Post by lindseyrachelle620 on Jul 17, 2015 10:17:26 GMT -8
I read the full post on beginning instructions:
(I want to start by apologizing for the lengthy detail, but I really thought it might be relevant/useful info)
Ok, I am currently on one of my co-workers' computers. We have a very small office. So small we share a router/internet connection with another small office.
On Friday of last week, one of the computers (that acts as a server) in the other office came down with some form of ransomware. It had files encrypted, and demanded $$, but it only encrypted files associated with their office's database.
When I found out what they were suffering from I immediately shut down all the computers in my office. On ours that acts like a server, Norton popped up a security warning, high risk intrusion threat that morning.
Once they had wiped everything clean on their end (or so I was told), I began restarting my computers. I ran a full scan on Norton, followed by a malwarebytes.org scan.
They all came up clean (a few PUPs) except the computer that I am currently having issues with. This computer showed a medium risk Trojan threat on Norton.
wikisend.com/download/768152/FRST.txt
After we told Norton to fix the threat, etc. everything worked fine for the remainder of the day.
Today, this computer was not allowing access to theworknumber.com (which is supposedly a really secure site). I told her something may be wrong with Java (because I had read something about updates being wrong). So she went to verify her Java and had to remove version 7 and she downloaded version 8. The site still wasn't working, so she decided to check Flash, and found out that the Flash add-on was not running on her computer. She installed it.
About 10 minutes following this she began getting error messages. One System Care popped up, appearing to be some sort of security software stating that there are 1700+ threats, etc. Then a toolbar popped up at the top of her desktop (no name shown). Norton then popped up and asked if we wanted to run Power Eraser. Then Norton said action required, and showed 3 low risk threats: SAPE.downloader.38db and SAPE.Pricepeep.1 (2 of those). I opened Processes and did an End Process on One System Care. I attempted to open Internet Explorer to go to this site, and it began running really slow and then stopped working.
I RESTARTED IN SAFE MODE WITH NETWORKING TO RUN FRST / FRST 64
You guys helped me so much to save my computer when I was infected with cryptowall, thank you, please help again.
wikisend.com/download/772366/Addition.txt
wikisend.com/download/467554/FRST.txt
Krusty
Logging Assistant
In Oz
Posts: 2,330
Post by Krusty on Jul 19, 2015 17:14:34 GMT -8
Please wait patiently for the Malware Removalist to get to you.
Please avoid bumping your thread as this will push it further down the list.
Please avoid making any changes to this machine until after the Malware Removalist has finished with you.
Thanks.
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Jul 21, 2015 22:06:08 GMT -8
Sorry about the delay and I did reply to you at BleepingComputer. If you would rather get help there, I can release that topic and put it back in the open topic pool. FIRST >>>>Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed): Boost Coupon Printer for Windows CouponAlert One System Care Web Bar 2.0.5675.22923To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window. Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software. If the software balks at uninstalling, you can cancel the uninstall and move on. SECOND >>>>Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txtNOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work. NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating systemStart FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply. Also, how is your system running now?
Post by lindseyrachelle620 on Jul 22, 2015 7:38:31 GMT -8
Ok, So every one of the programs you listed were uninstalled, there was one more that I had concern with, since it was at the same time : WebCompanion by Lavasoft. Is that one OK?
I ran the fix list and everything with the computer in safe mode with networking, which I had it in when I ran FRST initially. (It wouldn't let me do much otherwise)
Now I have it started in regular mode, and I am on IE, so I guess it is definitely working better than it was =)
Should I re-do any scans for you, now that I am out of safe mode?
and here is my fixlog:
Fix result of Farbar Recovery Scan Tool (x64) Version:20-07-2015
Ran by Ashley at 2015-07-22 10:16:54 Run:1
Running from C:\Users\Ashley\Desktop
Loaded Profiles: Ashley (Available Profiles: Ashley)
Boot Mode: Safe Mode (with Networking)
==============================================
fixlist content:
*****************
Start
CreateRestorePoint:
CloseProcesses:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\...\Run: [Boost] => C:\Program Files (x86)\Boost\Boost.exe [445328 2015-06-17] (Boost Shopping)
C:\Program Files (x86)\Boost
HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\...\MountPoints2: F - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\...\MountPoints2: {3e74436b-fadf-11e3-b037-d4bed9b90511} - F:\VZW_Software_upgrade_assistant.exe
HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\...\MountPoints2: {8c1e1486-266e-11e5-b01a-d4bed9b90511} - F:\win\setup.exe -phs
Startup: C:\Users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk [2012-09-13]
ShortcutTarget: Facebook Messenger.lnk -> C:\Users\Ashley\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe (No File)
C:\Users\Ashley\AppData\Local\Facebook\Messenger\2.1.4814.0
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre6\bin\jp2ssv.dll No File
C:\Program Files\Java\jre6\bin\jp2ssv.dll
BHO-x32: Boost -> {2299856A-6506-42E3-A34F-CD35A47C1B19} -> C:\Program Files (x86)\Boost\Boost.dll [2015-06-17] (Boost)
C:\Program Files (x86)\Boost
BHO-x32: Norton Vulnerability Protection -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton 360 Premier Edition\Engine\21.7.0.11\IPS\IPSBHO.DLL No File
Toolbar: HKU\S-1-5-21-1936193561-4228598581-3577291573-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF NewTab: hxxp://www.bing.com/?pc=COSP&ptag=D071715-A880FF2AB0987464788F&form=CONMHP&conlogo=CT3332041
FF Plugin: @java.com/DTPlugin -> C:\Program Files\Java\jre6\bin\npDeployJava1.dll No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Extension: Boost - C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\qpmrnqu2.default\Extensions\boost@boost.net.xpi [2015-06-17]
C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\qpmrnqu2.default\Extensions\boost@boost.net.xpi
CHR Extension: (Angry Birds) - C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj [2012-08-08]
C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj
S2 CouponPrinterService; C:\Program Files (x86)\Coupons\CouponPrinterService.exe [176624 2014-02-13] (Coupons.com Inc.)
C:\Program Files (x86)\Coupons
S2 DYNbKI; C:\ProgramData\bgsLxaP\DYNbKI.exe [2732016 2015-07-17] (Rational Thought Solutions)
S2 wbsvc; C:\Program Files\WebBar\wbsvc.exe [37144 2015-07-16] (Web Bar Media)
C:\Program Files\WebBar
S4 LMIRfsClientNP; No ImagePath
Task: {52304EC5-A69F-409E-B688-E69B622E5B0D} - System32\Tasks\WebBarUpdateTask => C:\Program Files\WebBar\wbsvc.exe [2015-07-16] (Web Bar Media) <==== ATTENTION
C:\Program Files\WebBar
Task: {5AF26518-379C-4148-A739-4681842BCDBD} - System32\Tasks\WebBarLaunchTask => C:\Program Files\WebBar\wbsvc.exe [2015-07-16] (Web Bar Media) <==== ATTENTION
Task: {A26153D9-05E3-46A5-857E-125AC0037EC2} - System32\Tasks\One System CarePeriod => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe [2015-05-12] ()
C:\Program Files (x86)\OneSystemCare
Task: {AA75C21E-DECB-4125-A5E5-4F42B76A64F2} - System32\Tasks\Frodaomiwin => C:\ProgramData\Frodaomiwin\1.0.4.1\esosseri.exe
C:\ProgramData\Frodaomiwin
Task: {C958C628-C5C5-4F03-8D6D-C24CA8E5F4F8} - System32\Tasks\One System Care Monitor => C:\Program Files (x86)\OneSystemCare\CleanupConsole.exe [2015-05-12] ()
C:\Program Files (x86)\OneSystemCare
Task: {EFC480FC-C3C4-420E-996B-4055FA0E89E8} - System32\Tasks\One System Care Run Delay => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe [2015-05-12] ()
Task: {F5B4DE63-333F-463B-BFF8-57417DF1DADE} - System32\Tasks\One System CareStartUp => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe [2015-05-12] ()
Task: C:\Windows\Tasks\One System CarePeriod.job => 0x0106010059205664F01CAF4FA93226E21B30E5DA4600E40000000000A0050500200000000014730F000000000513040010200421000000000000000000000000000000000000370043003A005C00500072006F006700720061006D002000460069006C00650073002000280078003800360029005C004F006E006500530079007300740065006D0043006100720065005C004F006E006500530079007300740065006D0043006100720065002E00650078006500000006002D007300630061006E000000000007004100730068006C0065007900000000000000080003130400000000000100300000006C07010001000000000000000B000000B4000000000000000000000001000000010000000000000000000000
Task: C:\Windows\Tasks\One System CareStartUp.job => C:\Program Files (x86)\OneSystemCare\OneSystemCare.exe
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option => "OptionValue"="2"
2015-07-17 10:58 - 2015-07-17 10:58 - 00003448 _____ C:\Windows\System32\Tasks\Frodaomiwin
2015-07-17 10:58 - 2015-07-17 10:58 - 00000000 ____D C:\Users\Ashley\AppData\Roaming\One System Care
2015-07-17 10:58 - 2015-07-17 10:58 - 00000000 ____D C:\ProgramData\Frodaomiwin
2015-07-17 10:56 - 2015-07-17 10:56 - 00000000 ____D C:\Users\Ashley\AppData\Local\CouponAlert
2015-07-17 10:56 - 2015-07-17 10:56 - 00000000 ____D C:\CouponAlert
2015-07-17 10:54 - 2015-07-17 11:56 - 00000000 ____D C:\Users\Ashley\AppData\Local\WebBar
2015-07-17 10:54 - 2015-07-17 10:54 - 00003784 _____ C:\Windows\System32\Tasks\WebBarUpdateTask
2015-07-17 10:54 - 2015-07-17 10:54 - 00003260 _____ C:\Windows\System32\Tasks\WebBarLaunchTask
2015-07-17 10:54 - 2015-07-17 10:54 - 00000000 ____D C:\Users\Ashley\AppData\Local\Boost
2015-07-17 10:54 - 2015-07-17 10:54 - 00000000 ____D C:\Program Files (x86)\Boost
2015-07-17 10:53 - 2015-07-17 12:35 - 00000278 _____ C:\Windows\Tasks\One System CareStartUp.job
2015-07-17 10:53 - 2015-07-17 11:58 - 00000278 _____ C:\Windows\Tasks\One System CarePeriod.job
2015-07-17 10:53 - 2015-07-17 10:54 - 00000000 ____D C:\Program Files\WebBar
2015-07-17 10:53 - 2015-07-17 10:53 - 00003316 _____ C:\Windows\System32\Tasks\One System Care Run Delay
2015-07-17 10:53 - 2015-07-17 10:53 - 00003250 _____ C:\Windows\System32\Tasks\One System Care Monitor
2015-07-17 10:53 - 2015-07-17 10:53 - 00002856 _____ C:\Windows\System32\Tasks\One System CarePeriod
2015-07-17 10:53 - 2015-07-17 10:53 - 00002554 _____ C:\Windows\System32\Tasks\One System CareStartUp
2015-07-17 10:53 - 2015-07-17 10:53 - 00001073 _____ C:\Users\Public\Desktop\Launch One System Care.lnk
2015-07-17 10:53 - 2015-07-17 10:53 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneSystemCare
2015-07-17 10:53 - 2015-07-17 10:53 - 00000000 ____D C:\ProgramData\InstallSightSDK
2015-07-17 10:53 - 2015-07-17 10:53 - 00000000 ____D C:\ProgramData\CouponAlert
2015-07-17 10:53 - 2015-07-17 10:53 - 00000000 ____D C:\ProgramData\bgsLxaP
2015-07-17 10:53 - 2015-07-17 10:53 - 00000000 ____D C:\Program Files (x86)\OneSystemCare
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end
*****************
Error: Restore point can only be created in normal mode.
Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\Software\Microsoft\Windows\CurrentVersion\Run\\Boost => value not found.
"C:\Program Files (x86)\Boost" => File/Folder not found.
"HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F" => key removed successfully
"HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3e74436b-fadf-11e3-b037-d4bed9b90511}" => key removed successfully
HKCR\CLSID\{3e74436b-fadf-11e3-b037-d4bed9b90511} => key not found.
"HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8c1e1486-266e-11e5-b01a-d4bed9b90511}" => key removed successfully
HKCR\CLSID\{8c1e1486-266e-11e5-b01a-d4bed9b90511} => key not found.
C:\Users\Ashley\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Facebook Messenger.lnk => moved successfully.
C:\Users\Ashley\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe not found.
"C:\Users\Ashley\AppData\Local\Facebook\Messenger\2.1.4814.0" => File/Folder not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"HKCR\CLSID\{DBC80044-A445-435b-BC74-9C25C1C588A9}" => key removed successfully
"C:\Program Files\Java\jre6\bin\jp2ssv.dll" => File/Folder not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2299856A-6506-42E3-A34F-CD35A47C1B19} => key not found.
HKCR\Wow6432Node\CLSID\{2299856A-6506-42E3-A34F-CD35A47C1B19} => key not found.
"C:\Program Files (x86)\Boost" => File/Folder not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
"HKCR\Wow6432Node\CLSID\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}" => key removed successfully
HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value removed successfully
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => key not found.
Firefox newtab removed successfully
"HKLM\Software\MozillaPlugins\@java.com/DTPlugin" => key removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\qpmrnqu2.default\Extensions\boost@boost.net.xpi not found.
"C:\Users\Ashley\AppData\Roaming\Mozilla\Firefox\Profiles\qpmrnqu2.default\Extensions\boost@boost.net.xpi" => File/Folder not found.
C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj => moved successfully.
"C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj" => File/Folder not found.
CouponPrinterService => Service not found.
C:\Program Files (x86)\Coupons => moved successfully.
DYNbKI => Service not found.
wbsvc => Service not found.
"C:\Program Files\WebBar" => File/Folder not found.
LMIRfsClientNP => Service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{52304EC5-A69F-409E-B688-E69B622E5B0D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{52304EC5-A69F-409E-B688-E69B622E5B0D}" => key removed successfully
C:\Windows\System32\Tasks\WebBarUpdateTask => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WebBarUpdateTask" => key removed successfully
"C:\Program Files\WebBar" => File/Folder not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{5AF26518-379C-4148-A739-4681842BCDBD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5AF26518-379C-4148-A739-4681842BCDBD}" => key removed successfully
C:\Windows\System32\Tasks\WebBarLaunchTask => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WebBarLaunchTask" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A26153D9-05E3-46A5-857E-125AC0037EC2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A26153D9-05E3-46A5-857E-125AC0037EC2}" => key removed successfully
C:\Windows\System32\Tasks\One System CarePeriod => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System CarePeriod" => key removed successfully
"C:\Program Files (x86)\OneSystemCare" => File/Folder not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{AA75C21E-DECB-4125-A5E5-4F42B76A64F2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AA75C21E-DECB-4125-A5E5-4F42B76A64F2}" => key removed successfully
C:\Windows\System32\Tasks\Frodaomiwin => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Frodaomiwin" => key removed successfully
C:\ProgramData\Frodaomiwin => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C958C628-C5C5-4F03-8D6D-C24CA8E5F4F8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C958C628-C5C5-4F03-8D6D-C24CA8E5F4F8}" => key removed successfully
C:\Windows\System32\Tasks\One System Care Monitor => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Monitor" => key removed successfully
"C:\Program Files (x86)\OneSystemCare" => File/Folder not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EFC480FC-C3C4-420E-996B-4055FA0E89E8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EFC480FC-C3C4-420E-996B-4055FA0E89E8}" => key removed successfully
C:\Windows\System32\Tasks\One System Care Run Delay => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System Care Run Delay" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{F5B4DE63-333F-463B-BFF8-57417DF1DADE}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F5B4DE63-333F-463B-BFF8-57417DF1DADE}" => key removed successfully
C:\Windows\System32\Tasks\One System CareStartUp => moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\One System CareStartUp" => key removed successfully
C:\Windows\Tasks\One System CarePeriod.job => moved successfully.
C:\Windows\Tasks\One System CareStartUp.job => moved successfully.
"C:\Windows\System32\Tasks\Frodaomiwin" => File/Folder not found.
C:\Users\Ashley\AppData\Roaming\One System Care => moved successfully.
"C:\ProgramData\Frodaomiwin" => File/Folder not found.
"C:\Users\Ashley\AppData\Local\CouponAlert" => File/Folder not found.
C:\CouponAlert => moved successfully.
"C:\Users\Ashley\AppData\Local\WebBar" => File/Folder not found.
"C:\Windows\System32\Tasks\WebBarUpdateTask" => File/Folder not found.
"C:\Windows\System32\Tasks\WebBarLaunchTask" => File/Folder not found.
"C:\Users\Ashley\AppData\Local\Boost" => File/Folder not found.
"C:\Program Files (x86)\Boost" => File/Folder not found.
"C:\Windows\Tasks\One System CareStartUp.job" => File/Folder not found.
"C:\Windows\Tasks\One System CarePeriod.job" => File/Folder not found.
"C:\Program Files\WebBar" => File/Folder not found.
"C:\Windows\System32\Tasks\One System Care Run Delay" => File/Folder not found.
"C:\Windows\System32\Tasks\One System Care Monitor" => File/Folder not found.
"C:\Windows\System32\Tasks\One System CarePeriod" => File/Folder not found.
"C:\Windows\System32\Tasks\One System CareStartUp" => File/Folder not found.
"C:\Users\Public\Desktop\Launch One System Care.lnk" => File/Folder not found.
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OneSystemCare" => File/Folder not found.
"C:\ProgramData\InstallSightSDK" => File/Folder not found.
"C:\ProgramData\CouponAlert" => File/Folder not found.
"C:\ProgramData\bgsLxaP" => File/Folder not found.
"C:\Program Files (x86)\OneSystemCare" => File/Folder not found.
========= ipconfig /flushdns =========
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
========= End of CMD: =========
========= netsh advfirewall reset =========
Ok.
========= End of CMD: =========
========= netsh advfirewall set allprofiles state on =========
Ok.
========= End of CMD: =========
========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========
The operation completed successfully.
========= End of Reg: =========
========= bitsadmin /reset /allusers =========
BITSADMIN version 3.0 [ 7.5.7601 ] BITS administration utility. (C) Copyright 2000-2006 Microsoft Corp.
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
Unable to connect to BITS - 0x8007042c The dependency service or group failed to start.
========= End of CMD: =========
========= RemoveProxy: =========
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully HKU\S-1-5-21-1936193561-4228598581-3577291573-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
========= End of RemoveProxy: =========
EmptyTemp: => 479.8 MB temporary data Removed.
The system needed a reboot..
==== End of Fixlog 10:18:04 ====
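The fixlist and Fixlog above walk through the classic PUP persistence set: Run keys, MountPoints2 autorun commands, Browser Helper Objects, services, scheduled tasks and proxy settings. The two errors in that log (the restore point, and BITS reporting 0x8007042c) are both side effects of running the fix in Safe Mode, where System Restore and BITS are not started. The script below is an added example for this page, not part of the thread and not FRST or Norton code: it enumerates those same autostart locations on a Windows 7 box so the output can be compared against the Fixlog entries. It is written for PowerShell 2.0 (Get-WmiObject and schtasks.exe instead of newer cmdlets) and must run elevated. The "suspicious" heuristic (binary launched from a user-writable tree) and the path fragments it matches are this example's own assumptions.

```powershell
# Added example, not from the thread: triage the autostart locations FRST cleaned above.
# Run from an elevated PowerShell prompt on Windows 7 or later.
# ASSUMPTION: a command is "suspicious" when its binary lives under a user-writable
# tree (ProgramData, AppData, Public, Temp), which is where every PUP entry above lived.

$userWritable = @('\ProgramData\', '\AppData\', '\Users\Public\', '\Temp\')

function Test-UserWritablePath {
    param([string]$Command)
    if (-not $Command) { return $false }
    foreach ($fragment in $userWritable) {
        if ($Command -like "*$fragment*") { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.ArrayList

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    [void]$findings.Add((New-Object PSObject -Property @{
        Suspicious = (Test-UserWritablePath $Command)
        Source     = $Source
        Name       = $Name
        Command    = $Command
    }))
}

# 1. Run/RunOnce values: native and WOW6432Node views for the machine, plus the current user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata such as PSPath
        Add-Finding 'Run key' "$key\$($prop.Name)" ([string]$prop.Value)
    }
}

# 2. MountPoints2 autorun commands (where the F:\...\setup.exe entries in the fixlist came from)
$mp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    foreach ($volume in Get-ChildItem $mp -ErrorAction SilentlyContinue) {
        $cmdKey = "$mp\$($volume.PSChildName)\Shell\AutoRun\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            Add-Finding 'MountPoints2' $volume.PSChildName ([string]$cmd)
        }
    }
}

# 3. Browser Helper Objects: each CLSID resolves to the DLL Internet Explorer will load
$bhoViews = @{
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' = 'Registry::HKEY_CLASSES_ROOT\CLSID'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
}
foreach ($bhoKey in $bhoViews.Keys) {
    if (-not (Test-Path $bhoKey)) { continue }
    foreach ($entry in Get-ChildItem $bhoKey -ErrorAction SilentlyContinue) {
        $server = "$($bhoViews[$bhoKey])\$($entry.PSChildName)\InprocServer32"
        $dll = '<CLSID not registered>'
        if (Test-Path $server) { $dll = (Get-ItemProperty -Path $server).'(default)' }
        Add-Finding 'BHO' $entry.PSChildName ([string]$dll)
    }
}

# 4. Services: Win32_Service exposes the image path, which Get-Service does not
foreach ($svc in Get-WmiObject -Class Win32_Service) {
    Add-Finding "Service/$($svc.StartMode)" $svc.Name ([string]$svc.PathName)
}

# 5. Scheduled tasks via schtasks.exe; its verbose CSV repeats the header per folder, hence the filter
$tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
foreach ($task in $tasks) {
    if ($task.TaskName -eq 'TaskName') { continue }
    Add-Finding 'Task' $task.TaskName ([string]$task.'Task To Run')
}

# 6. Proxy settings, which the RemoveProxy: directive in the fixlist reset
$inet = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
Add-Finding 'Proxy' 'ProxyEnable'   ([string]$inet.ProxyEnable)
Add-Finding 'Proxy' 'ProxyServer'   ([string]$inet.ProxyServer)
Add-Finding 'Proxy' 'AutoConfigURL' ([string]$inet.AutoConfigURL)

# Flagged entries first; cross-check anything flagged against the "No File" and publisher fields FRST prints
$findings | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Source, Name, Command -AutoSize -Wrap
```

Read the flagged rows alongside the FRST lines they correspond to: a service or task whose image sits in C:\ProgramData\<random>\ with a publisher you do not recognise (the DYNbKI and Frodaomiwin entries above) is what the removalist targeted, while a Run key pointing into C:\Program Files\ with a known vendor is usually just noise. The heuristic is deliberately coarse; it narrows the list, it does not replace the judgement the thread shows.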
Post by lindseyrachelle620 on Jul 22, 2015 12:15:28 GMT -8
OK, now I think I should definitely run things while not in safe mode w/ networking. As of right now, I am able to access the internet, but this just popped up:
... what now?
Also, I haven't touched the Norton screen, because I wanted to wait for your instruction to move forward.
Thank you so much for your time.
Post by lindseyrachelle620 on Jul 22, 2015 12:22:50 GMT -8
I just realized that it only makes sense that now that I can operate my system out of safe mode, I need to run FRST again, so that you can see what is going on while in normal operation. Here are the logs: FRST.txt Addition.txt
Whew, ok - thank you! (I also looked at the uninstall program list, and none of the programs that you previously listed were on it. But now there is a Google Toolbar showing up, as of today? And a Dell SupportAssist agent?)
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Jul 22, 2015 21:14:06 GMT -8
As long as you are able to run in Normal Boot mode and I do not have you disable Norton to run other scanners, then when Norton finds any malware, go ahead and let it fix the issues (and of course, inform me other the new found issues). I will go over your logs shortly but in the meantime please run the following and post the results here. Junkware Removal ToolPlease download JRT from here to your desktop. Note: Temporarily disable/shut down your protection software now to avoid potential conflicts, how to do so can be read here.Double click the JRT.exe file to run the application. The application will open an Command Prompt window and run from there (this is normal for this program, so not to be alarmed). When it is asked, press any key to allow the program to continue / run. This will create a log on the desktop; please copy and paste the JRT.txt log text in your next post. Note: After the log file is created, please enable your protection software / reboot your system and verify your protection software is enabled.
Post by lindseyrachelle620 on Jul 24, 2015 6:44:13 GMT -8
Ok, I let Norton 360 - fix what it found. Disabled it and ran the JRT. Here's the LOG:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.5.1 (07.16.2015:1)
OS: Windows 7 Professional x64
Ran by Ashley on Fri 07/24/2015 at 9:32:58.47
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Tasks
Successfully deleted: [Task] C:\Windows\system32\tasks\PCDEventLauncherTask
Successfully deleted: [Task] C:\Windows\system32\tasks\PCDoctorBackgroundMonitorTask
~~~ Registry Values
~~~ Registry Keys
~~~ Files
Successfully deleted: [File] C:\Windows\SysWOW64\sho1698.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho1725.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho1B4F.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho1EF3.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho2114.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho2F5D.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho2FF5.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho30F1.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho353F.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4368.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4532.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4597.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho47AA.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4A9.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4ADC.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4B9B.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4D2B.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4EE4.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho4F64.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho5506.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho5E41.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho606B.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho62E9.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho6B5F.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho6CB7.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho6EC5.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho7105.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho774.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho778E.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho7A9A.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho8429.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho852C.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho8A24.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho8B2E.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho8B42.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho9264.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho97FD.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho9CC5.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho9F63.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\sho9F8.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoA035.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoA110.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoA165.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoA341.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoA96.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoB878.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoB92B.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoBADE.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoBFBB.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoC284.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoC359.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoC5BF.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoC912.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoCF1A.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoDCC.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoE39A.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoECF4.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoED1B.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoFC5B.tmp
Successfully deleted: [File] C:\Windows\SysWOW64\shoFFB1.tmp
~~~ Folders
Failed to delete: [Folder] C:\Program Files (x86)\lavasoft\web companion
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{06E24B89-FF8F-4BF8-ACFB-8400BBEB2D33}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{1BA749E9-7FA0-4AF6-B75B-2D86F136A47F}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{1E64A26C-5E57-41E2-A56B-94F528319460}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{2D29F5AE-0EDE-4F4B-864A-D1476C585829}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{4C50371F-1BEF-4991-A2EB-1B26F2254806}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{5116350F-3666-46D9-AC4A-CA76CC885830}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{599AFDD2-3AF1-4CD5-9F70-2BB38B4BC676}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{5E09DE40-775B-42B5-A2C6-FA03BB87C3D6}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{60ED54D0-6D87-4397-8E89-36B1328979AA}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{62AAF9BF-203D-4AEB-A95D-FC9B02C5909B}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{893F8F26-FC94-4938-B2CA-FA38C350331F}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{A03A992D-8A6A-49A0-87DD-21E6CD7CF669}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{B721EBF3-37F1-4B5C-BD86-57A80F51506E}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{BE2059D0-9FC3-4E02-A3DB-17A7FBABC745}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{C2F1AA92-0E63-467D-A44A-A518AC9DB253}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{C931B09D-B2E3-412D-8295-2048F871ACFD}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{D239D83D-FC3A-4418-89B4-5D80BCDF32D8}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{ECF64BBA-6EB2-4E4E-BA84-7B7F0FD36679}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{F291E896-B18B-4487-A00B-3DCB9393666C}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{F49CBBBE-C53A-4BE4-9CF4-71A24D994739}
Successfully deleted: [Empty Folder] C:\Users\Ashley\Appdata\Local\{FF91322D-8D26-47CD-A240-9198A19CEA12}
Successfully deleted: [Folder] C:\Program Files (x86)\newsoft
Successfully deleted: [Folder] C:\ProgramData\google
Successfully deleted: [Folder] C:\ProgramData\lavasoft\web companion
Successfully deleted: [Folder] C:\Users\Ashley\AppData\Roaming\lavasoft\web companion
~~~ FireFox
Emptied folder: C:\Users\Ashley\AppData\Roaming\mozilla\firefox\profiles\qpmrnqu2.default\minidumps [1 files]
~~~ Chrome
Dumping contents of C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Default
C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Default\aagfgggfdjdjgbggdeggdgdidedjggdb
C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Default\aagfgggfdjdjgbggdeggdgdidedjggdb\background.html
C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Default\aagfgggfdjdjgbggdeggdgdidedjggdb\ContentScript.js
C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Default\aagfgggfdjdjgbggdeggdgdidedjggdb\manifest.json
Successfully deleted: [Folder] C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Default [Default Extension 1.0]
[C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
[C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
[C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
[C:\Users\Ashley\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 07/24/2015 at 9:39:57.05
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post by dbrisen on Jul 24, 2015 7:53:23 GMT -8
AdwCleaner by Xplode
Download AdwCleaner from here or from here. Save the file to the desktop.
NOTE: If you are using IE 8 or above you may get a warning that stops the program from downloading. Just click on the warning and allow the download to complete.
Close all open windows and browsers.
Right click the AdwCleaner icon on the desktop, click Run as administrator and accept the UAC prompt to run AdwCleaner. You will see the following console:
Click the Scan button and wait for the scan to finish.
After the Scan has finished the window may or may not show what it found and above, in the progress bar, you will see: Waiting for action. Please uncheck elements you don't want to remove.
Click the Clean button. Everything checked will be deleted.
When the program has finished cleaning a report appears. Once done it will ask to reboot; allow this.
On reboot a log will be produced; please copy / paste that in your next reply. This report is also saved to C:\AdwCleaner\AdwCleaner[S0].txt
Optional: NOTE: If you see AVG Secure Search being targeted for deletion, Here's Why and Here. You can always Reinstall it.
Post by lindseyrachelle620 on Jul 24, 2015 13:28:09 GMT -8
Done. Thank you!
# AdwCleaner v4.208 - Logfile created 24/07/2015 at 16:19:56
# Updated 09/07/2015 by Xplode
# Database : 2015-07-15.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Ashley - ASHLEY-PC
# Running from : C:\Users\Ashley\Desktop\AdwCleaner.exe
# Option : Cleaning
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{88C20E16-1EB7-40CE-820C-6CFCB41B1D2F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{41634761-D0BA-4C1A-9AC2-04AEE9511370}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{49606DC7-976D-4030-A74E-9FB5C842FA68}
Key Deleted : HKCU\Software\Boost
Key Deleted : HKLM\SOFTWARE\Boost
Key Deleted : [x64] HKLM\SOFTWARE\WebBar
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\petango.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.petango.com
***** [ Web browsers ] *****
-\\ Internet Explorer v11.0.9600.17909
-\\ Mozilla Firefox v39.0 (x86 en-US)
-\\ Google Chrome v
[C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchterms}&l=dis&o=ushpl
[C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?query={searchTerms}
[C:\Users\Ashley\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
*************************
AdwCleaner[R0].txt - [2269 bytes] - [24/07/2015 16:18:11]
AdwCleaner[S0].txt - [2167 bytes] - [24/07/2015 16:19:56]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2226 bytes] ##########
-- Also, this is my work computer, so I will not be back till Monday (just in case you need to help someone more urgent in the meantime).
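As an added post-cleanup check (not part of this thread, and not AdwCleaner's own code), the PowerShell snippet below lists the Internet Explorer SearchScopes entries under HKCU and HKLM, the keys the AdwCleaner log above shows being deleted, and flags any scope whose URL host is not on an allowlist; the two allowlisted hosts are an assumption to adjust to the engines actually used.

```powershell
# Added post-cleanup check, not part of the thread or of AdwCleaner.
# Lists every Internet Explorer search scope under HKCU and HKLM (the keys the
# AdwCleaner log shows being deleted) and flags any whose URL host is not on a
# small allowlist. The allowlist is an assumption; set it to the engines in use.
$allowedHosts = @('www.bing.com', 'www.google.com')

$roots = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # DefaultScope holds the GUID of the scope IE uses for address-bar searches
    $default = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).DefaultScope
    Write-Host "== $root (DefaultScope = $default)"

    foreach ($scope in Get-ChildItem -Path $root) {
        $props  = Get-ItemProperty -Path $scope.PSPath
        $url    = $props.URL
        $name   = $props.DisplayName
        $status = 'ok'
        if (-not $url) {
            $status = 'no URL'
        } else {
            try {
                $uriHost = ([System.Uri]$url).Host
                if ($allowedHosts -notcontains $uriHost) { $status = 'REVIEW' }
            } catch {
                # A URL that does not even parse deserves a look too
                $status = 'REVIEW'
            }
        }
        # Mark the scope currently set as default with an asterisk
        $mark = if ($scope.PSChildName -eq $default) { '*' } else { ' ' }
        Write-Host ("{0} {1,-7} {2,-40} {3}  {4}" -f $mark, $status, $scope.PSChildName, $name, $url)
    }
}
```

Run it from an elevated PowerShell after the reboot AdwCleaner asks for; a scope marked REVIEW whose URL points back at a search engine nobody installed is the sign that a hijacker is still present or has been re-created.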