Quads
Malware Removalists
In New Zealand
Posts: 9,387
Post by Quads on Jul 10, 2014 16:27:06 GMT -8
You still there??
Quads
Post by marcymuss on Jul 10, 2014 17:32:20 GMT -8
Completed per instructions. Thank you for your assistance and sorry for the delay. It's been a bit crazy around here.
Post by Quads on Jul 10, 2014 17:47:13 GMT -8
First time I have had to reverse a mistake from FRST's quarantine. The folder is back in the correct location and the permissions are correct.
Now to see that the app data for all the apps you have is back inside (it should have restored all the items from inside the folder as well as the folder).
You will probably have to split the fixlog again.
You may want to read all of this message carefully before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the script attached. It needs to have the same file name as well (fixlist.txt), and it must be on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link As.)
The script tells FRST what to do.
Start FRST that is on the desktop.
When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt); please post it in your reply (attach or paste).
Quads
Post by marcymuss on Jul 10, 2014 21:26:07 GMT -8
Post by Quads on Jul 10, 2014 21:53:31 GMT -8
All is back in the folder. You may find some settings have to be set again for the odd app here and there, like after you have just installed it. I am unsure why FRST did not take the .XBAD off the end of settings.dat.LOG2\settings.dat.LOG2.XBAD; there may be a reason, or a bug in FRST, so that it did not remove the extension it gave. Sorry for my mistake that had to be reversed.
Read carefully:
Download Adwcleaner (www.bleepingcomputer.com/download/adwcleaner/) on to your desktop (the blue Download Now @ Bleeping Computer button) and run a scan (Scan button). It will create a log after, or there is a Report button. ONE SCAN ONLY.
Attach or paste the log back here.
Quads
Post by marcymuss on Jul 10, 2014 22:25:02 GMT -8
Completed steps... report below. Thanks.
# AdwCleaner v3.215 - Report created 10/07/2014 at 23:21:23
# Updated 09/07/2014 by Xplode
# Operating System : Windows 8.1 (64 bits)
# Username : Marcy - MARCYS
# Running from : C:\Users\Marcy\AppData\Local\Microsoft\Windows\INetCache\IE\ZKGH5AG9\AdwCleaner.exe
# Option : Scan
Post by Quads on Jul 10, 2014 22:32:55 GMT -8
Hmmm, I wonder why users cannot follow the "On to the Desktop" instruction with tools.
Quads
Post by marcymuss on Jul 12, 2014 7:15:28 GMT -8
...asking the wrong person (!) Do you think it is something I did wrong? What's the next step? Everything is operating fine, but I'm afraid I have no idea what I'm looking at in those logs... Thank you.
Post by Quads on Jul 12, 2014 10:15:24 GMT -8
What did the instructions say?
"Read carefully
Download Adwcleaner www.bleepingcomputer.com/download/adwcleaner/ on to your desktop The Blue Download Now @bleeping Computer button and run a scan ( Scan Button). It will create a log after. Or there is a Report button, ONE SCAN ONLY
Attach or paste the log back here Quads"
Yet you have Adwcleaner running from "Running from : C:\Users\Marcy\AppData\Local\Microsoft\Windows\INetCache\IE\ZKGH5AG9\AdwCleaner.exe". How is that the Desktop??
Quads
Post by marcymuss on Jul 13, 2014 8:02:01 GMT -8
Duh. I can't believe I did that. Let me try all that again... sorry about that.