExpand"= 0x0000000000 (0)
"Error Dlg Displayed On Every Error"="no"
"EnableSearchPane"= 0x0000000000 (0)
"NotifyDownloadComplete"="yes"
"AllowWindowReuse"= 0x0000000001 (1)
"Friendly http errors"="yes"
"CSS_Compat"="doctype"
"Expand Alt Text"="no"
"Display Inline Videos"= 0x0000000001 (1)
"Print_Background"="no"
"Use Stylesheets"= 0x0000000001 (1)
"SmoothScroll"= 0x0000000001 (1)
"Show image placeholders"= 0x0000000000 (0)
"Disable Diagnostics Mode"="no"
"Move System Caret"="no"
"Enable AutoImageResize"="yes"
"UseThemes"= 0x0000000001 (1)
"UseHR"= 0x0000000000 (0)
"Q300829"= 0x0000000000 (0)
"Cleanup HTCs"= 0x0000000000 (0)
"XDomainRequest"= 0x0000000001 (1)
"DOMStorage"= 0x0000000001 (1)
"EnableAlternativeCodec"="yes"
"JScriptProfileCacheEventDelay"= 0x0000001388 (5000)
"CrossfadeMinTimeoutInMS"= 0x0000007530 (30000)
"CrossfadeMaxTimeoutInMS"= 0x0000007530 (30000)
"CrossfadeCurrentTimeoutInMS"= 0x0000007530 (30000)
"IE10RunOnceLastShown"= 0x0000000000 (0)
"IE10TourNoShow"= 0x0000000000 (0)
"IE10TourShown"= 0x0000000000 (0)
"IE10RecommendedSettingsNo"= 0x0000000000 (0)
"FrameTabWindow"= 0x0000000001 (1)
"AdminTabProcs"= 0x0000000001 (1)
"SessionMerging"= 0x0000000001 (1)
"FrameMerging"= 0x0000000001 (1)
"HangRecovery"= 0x0000000001 (1)
"Isolation"="PMIL"
"IsolationImmersive"="PMEM"
"TabShutdownDelay"= 0x000000ea60 (60000)
"FrameShutdownDelay"= 0x0000000000 (0)
"Search Bar"="http://search.msn.com/spbasic.htm"
"MinIEEnabled"= 0x0000000001 (1)
"FormSuggest PW Ask"="yes"
"RefcountTracker"= 0x0000000000 (0)
"TabDragOnSingleProc"= 0x0000000000 (0)
"Window Title"="Internet Explorer provided by TOSHIBA"
"Start Page"="http://go.microsoft.com/fwlink/p/?LinkId=255141"
"Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
"DisableFirstRunCustomize"= 0x0000000001 (1)
"OperationalData"=01 00 00 00 00 00 00 00  (REG_QWORD)
"Window_Placement"=2c 00 00 00 00 00 00 00 01 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 58 00 00 00 58 00 00 00 ad 03 00 00 b0 02 00 00  (REG_BINARY)
"FullScreen"="no"
"CompatibilityFlags"= 0x0000000000 (0)

[HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl]
(No values found)

[HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_MODE]
"iexplore.exe"= 0x0000000008 (8)

[HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"iexplore.exe"= 0x0000000001 (1)

[HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings]
"LOCALMACHINE_CD_UNLOCK"= 0x0000000000 (0)

[HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main\Touch]
"FlickEducatorInfo"= 0x0000000000 (0)
"GestureZoomMinimumIncrement"= 0x0000000001 (1)
"GestureTimerInterval"= 0x000000000f (15)

[HKEY_USERS\S-1-5-21-2802955340-1988312179-369960370-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch]
"Version"="6.2.9200.16420"
"User Favorites Path"="file:///C:\Users\Mark\Favorites\"
"UpgradeTime"=26 a2 1c d7 d7 52 d1 01  (REG_BINARY)
"ConfiguredScopes"= 0x0000000005 (5)
"LastCrawl"=f1 b7 12 ae 77 52 d1 01  (REG_BINARY)
"AutoCompleteGroups"= 0x0000000005 (5)
"Disabled"= 0x0000000000 (0)
"EnabledScopes"= 0x0000000005 (5)
"Cleared"= 0x0000000001 (1)
"Cleared_TIMESTAMP"=91 6e e8 fe c5 52 d1 01  (REG_BINARY)

[]

 

 

Fix result of Farbar Recovery Scan Tool (x64) Version:18-01-2016
Ran by Mark (2016-01-19 12:15:39) Run:1
Running from C:\Users\Mark\Desktop
Loaded Profiles: Mark (Available Profiles: Mark)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CloseProcesses:

C:\Users\Mark\Favorites\StumbleUpon

End
*****************

Processes closed successfully.
"C:\Users\Mark\Favorites\StumbleUpon" => not found.

The system needed a reboot.

 

 

RogueKiller V11.0.8.0 [Jan 19 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 8 (6.2.9200) 64 bits version
Started in : Normal mode
User : Mark [Administrator]
Started from : C:\Users\Mark\Desktop\RogueKiller.exe
Mode : Scan -- Date : 01/19/2016 12:33:30

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 0 ¤¤¤

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA THNSNJ256GCSU +++++
--- User ---
[MBR] a84dd93b5b19931ceaddbccc47850486
[BSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
1 - [MAN-MOUNT] Basic data partition | Offset (sectors): 923648 | Size: 260 MB
2 - [MAN-MOUNT] Basic data partition | Offset (sectors): 1456128 | Size: 128 MB
3 - Basic data partition | Offset (sectors): 1718272 | Size: 232289 MB
4 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 477446144 | Size: 11070 MB
User = LL1 ... OK
User = LL2 ... OK

 

 

# AdwCleaner v5.030 - Logfile created 19/01/2016 at 12:36:21
# Updated 17/01/2016 by Xplode
# Database : 2016-01-17.3 [Server]
# Operating system : Windows 8  (x64)
# Username : Mark - MARK
# Running from : C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C7R0Q7Z\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ DLL ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [619 bytes] ##########

 

 

Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.2 (01.06.2016)
Operating System: Windows 8 x64
Ran by Mark (Administrator) on Tue 01/19/2016 at 12:16:42.84
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

File System: 4

Successfully deleted: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1C7R0Q7Z (Folder)
Successfully deleted: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9KAPZ5LQ (Folder)
Successfully deleted: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AM04H76L (Folder)
Successfully deleted: C:\Users\Mark\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UWLI8YAR (Folder)

 

Registry: 0
