
Malware - Do not know what


  • This topic is locked
15 replies to this topic

#1 coachoflife

coachoflife

  • Members
  • 118 posts
  • OFFLINE
  •  
  • Local time:06:28 PM

Posted 22 April 2016 - 03:20 AM

I have a malware that stops me from visiting webpages, stops me watching videos, goes to factory settings whatever I try to do eg restore point, changes from time to time what I can access and controls what e-mails I get and when they arrive (sometimes months).  I get a lot of messages when trying to access things on my computer needing passwords telling me it is the wrong password when it is not and when trying to play computer games it stops working after a few days with a variety of problems from access denied to disc not recognised.

 

 


 


#2 dbrisendine

dbrisendine

  • Malware Response Team
  • 508 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:BC, Canada
  • Local time:10:28 AM

Posted 22 April 2016 - 08:04 PM


Hi coachoflife,

Welcome to BleepingComputer. My name is dbrisendine and I'll be helping you with this problem. Before I get into the removal of malware / correction of your problem, I need you to be aware of the following:

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. Also, as some of the cleaning may be done in Safe Mode and there will be no internet connection then, you will find that having the steps printed for reference speeds the cleaning process along. If there's anything you don't understand or isn't totally clear to you, please come back to me for clarification before you start those steps.
  • All of the assistants and staff at BleepingComputer are here on a volunteer basis; please respect our time given to the cause of helping others. If you are going to be away for more than 4 days, please let me know here. (I will do the same for you.) We do realize that 'life happens' and situations arise unexpectedly; we just ask that you keep us up to date.
  • Malware removal is a complex, multiple step process; please stay with me on this thread (don't start another thread) until I declare that your logs are clean and you are good to go. The absence of apparent issues does not mean your system is clean; I will tell you when everything looks good for you to go and help you remove the tools we have used.
  • If any of the security programs on your system should give any warnings about the software tools I ask you to download and use, please do not be alarmed. All of the tools I will have you use are safe to use (as instructed) and malware free.
  • While we strive to disrupt your system as little as possible, things happen. If you can, it would be best to back up your personal files now (if you do not already have a backup). You can store these on a CD/DVD, USB drive or stick, anywhere but on your same system. This will save you from possible anguish later if something unforeseen happens.
  • Please do not run any other tools or scanners than what I ask you to. Some of the openly available software made for malware removal can make changes to your system that interfere with the cleaning of the malware, or even destroy your system. I will use only what the situation calls for and direct you in the proper use of that software.
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.


    - Save ALL Tools to your Desktop-

    All the tools that I will have you download should be placed on the desktop unless otherwise stated. If you are familiar with how to save files to the desktop then you can skip this step.

    Since you are continuing with this step then I assume you are unfamiliar with saving files to your desktop. As a result it's easiest if you configure your browser(s) to download any tools to the desktop by default. Please use the appropriate instructions below depending on the browser you are using.
    Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.
    Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.
    Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.
    NOTE: IE8 does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.
     

Let's get started....

FIRST >>>>

Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

AVG 2016
FMW 1
Nielsen



To do so, left click on the name once and then click Uninstall/Change at the bar above the list window.

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.


SECOND >>>>

It seems that AVG and Microsoft Security Essentials are installed on this system. Even with AVG "not active" it is still loading drivers and interfering with MSE doing a proper job.

Please go to this site (http://www.avg.com/ca-en/utilities) and download AVG_remover.exe to your desktop. Close your browsers and double click on the file to run this utility. Follow the prompts to fully remove all of AVG from your system.

Please make sure you save any license or key information for AVG before running the utility as these will be deleted and you will have to re-enter the information if you want to install AVG again.


LAST >>>>

Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt



Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [NielsenOnline] => C:\Program Files (x86)\NetRatingsNetSight\NetSight\NielsenOnline.exe [116088 2015-09-03] (The Nielsen Company)
HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\...\MountPoints2: {517ed247-c8e5-11e5-bb88-806e6f6e6963} - D:\Setup.now.exe
C:\Program Files (x86)\NetRatingsNetSight
Hosts:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/webhp?gws_rd=ssl
SearchScopes: HKU\S-1-5-21-3085716148-2522160780-3452964391-1000 -> DefaultScope {B393F0DD-23F7-433A-8785-EFCA61BEA103} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-3085716148-2522160780-3452964391-1000 -> {B393F0DD-23F7-433A-8785-EFCA61BEA103} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
CHR Extension: (Google Drive) - C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-17]
CHR Extension: (Nielsen NetSight) - C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpgmmbefnahabhcchpfkobeindpppflc [2016-04-21]
CHR Extension: (Google Search) - C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-17]
CHR HKLM-x32\...\Chrome\Extension: [bpgmmbefnahabhcchpfkobeindpppflc] - hxxps://clients2.google.com/service/update2/crx
S3 AvgAMPS; "C:\Program Files (x86)\AVG\Av\avgamps.exe" [X]
S2 AVGIDSAgent; "C:\Program Files (x86)\AVG\Av\avgidsagent.exe" [X]
S2 avgwd; "C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe" [X]
C:\Program Files (x86)\AVG\Av\avgamps.exe
C:\Program Files (x86)\AVG\Av\avgidsagent.exe
C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
C:\Users\x\AppData\Local\Temp\dllnt_dump.dll
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end


NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait.


If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.


#3 coachoflife


Posted 22 April 2016 - 11:21 PM

Hi,  The last thing you asked for will not work as both files have to be in the same location and despite looking for answers online I have no idea how to accomplish it.  I followed all the steps and pressed fix but got a message saying both files have to be in the same folder/directory.



#4 dbrisendine


Posted 23 April 2016 - 02:43 AM

I should have added that you need to move FRST64.exe from the C:\Users\x\Downloads directory to your desktop.  (Don't worry; we will clean the tools off your system when we are finished with them!)

 

To move the file ==>>

 

Open Explorer and go to the C:\Users\x\Downloads folder.

Right click on the FRST64.exe file and select CUT.

Go to your desktop and right click on a blank spot on the desktop.

Select Paste.

 

Both files (FRST64.exe and Fixlist.txt) should be on the desktop now.  You can run the Fixlist.txt script now.




#5 coachoflife


Posted 23 April 2016 - 05:28 AM

Fix result of Farbar Recovery Scan Tool (x64) Version:18-04-2016
Ran by x (2016-04-23 11:09:27) Run:1
Running from C:\Users\x\Desktop
Loaded Profiles: x & UpdatusUser (Available Profiles: x & UpdatusUser)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [NielsenOnline] => C:\Program Files (x86)\NetRatingsNetSight\NetSight\NielsenOnline.exe [116088 2015-09-03] (The Nielsen Company)
HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\...\MountPoints2: {517ed247-c8e5-11e5-bb88-806e6f6e6963} - D:\Setup.now.exe
C:\Program Files (x86)\NetRatingsNetSight
Hosts:
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Local Page =
HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.co.uk/webhp?gws_rd=ssl
SearchScopes: HKU\S-1-5-21-3085716148-2522160780-3452964391-1000 -> DefaultScope {B393F0DD-23F7-433A-8785-EFCA61BEA103} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
SearchScopes: HKU\S-1-5-21-3085716148-2522160780-3452964391-1000 -> {B393F0DD-23F7-433A-8785-EFCA61BEA103} URL = hxxps://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:{language}:{referrer:source}&ie={inputEncoding?}&oe={outputEncoding?}
CHR Extension: (Google Drive) - C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-02-17]
CHR Extension: (Nielsen NetSight) - C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpgmmbefnahabhcchpfkobeindpppflc [2016-04-21]
CHR Extension: (Google Search) - C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-02-17]
CHR HKLM-x32\...\Chrome\Extension: [bpgmmbefnahabhcchpfkobeindpppflc] - hxxps://clients2.google.com/service/update2/crx
S3 AvgAMPS; "C:\Program Files (x86)\AVG\Av\avgamps.exe" [X]
S2 AVGIDSAgent; "C:\Program Files (x86)\AVG\Av\avgidsagent.exe" [X]
S2 avgwd; "C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe" [X]
C:\Program Files (x86)\AVG\Av\avgamps.exe
C:\Program Files (x86)\AVG\Av\avgidsagent.exe
C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe
C:\Users\x\AppData\Local\Temp\dllnt_dump.dll
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
 
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\NielsenOnline => value not found.
"HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{517ed247-c8e5-11e5-bb88-806e6f6e6963}" => key removed successfully
HKCR\CLSID\{517ed247-c8e5-11e5-bb88-806e6f6e6963} => key not found. 
"C:\Program Files (x86)\NetRatingsNetSight" => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Local Page => value restored successfully
HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B393F0DD-23F7-433A-8785-EFCA61BEA103}" => key removed successfully
HKCR\CLSID\{B393F0DD-23F7-433A-8785-EFCA61BEA103} => key not found. 
C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf => moved successfully
C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\bpgmmbefnahabhcchpfkobeindpppflc => not found
C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf => moved successfully
HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\bpgmmbefnahabhcchpfkobeindpppflc => key not found. 
AvgAMPS => service not found.
AVGIDSAgent => service not found.
avgwd => service not found.
"C:\Program Files (x86)\AVG\Av\avgamps.exe" => not found.
"C:\Program Files (x86)\AVG\Av\avgidsagent.exe" => not found.
"C:\Program Files (x86)\AVG\Av\avgwdsvcx.exe" => not found.
C:\Users\x\AppData\Local\Temp\dllnt_dump.dll => moved successfully
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========  netsh advfirewall reset =========
 
Ok.
 
 
========= End of CMD: =========
 
 
=========  netsh advfirewall set allprofiles state on =========
 
Ok.
 
 
========= End of CMD: =========
 
 
========= Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to cancel {2192C720-A35D-482E-9983-9F7F01B42EDF}.
0 out of 1 jobs canceled.
 
========= End of CMD: =========
 
 
========= RemoveProxy: =========
 
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-3085716148-2522160780-3452964391-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
 
 
========= End of RemoveProxy: =========
 
EmptyTemp: => 1 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 11:10:26 ====
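
A reviewer reading a Fixlog like the one above mainly wants to know which entries were changed, which were already absent, and whether any command reported a failure (here, the bitsadmin job that could not be cancelled). The following Python sketch is an added example, not part of the original thread and not part of FRST; the outcome categories and failure keywords are assumptions drawn only from the log lines shown above.

```python
import re
from collections import Counter

# Excerpt of the Fixlog posted above, trimmed for this example.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version:18-04-2016
fixlist content:
*****************
Start
HKLM-x32\...\Run: [] => [X]
Hosts:
cmd: ipconfig /flushdns
CMD: bitsadmin /reset /allusers
end

*****************

Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\NielsenOnline => value not found.
"C:\Program Files (x86)\NetRatingsNetSight" => not found.
C:\Windows\System32\Drivers\etc\hosts => moved successfully
AvgAMPS => service not found.
C:\Users\x\AppData\Local\Temp\dllnt_dump.dll => moved successfully

=========  ipconfig /flushdns =========

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  bitsadmin /reset /allusers =========

Unable to cancel {2192C720-A35D-482E-9983-9F7F01B42EDF}.
0 out of 1 jobs canceled.

========= End of CMD: =========

EmptyTemp: => 1 GB temporary data Removed.

==== End of Fixlog 11:10:26 ====
"""

STARS = re.compile(r"^\*{5,}$")                      # delimits the echoed fixlist
BLOCK_END = re.compile(r"^=+ End of .*=+$")          # "========= End of CMD: ========="
BLOCK_START = re.compile(r"^=+\s+(?P<cmd>.+?)\s+=+$")  # "=========  <command> ========="
RESULT = re.compile(r"^(?P<target>.+?)\s+=>\s+(?P<outcome>.+)$")
# Assumed failure wording, taken from the bitsadmin output in this log plus
# a few generic Windows error phrases.
FAILURE_HINT = re.compile(r"unable to|access is denied|error|failed|\b0 out of \d+", re.I)


def classify(outcome):
    """Map the text after '=>' to changed / absent / review."""
    text = outcome.lower()
    if "not found" in text:
        return "absent"      # target was already gone before the fix ran
    if re.search(r"\b(removed|moved|restored)\b", text):
        return "changed"     # the fix altered the system
    return "review"          # unrecognised wording: a human should read it


def summarize_fixlog(text):
    """Return outcome counts and the lines that need a human look."""
    counts = Counter()
    review = []              # (context, line) pairs
    in_echo = False          # inside the echoed fixlist, whose '=>' lines are input, not results
    block = None             # command whose raw output is currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if STARS.match(line):
            in_echo = not in_echo
            continue
        if in_echo:
            continue
        if BLOCK_END.match(line):
            block = None
            continue
        start = BLOCK_START.match(line)
        if start:
            block = start.group("cmd")
            continue
        result = RESULT.match(line)
        if result:
            kind = classify(result.group("outcome"))
            counts[kind] += 1
            if kind == "review":
                review.append((result.group("target"), line))
        elif block is not None and FAILURE_HINT.search(line):
            counts["review"] += 1
            review.append((block, line))
    return {"counts": dict(counts), "review": review}


if __name__ == "__main__":
    summary = summarize_fixlog(SAMPLE_FIXLOG)
    print(summary["counts"])
    for context, line in summary["review"]:
        print(f"REVIEW [{context}] {line}")
```
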


#6 dbrisendine


Posted 23 April 2016 - 10:58 AM

Looks good so far!  Good job!  How is the system running?
 

FIRST >>>>

Junkware Removal Tool
Please download JRT from here to your desktop.

Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.

Double click the JRT.exe file to run the application.

The application will open a Command Prompt window and run from there (this is normal for this program, so not to be alarmed).

When it is asked, press any key to allow the program to continue / run.

This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post.

Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.


SECOND >>>>

AdwCleaner by Xplode

Download AdwCleaner from here or from here. Save the file to the desktop.

NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.

Close all open windows and browsers.

Vista/7/8 users: Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner.
You will see the following console:
[Screenshot: AdwCleaner console]

Click the Scan button and wait for the scan to finish.

After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.

Click the Clean button.

Everything checked will be deleted.

When the program has finished cleaning a report appears.

Once done it will ask to reboot; allow this.

On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[C#].txt


Optional:
NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.


LAST >>>>

Malwarebytes' Anti-Malware

Please download the latest version of Malwarebytes' Anti-Malware from here.

Double Click on the mbam-setup.exe file to install the application.

Do not check on the Trial of Professional version. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.

Once the program has loaded and updated, select "Scan Now >>" to start the scan.

The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.
[Screenshot: Malwarebytes "Remove Selected" screen]

If any malware is found, make sure that everything is checked, and click Remove Selected.
When the scan is complete, click View detailed log >> to view the results.
The report screen will open.
At the bottom click on Export and select as txt file, save the file to your desktop and click OK. When the export is complete, select OPEN.
The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + c) it to paste here in a reply.



#7 coachoflife


Posted 23 April 2016 - 07:24 PM

Thanks for your help.  Does bleepingcomputer have a gofundme account as I gave some money about 5 weeks ago and not sure if it was real?  Still having problems with webpages fully loading as they are slow, problems with passwords on websites I use and getting no e-mails sent to my e-mail box from these sites requesting forgotten password.  I get my icons turn white and then slowly turn to what they should be (do not know if this matters but every time I have had this problem the icons turn white).

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.5 (04.20.2016)
Operating System: Windows 7 Professional x64 
Ran by x (Administrator) on 24/04/2016 at  0:33:02.06
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 24/04/2016
Scan Time: 00:58
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.04.23.07
Rootkit Database: v2016.04.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: x
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 390224
Time Elapsed: 14 min, 13 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
 
 
File System: 1 
 
Successfully deleted: C:\Program Files (x86)\Common Files\avg secure search\vtoolbarupdater (Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 24/04/2016 at  0:35:08.14
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
# AdwCleaner v5.036 - Logfile created 24/02/2016 at 13:34:29
# Updated 22/02/2016 by Xplode
# Database : 2016-02-22.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : x - X-PC
# Running from : C:\Users\x\Downloads\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
 
***** [ Files ] *****
 
[-] File Deleted : C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
[-] File Deleted : C:\Users\x\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\chatango.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com
 
***** [ Web browsers ] *****
 
 
*************************
 
:: "Tracing" keys removed
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [1391 bytes] - [24/02/2016 13:34:29]
C:\AdwCleaner\AdwCleaner[S1].txt - [1415 bytes] - [24/02/2016 13:16:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1537 bytes] ##########
# AdwCleaner v5.112 - Logfile created 24/04/2016 at 00:46:20
# Updated 17/04/2016 by Xplode
# Database : 2016-04-19.5 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (X64)
# Username : x - X-PC
# Running from : C:\Users\x\Desktop\AdwCleaner.exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Folders ] *****
 
[-] Folder Deleted : C:\Program Files (x86)\avg web tuneup
[-] Folder Deleted : C:\Program Files (x86)\Common Files\AVG Secure Search
[-] Folder Deleted : C:\Program Files\Common Files\AVG Secure Search
[-] Folder Deleted : C:\ProgramData\avg web tuneup
[#] Folder Deleted : C:\ProgramData\Application Data\avg web tuneup
[-] Folder Deleted : C:\Users\x\AppData\Local\avg web tuneup
 
***** [ Files ] *****
 
 
***** [ DLLs ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Scheduled tasks ] *****
 
 
***** [ Registry ] *****
 
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\chatango.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cloudfront.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\d16fk4ms6rqz1v.cloudfront.net
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com
 
***** [ Web browsers ] *****
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [3342 bytes] - [24/02/2016 14:34:29]
C:\AdwCleaner\AdwCleaner[S1].txt - [3205 bytes] - [24/02/2016 14:16:26]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [3488 bytes] ##########
 


#8 dbrisendine


Posted 25 April 2016 - 09:53 PM

Let's make sure there are no malware traces left and then we will tackle the system / browser errors ....

 


Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from here.

Double Click on the mbam-setup.exe file to install the application.

Do not check on the Trial of Professional version. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link

Once updated, please select Settings > Detection and Protection. Please ensure that "Scan for Rootkits" is selected and that, under Non-Malware Protection, PUP and PUM are set to "Treat detections as malware".

Once the settings have been configured, select the Dashboard tab to return to the Main screen and select "Scan Now >>" to start the scan.

The scan may take some time to finish, so please be patient.

If any malware is found, you will be presented with a screen like the one below.

Please make sure that everything is checked, and click Remove Selected.
When the scan is complete, click View detailed log >> to view the results.

The report screen will open.

At the bottom click on Export and select as txt file, save the file to your desktop and click OK.  When the export is complete, select OPEN.

The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + C) it to paste here in a reply.
 


Please do not ask for Malware help via PM (Private Messages).  Please post in the forum boards instead.  Thanks.

My help is always free but if you would like to help encourage me or show your thanks -----> btn_donate_LG.gif


#9 coachoflife


Posted 26 April 2016 - 03:08 AM

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 24/04/2016
Scan Time: 00:58
Logfile: mbam.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.04.23.07
Rootkit Database: v2016.04.17.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: x
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 390224
Time Elapsed: 14 min, 13 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
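
A check one could run over an exported log like the one above before treating a clean result as conclusive, added here as an example and not part of the thread or of Malwarebytes: the helper asked for "Scan for Rootkits" to be selected, and the posted log records Rootkits: Disabled. The function names, the 7-day database-age threshold and the assumption that active settings read "Enabled" are this example's own.

```python
import re
from datetime import date

# Abridged copy of the Malwarebytes 2.x log posted in this thread (post #9).
SAMPLE_LOG = """\
Scan Date: 24/04/2016
Malware Database: v2016.04.23.07
Result: Completed
Rootkits: Disabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Registry Keys: 0
Files: 0
Physical Sectors: 0
"""

# Settings the helper asked for (assumption: an active setting reads "Enabled").
REQUIRED = ("Rootkits", "PUP", "PUM")
COUNT_SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
                  "Registry Data", "Folders", "Files", "Physical Sectors")

def parse_log(text):
    """Return the log's 'Key: value' lines as a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields

def review_log(text, max_db_age_days=7):
    """Return a list of findings that make a 'clean' result less trustworthy."""
    f, findings = parse_log(text), []
    if f.get("Result") != "Completed":
        findings.append("scan did not complete")
    for name in REQUIRED:
        if f.get(name) != "Enabled":
            findings.append(f"{name} scanning is {f.get(name, 'missing')}")
    d, m, y = map(int, f["Scan Date"].split("/"))  # log uses DD/MM/YYYY
    db = re.match(r"v(\d{4})\.(\d{2})\.(\d{2})", f["Malware Database"])
    age = (date(y, m, d) - date(*map(int, db.groups()))).days
    if age > max_db_age_days:
        findings.append(f"malware database is {age} days older than the scan")
    detected = sum(int(f.get(s, 0)) for s in COUNT_SECTIONS)
    if detected:
        findings.append(f"{detected} malicious item(s) reported")
    return findings
```

Calling `review_log(SAMPLE_LOG)` on the abridged log returns a single finding, for the disabled rootkit scan.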


#10 dbrisendine


Posted 26 April 2016 - 11:33 PM

Please download "Windows Repair - All in One" from here.  Please choose "Save file.." if you get options to open the file.   Once the download is complete, run the file and install the program on your system.  Please use the default settings for locations as it will help with log retrieval and fixing the registry should anything be needed.

Right click on the desktop shortcut for "Tweaking.com - Windows Repair" and select 'Run as administrator'.

The program will run a self check to make sure that all the correct files are in place for it to run and then it will load the program.  As you can see, there are many steps to take in using this program.  Mainly, the first few steps involve checking for proper Windows files and backing up the system as a precaution.



 
You can read the notes on the first screen but the important thing to do is click on "ReBoot to Safe Mode" and allow the system to restart itself.  Once the system is started in safe mode and you have logged in (using an administrative level account), restart the program and move onto the Step2 screen.
 


Please click on "Open Pre-Scan" to load a utility to verify some Windows resource / build files and settings.


 
Click on "Start Scan" and allow the routine to run.  You can see the status of the checks in the window.
 

 
When the routine is finished, it will report on any problems found and you can click on the appropriate repair button if needed.  Once this is done, you can close this window and click on Step3.
 

 
Click on the "Check" to see if a repair disk check routine needs to run.  A Command Prompt window will open and you can view the status of the routine.  If the routine finds that repairs need to be made, please select "Open Disk Check at Next Boot" and then click on the "Reboot To Safe Mode" button.  Once the routine(s) completes, please select Step4.
 

 
Please click on "Do It" to run a SFC /scannow routine.  If the routine makes any repairs, please reboot your system (again into Safe Mode).  If the routine does not make any repairs, please move onto Step5.
 

 
Once there, click on "Backup" under the 1. Registry Backup.  This will make a complete backup of the current registry which can be reloaded should anything go wrong with the repairs that are going to be made.  Next, click on the "Create" under 2. System Restore.  Once both of these backups are made, select Repairs.
 


I would suggest that you read the Tips For The Best Repairs Results.  Once this is done, click on "Open Repairs".



On this screen, click the following: Defaults.  The screen and options should look very much like the picture above.  Click "Start Repairs" and confirm that the program starts running the fixes.  This will take a while to run, so you can let it run unattended if you like.  Log files are being recorded as the repairs are being executed.  Once the repairs are finished, reboot your system (normal boot now) and tell me how it is running now.

Edited by dbrisendine, 26 April 2016 - 11:34 PM.



#11 coachoflife


Posted 27 April 2016 - 07:15 AM

Things are much better but still having problems sending and receiving e-mails.



#12 dbrisendine


Posted 27 April 2016 - 09:45 PM

Is this Google Email?

 

If so, have you run through the troubleshooter here?




#13 coachoflife


Posted 28 April 2016 - 12:43 AM

I have a previous account which is not Google and get some sent through there to my new account.  E-mails go missing for months and I cannot login to accounts of things I pay a subscription for and when trying to get an e-mail sent for lost password I get nothing at all.



#14 dbrisendine


Posted 28 April 2016 - 10:34 PM

You will most likely have to go to the previous account providers and work with them on the "pass-through / forwarding" issue.  The only other way to correct that is to go to each web site that still uses the previous email and update your account there via Customer Support (since the automated replying service will be using the old email).  Understand your problem and know that is a PITA; I also lost some log-in / account access due to changing emails once and not updating my information "in a timely manner".




#15 coachoflife


Posted 29 April 2016 - 01:03 AM

That seems to be everything.  Computer is so much better. Thank you very much for your time in helping me.

 

Kind Regards

 

John Barr





