
Newbie here...RANSOMWARE


  • This topic is locked
21 replies to this topic

#1 Snowbird29

Snowbird29

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:10:10 PM

Posted 17 December 2017 - 10:50 AM

Hello Guys,

 

Read the requirements but have no idea on the name of the virus.  I have a pop-up come up requesting I call Microsoft (1-844-xxx-xxxx) and relating that someone had been detected trying to access my credit card, bank account, etc. Is that enough to start?  I would really appreciate your help here.  Thank you.




 


#2 satchfan

satchfan

  • Malware Response Team
  • 2,659 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:05:10 AM

Posted 17 December 2017 - 05:06 PM

Hello Snowbird29 and welcome to the Bleeping Computer forum.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please run these in the order given in the instructions.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Run RogueKiller

IMPORTANT: Please remove any usb or external drives from the computer before you run this scan!

Close all running programs.


Download RogueKiller to your desktop

  • close all running programs
  • for Windows Vista/Seven, right click -> run as administrator, for XP simply double-click on RogueKiller.exe
  • when the pre-scan is finished, click on Scan
  • click on Report and copy/paste the content in your next post
  • NOTE: DO NOT attempt to remove anything that the scan detects – everything that is reported is not necessarily bad

If the program is blocked, continue to try it several times. If it still doesn’t work, (it could happen), rename it to winlogon.exe.

Please post the contents of the RKreport.txt in your next reply.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

Logs to include with next post:

AdwCleaner log
RKreport.txt
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 Snowbird29


Posted 18 December 2017 - 10:53 PM

Hi Satchfan!

 

Thanks for your help.  I ran the programs as directed and have attached the files.  Let me know what I need to do next.

 

Thanks,

 

Steve

 

PS  Seems there were two adwcleaner logs so I have attached both.  Let me know if I messed something up. 

Attached Files



#4 satchfan


Posted 19 December 2017 - 08:32 AM

Uninstall programs

Please uninstall these programs:

MapsGalaxy Internet Explorer Toolbar
Java, (any version present)


===================================================

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/8/10: right-click the program and select Run as Administrator
  • after it has completed its prescan, click on Scan
  • when the scan is finished press the Delete button and post the log it produces.

Please then run it again and send the new log

===================================================

Run Malwarebytes Anti-Malware

Please download and run the installer for Malwarebytes 3.0.

  • follow the prompts to install the program, (Malwarebytes 3.0 will automatically upgrade Malwarebytes Anti-Malware 2.x to Malwarebytes 3.0)
  • at the end, be sure a checkmark is placed next to the following
    • Launch Malwarebytes Anti-Malware
    • a 14 day trial of the Premium features is pre-selected: deselect this if you don’t want it, (it won’t diminish the scanning and removal capabilities of the program).
  • click Finish.
  • on the Dashboard, click Update Now
  • after the update completes, click the Scan Now button.
  • if an update is available, clicking the Update Now button will update it
  • a Threat Scan will begin.
  • when the scan is complete, if malware has been detected, click Apply Actions to allow MBAM to clean what was found
  • when the prompt to restart the computer appears, click Yes.
  • after the restart once you are back at your desktop, open MBAM once more
  • click on the ‘History’ tab, then ‘Application Logs’
  • double-click on the scan log which shows the date and time of the scan just performed.
  • click Copy to Clipboard
  • please paste the contents of the clipboard into your reply.

Logs to include with the next post:

RogueKiller log
Mbam.txt


Thanks

Satchfan

 




#5 Snowbird29


Posted 19 December 2017 - 10:34 AM

Satchfan,

 

Thank you for your reply.  Quick question, how do I uninstall MapsGalaxy Internet Explorer Toolbar?  Could not find.  Again, I really appreciate your help.

 

Thanks,

 

Steve



#6 satchfan


Posted 19 December 2017 - 04:10 PM

Let’s try forcing the uninstall

Download Revo Uninstaller

  • double click the installation file on the desktop to run the installer
  • let it install to the default location
  • double click the new Revo Uninstaller Icon on the desktop to start the program.

You will now see a list of installed programs that Revo Uninstaller can remove.

  • find MapsGalaxy Internet Explorer Toolbar
  • right-click the icon then choose Uninstall
  • click Yes to the warning and choose the Uninstall Mode
  • choose the Advanced option and then click Next
  • this will launch the program's built-in uninstaller, (be patient, it can take several seconds)
  • once the uninstaller is done click Next
  • Revo Uninstaller will now scan for leftover information, (again, be patient as it can take several seconds)
  • once this scan is done click Next
  • you will then be presented with the leftover entries found by Revo Uninstaller
  • look at ALL of the entries to ensure they relate to the uninstall
  • next, click Select All > Delete to remove the entries
  • click Next
  • if there are any program file folders left over you will be presented with a list to be removed
  • again look at ALL of the entries to ensure they are related to the uninstall
  • click Select All > Delete to remove the entries
  • click Finish to go back to the uninstall list
  • when you have removed it, close the program.

Please then follow the other instructions that were in the previous post.

Satchfan

 




#7 Snowbird29


Posted 20 December 2017 - 10:35 AM

Hello!

 

Had an issue uninstalling Maps, when I selected it in Revo and it started uninstalling came back with error message (Run DLL): There was a problem starting C:\Program Files\MapsGalaxy_39\bar\ bin\39Bar.dll  The Program could not be found.  Please note the directory was empty according to Revo list.  Should I proceed?

 

Thanks,

 

Steve



#8 Snowbird29


Posted 20 December 2017 - 10:38 AM

Might have misunderstood.  After closing error message Revo had the advanced scan option to clean up and I am running now.



#9 satchfan


Posted 20 December 2017 - 10:42 AM

:thumbup2:




#10 Snowbird29


Posted 20 December 2017 - 10:45 AM

Finished with Maps and now using Revo to remove Java?



#11 Snowbird29


Posted 20 December 2017 - 10:46 AM

Finished with Maps and now using Revo to remove Java?



#12 satchfan


Posted 20 December 2017 - 10:53 AM

Yes, it's out-of-date and a security risk.




#13 Snowbird29


Posted 21 December 2017 - 10:08 AM

Hello,

 

I really appreciate your help.  I started with Rogue Killer, ran the scan and removed the ones selected...Rogue directed to reboot which I did, (hope that was OK).  Reran the scan and it did not return any items selected for removal.  I have attached both scan reports here.  

 

Then ran Malwarebytes, quarantined the results as indicated and the clipboard copy of report is below.

 

Again, thanks for your help and let me know what is next!

 

Thanks,

 

Steve

 

 

Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 12/21/17
Scan Time: 4:38 AM
Log File: 25dd02ae-e63b-11e7-8d47-00266c5f9ba8.json
Administrator: Yes
-Software Information-
Version: 3.3.1.2183
Components Version: 1.0.262
Update Package Version: 1.0.3535
License: Premium
-System Information-
OS: Windows 10 (Build 16299.125)
CPU: x64
File System: NTFS
User: System
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 368306
Threats Detected: 40
Threats Quarantined: 40
Time Elapsed: 3 hr, 19 min, 54 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Warn
PUM: Detect
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 20
PUP.Optional.MindSpark, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MapsGalaxy_39, Quarantined, [237], [240604],1.0.3535
PUP.Optional.MindSpark, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\APPDATALOW\SOFTWARE\MapsGalaxy_39, Quarantined, [237], [240486],1.0.3535
PUP.Optional.W3i, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8F112D1E-1074-4946-A079-1655ADB44266}, Quarantined, [1999], [362630],1.0.3535
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{B0441A0E-A49A-4E16-AFC1-74ECCED1921F}, Quarantined, [485], [245523],1.0.3535
PUP.Optional.ASK, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{b0441a0e-a49a-4e16-afc1-74ecced1921f}, Quarantined, [485], [245523],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MapsGalaxy_39, Quarantined, [237], [240751],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{1241cebd-9777-4bc6-aae5-2a77e25db246}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\CLASSES\INTERFACE\{6818868A-1B3D-4E35-A561-FA964A96CD3B}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{6818868a-1b3d-4e35-a561-fa964a96cd3b}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{79e57afa-bc05-4636-9457-fbc0abb3576b}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\CLASSES\INTERFACE\{9193E23B-4182-493F-A38E-682307A7C463}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{9193e23b-4182-493f-a38e-682307a7c463}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{ae0f4663-eae3-437f-be60-9ec9b745dbfa}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{bf75b5a2-8403-4f70-88a6-488e3bea0d7b}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{e1f80eb5-8af4-410d-87c1-4f3e2776822a}, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1E91A655-BB4B-4693-A05E-2EDEBC4C9D89}, Quarantined, [237], [168236],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{1E91A655-BB4B-4693-A05E-2EDEBC4C9D89}, Quarantined, [237], [168236],1.0.3535
PUP.Optional.MindSpark, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{1E91A655-BB4B-4693-A05E-2EDEBC4C9D89}, Quarantined, [237], [168236],1.0.3535
PUP.Optional.MindSpark, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{1E91A655-BB4B-4693-A05E-2EDEBC4C9D89}, Quarantined, [237], [168236],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{1e91a655-bb4b-4693-a05e-2edebc4c9d89}, Quarantined, [237], [168236],1.0.3535
Registry Value: 15
PUP.Optional.W3i, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{8F112D1E-1074-4946-A079-1655ADB44266}|URL, Quarantined, [1999], [362630],1.0.3535
PUP.Optional.ASK, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{b0441a0e-a49a-4e16-afc1-74ecced1921f}|DISPLAYNAME, Quarantined, [485], [245523],1.0.3535
PUP.Optional.ASK, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{b0441a0e-a49a-4e16-afc1-74ecced1921f}|URL, Quarantined, [485], [245522],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{1241cebd-9777-4bc6-aae5-2a77e25db246}|APPPATH, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{6818868a-1b3d-4e35-a561-fa964a96cd3b}|APPPATH, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{79e57afa-bc05-4636-9457-fbc0abb3576b}|APPPATH, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{9193e23b-4182-493f-a38e-682307a7c463}|APPPATH, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{ae0f4663-eae3-437f-be60-9ec9b745dbfa}|APPPATH, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{bf75b5a2-8403-4f70-88a6-488e3bea0d7b}|APPPATH, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{e1f80eb5-8af4-410d-87c1-4f3e2776822a}|APPPATH, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{b0441a0e-a49a-4e16-afc1-74ecced1921f}|URL, Quarantined, [485], [245524],1.0.3535
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{b0441a0e-a49a-4e16-afc1-74ecced1921f}|DISPLAYNAME, Quarantined, [485], [245525],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MAPSGALAXY EPM SUPPORT, Quarantined, [237], [235093],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MAPSGALAXY SEARCH SCOPE MONITOR, Quarantined, [237], [235099],1.0.3535
PUP.Optional.MindSpark, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS|{26842a09-ffa8-4e2c-ae12-0c80f01c3295}, Quarantined, [237], [168243],1.0.3535
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 3
PUP.Optional.SweetPacks, C:\Users\steve\AppData\LocalLow\SweetPacks_A11\Logs, Quarantined, [983], [179959],1.0.3535
PUP.Optional.SweetPacks, C:\USERS\STEVE\APPDATA\LOCALLOW\SweetPacks_A11, Quarantined, [983], [179959],1.0.3535
PUP.Optional.Conduit.Generic, C:\USERS\STEVE\APPDATA\LOCAL\CRE, Quarantined, [8091], [443286],1.0.3535
File: 2
PUP.Optional.Conduit.Generic, C:\USERS\STEVE\APPDATA\LOCAL\CRE\bpfboklmeiefoedekjeigdcnfbpjeaii.crx, Quarantined, [8091], [443286],1.0.3535
PUP.Optional.Conduit.Generic, C:\Users\steve\AppData\Local\CRE\opfedmikikmahmpaimpfelmikhaigobp.crx, Quarantined, [8091], [443286],1.0.3535
Physical Sector: 0
(No malicious items detected)

(end)

 

Attached Files
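
As an added illustration (not part of the thread and not Malwarebytes' own tooling), this Python sketch groups the detection lines of a log in the format posted above by what each location is used for, which separates autostart entries from browser search and add-on settings. The sample lines are copied from the log in post #13; the category labels and function names are this example's own.

```python
import re
from collections import Counter

# Lines copied from the "-Scan Details-" part of the log in post #13.
SAMPLE_LOG = r"""
Registry Key: 20
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MapsGalaxy_39, Quarantined, [237], [240751],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{1E91A655-BB4B-4693-A05E-2EDEBC4C9D89}, Quarantined, [237], [168236],1.0.3535
Registry Value: 15
PUP.Optional.ASK, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{b0441a0e-a49a-4e16-afc1-74ecced1921f}|URL, Quarantined, [485], [245524],1.0.3535
PUP.Optional.MindSpark.Generic, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{e1f80eb5-8af4-410d-87c1-4f3e2776822a}|APPPATH, Quarantined, [1394], [443670],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MAPSGALAXY EPM SUPPORT, Quarantined, [237], [235093],1.0.3535
PUP.Optional.MindSpark, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|MAPSGALAXY SEARCH SCOPE MONITOR, Quarantined, [237], [235099],1.0.3535
PUP.Optional.MindSpark, HKU\S-1-5-21-444194413-4088642089-2275186041-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\URLSEARCHHOOKS|{26842a09-ffa8-4e2c-ae12-0c80f01c3295}, Quarantined, [237], [168243],1.0.3535
File: 2
PUP.Optional.Conduit.Generic, C:\USERS\STEVE\APPDATA\LOCAL\CRE\bpfboklmeiefoedekjeigdcnfbpjeaii.crx, Quarantined, [8091], [443286],1.0.3535
Physical Sector: 0
(No malicious items detected)
"""

SECTION = re.compile(r"^([A-Za-z ]+): \d+$")          # e.g. "Registry Key: 20"
DETAIL = re.compile(
    r"^(?P<name>[^,]+), (?P<location>.+), (?P<action>[A-Za-z][A-Za-z -]*), "
    r"\[\d+\], \[\d+\],[\d.]+$"
)

# Purpose of each location, matched against the upper-cased key or path.
# The labels are this example's own wording, not Malwarebytes terminology.
RULES = [
    (re.compile(r"\\CURRENTVERSION\\RUN(ONCE)?$"), "autostart (Run key)"),
    (re.compile(r"\\BROWSER HELPER OBJECTS\\"), "IE Browser Helper Object"),
    (re.compile(r"\\URLSEARCHHOOKS$"), "IE URL search hook"),
    (re.compile(r"\\SEARCHSCOPES\\"), "IE search provider"),
    (re.compile(r"\\LOW RIGHTS\\ELEVATIONPOLICY\\"), "IE Protected Mode elevation policy"),
    (re.compile(r"\.CRX$"), "browser extension package (.crx)"),
]


def parse_details(log_text):
    """Return one dict per detection line, tagged with its section and category."""
    section, rows = None, []
    for line in log_text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            continue
        detail = DETAIL.match(line)
        if not detail:
            continue  # blank lines, "(No malicious items detected)", other headers
        # Registry value lines are written as "<key>|<value name>".
        key, _, value = detail.group("location").partition("|")
        category = next((label for rx, label in RULES if rx.search(key.upper())), "other")
        rows.append({"section": section, "detection": detail.group("name"),
                     "key": key, "value": value or None,
                     "action": detail.group("action"), "category": category})
    return rows


def summarize(rows):
    """Count detections per category."""
    return Counter(row["category"] for row in rows)


def not_quarantined(rows):
    """Detections the scanner reported but did not quarantine."""
    return [row for row in rows if row["action"] != "Quarantined"]


if __name__ == "__main__":
    parsed = parse_details(SAMPLE_LOG)
    for category, count in summarize(parsed).most_common():
        print(f"{count:2d}  {category}")
    for row in parsed:
        if row["category"].startswith("autostart"):
            print("autostart value:", row["value"])
```
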



#14 Snowbird29


Posted 21 December 2017 - 10:12 AM

Satchfan,

 

Seems I may have had a problem with my internet connection while running Malwarebytes, can you see whether it was updated by the report?

 

Thanks...



#15 satchfan


Posted 21 December 2017 - 11:19 AM

Malwarebytes updated fine.

Some entries were missed in the RogueKiller ‘fix’ so I’m afraid it will need to be done again.

Run RogueKiller

IMPORTANT: Do not reboot your computer if at all possible otherwise the malware will reactivate and you will have to run RogueKiller again

  • close all programs
  • double-click RogueKiller.exe - Windows 7/8/10 users right-click the program and select Run as Administrator
  • after it has completed its prescan, click on Scan
  • when the scan is finished make sure the following ‘Registry’ entries are checked:


    [PUP.Gen1] (X64) HKEY_CLASSES_ROOT\CLSID\{9517FB66-3DCF-44eb-8CE5-1A0F8A058D12} (C:\ProgramData\Partner\Partner64.dll) -> Found
    [PUP.Mindspark] (X86) HKEY_LOCAL_MACHINE\Software\MapsGalaxy_39 -> Found
    [PUP.Tific] (X86) HKEY_LOCAL_MACHINE\Software\Tific -> Found
    [PUP.Mindspark] (X64) HKEY_USERS\S-1-5-21-444194413-4088642089-2275186041-1000\Software\MapsGalaxy_39 -> Found
    [PUP.Tific] (X64) HKEY_USERS\S-1-5-21-444194413-4088642089-2275186041-1000\Software\Tific -> Found
    [PUP.Mindspark] (X86) HKEY_USERS\S-1-5-21-444194413-4088642089-2275186041-1000\Software\MapsGalaxy_39 -> Found
    [PUP.Tific] (X86) HKEY_USERS\S-1-5-21-444194413-4088642089-2275186041-1000\Software\Tific -> Found
    [PUP.Mindspark] (X64) HKEY_USERS\S-1-5-21-444194413-4088642089-2275186041-1000\Software\AppDataLow\Software\MapsGalaxy_39 -> Found
    [PUP.Mindspark] (X86) HKEY_USERS\S-1-5-21-444194413-4088642089-2275186041-1000\Software\AppDataLow\Software\MapsGalaxy_39 -> Found
    [PUP.Gen0] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} -> Found

  • then press the Delete button and post the log it produces.

Please then run it again and send the new log.

Satchfan

 






