Post by danshp1 on Nov 16, 2014 14:16:33 GMT -8
Here's the adwcleaner log:
# AdwCleaner v4.101 - Report created 16/11/2014 at 16:12:33
# Updated 09/11/2014 by Xplode
# Database : 2014-11-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Dan - DAN-HP
# Running from : C:\Users\Dan\Desktop\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Found : C:\Users\Dan\AppData\Local\CrashRpt
Folder Found : C:\Users\Dan\AppData\Local\Temp\apn
Folder Found : C:\Users\Dan\AppData\Local\Temp\Mega Browse
Folder Found : C:\Users\Dan\AppData\LocalLow\weDownload Manager Pro
Folder Found : C:\Users\Dan\AppData\Roaming\1H1Q
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\Bitberry
Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\WEDLMNGR
Key Found : [x64] HKCU\Software\Bitberry
Key Found : [x64] HKCU\Software\InstallCore
Key Found : [x64] HKCU\Software\WEDLMNGR
Key Found : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Found : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Found : HKLM\SOFTWARE\InstallIQ
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Found : HKLM\SOFTWARE\PIP
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17420
-\\ Google Chrome v38.0.2125.111
[C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
*************************
AdwCleaner[R0].txt - [3238 octets] - [16/11/2014 16:12:33]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [3298 octets] ##########
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Nov 16, 2014 20:00:37 GMT -8
FIRST
Please run AdwCleaner again (if you don't have it running from the last scan) and
a) Click the Scan button and wait for the scan to finish. (If AdwCleaner has been left open at the finish of the scan, this is already done.)
b) Make sure, in your case, all the items under each tab are ticked / checked, then
c) Click the Clean button and AdwCleaner will process all the items ticked / checked and then may ask for the system to be restarted.
d) It should create a new log afterwards (with S0 in the name).
e) Please attach or copy the log into your reply here.

NEXT
Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from Here.
Double click on the mbam-setup.exe file to install the application. Do not check the Trial of Professional version.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.
Once the program has loaded and updated, select "Scan Now >>" to start the scan.
The scan may take some time to finish, so please be patient.
If any malware is found, you will be presented with a screen like the one below.
Please click on the Export Log button and select As text file from the dropdown list. I would suggest you save the file on your desktop (as we need the report attached here for review and it is easy to find on the desktop).
After you have saved the report file, return to the Potential Threats Detected page and click on Cancel. You can close MBAM after that.
Please attach the report file to a post here; I will review the file and script what needs to be removed.
Post by danshp1 on Nov 17, 2014 6:18:49 GMT -8
Here's the AdwCleaner S0:
# AdwCleaner v4.101 - Report created 17/11/2014 at 08:08:57
# Updated 09/11/2014 by Xplode
# Database : 2014-11-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Dan - DAN-HP
# Running from : C:\Users\Dan\Desktop\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\Users\Dan\AppData\Local\CrashRpt
Folder Deleted : C:\Users\Dan\AppData\Local\Temp\apn
Folder Deleted : C:\Users\Dan\AppData\Local\Temp\Mega Browse
Folder Deleted : C:\Users\Dan\AppData\LocalLow\weDownload Manager Pro
Folder Deleted : C:\Users\Dan\AppData\Roaming\1H1Q
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : HKCU\Software\Bitberry
Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\WEDLMNGR
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\InstallIQ
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17420
-\\ Google Chrome v38.0.2125.111
[C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
*************************
AdwCleaner[R0].txt - [3410 octets] - [16/11/2014 16:12:33]
AdwCleaner[S0].txt - [3248 octets] - [17/11/2014 08:08:57]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3308 octets] ##########
Post by danshp1 on Nov 17, 2014 7:15:46 GMT -8
Here's the MBAM:
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/17/2014
Scan Time: 8:24:29 AM
Logfile: mbam report.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.17.03
Rootkit Database: v2014.11.12.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Dan

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 326214
Time Elapsed: 33 min, 0 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Quiknowledge.A, HKLM\SOFTWARE\WOW6432NODE\QUIKNOWLEDGE, , [ae29a795c3b9f64009675712dc27ca36],
PUP.Optional.weDownload.A, HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\weDownload Manager Pro, , [24b376c6631948ee62b399bda063df21],

Registry Values: 1
PUP.Optional.Quiknowledge.A, HKLM\SOFTWARE\WOW6432NODE\QUIKNOWLEDGE|ie-ver, 11.0.9600.16521, , [ae29a795c3b9f64009675712dc27ca36]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)
Post by dbrisen on Nov 17, 2014 9:28:43 GMT -8
Thank you for the logs.
This next step may take a while (just to warn you).

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway), so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier. You can leave Norton enabled even though ESET may warn about it; it just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same.

Please read carefully and slowly. Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions. Take note of the NO tick in the Remove found threats setting below, as it needs to have the tick removed.

Hold down the Control key and click on the following link to open ESET OnlineScan in a new window. Link =>> ESET OnlineScan <<
- Click the Run ESET Online Scanner located on the left side of the page (not the free trial).
- For browsers other than Internet Explorer only (Microsoft Internet Explorer users can skip this step): Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop. Double click on the icon on your desktop.
- Check (accept) the Terms of Use.
- Click the START button.
- Accept any security warnings from your browser.
- Now in the Computer scan settings window that appears, make sure that the option Enable detection of potentially unwanted applications is selected.
- Now click on Advanced Settings and configure the options as follows:
  Remove found threats is Not checked
  Scan archives is checked
  Scan for potentially unsafe applications is checked
  Enable Anti-Stealth Technology is checked
- Now click on: Start
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan is finished, if any threats are found you will see the screen below. Click to view the found threats. At the bottom of the listed threats, there is an option to save the results to a text file. Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out, so do not worry).
- Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.

Attach the saved log file in your next reply please. Thanks.
Post by danshp1 on Nov 18, 2014 14:58:35 GMT -8
C:\Program Files (x86)\Ad-Aware Antivirus\AdAwareSafeBrowsing.exe	a variant of Win32/Toolbar.Visicom.A potentially unwanted application
C:\Users\Dan\AppData\Local\Temp\9104\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NGZAZDW\ld2lxni6jd[1].htm	JS/Exploit.Agent.NHV trojan
C:\Users\Dan\AppData\Local\Temp\964c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NGZAZDW\installer_vlc_media_player_Spanish[1].exe	a variant of Win32/DownloadAdmin.H potentially unwanted application
C:\Users\Dan\AppData\Local\Temp\964c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NGZAZDW\installer_vlc_media_player_Spanish[2].exe	a variant of Win32/DownloadAdmin.H potentially unwanted application
C:\Users\Dan\AppData\Local\Temp\964c\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NGZAZDW\installer_vlc_media_player_Spanish[3].exe	a variant of Win32/DownloadAdmin.H potentially unwanted application
C:\Users\Dan\Documents\APNSetup.exe	Win32/Bundled.Toolbar.Ask.E potentially unsafe application
Post by dbrisen on Nov 18, 2014 17:59:12 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Download the script attached. It needs to have the same file name as well (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script; it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator...". When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait. The script will be processed and your system restarted to complete the removal / breakage of the malware.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply (attach or paste).
Post by danshp1 on Nov 19, 2014 5:01:13 GMT -8
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-11-2014
Ran by Dan at 2014-11-18 20:16:24 Run:2
Running from C:\Users\Dan\Desktop
Loaded Profile: Dan (Available profiles: Dan)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
Reg: reg delete HKLM\SOFTWARE\WOW6432NODE\QUIKNOWLEDGE /f
Reg: reg delete HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\weDownload Manager Pro /f
C:\Users\Dan\AppData\Local\Temp\9104\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NGZAZDW\ld2lxni6jd[1].htm
C:\Users\Dan\Documents\APNSetup.exe Win32/Bundled.Toolbar.Ask.E
EmptyTemp:
end
*****************
========= reg delete HKLM\SOFTWARE\WOW6432NODE\QUIKNOWLEDGE /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
========= reg delete HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\weDownload Manager Pro /f =========
ERROR: Invalid syntax. Type "REG DELETE /?" for usage.
========= End of Reg: =========
C:\Users\Dan\AppData\Local\Temp\9104\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7NGZAZDW\ld2lxni6jd[1].htm => Moved successfully.
"C:\Users\Dan\Documents\APNSetup.exe Win32/Bundled.Toolbar.Ask.E" => File/Directory not found.
Post by dbrisen on Nov 19, 2014 7:07:29 GMT -8
I'm sorry but I see I made some syntax errors in the last Fixlist. This should correct the problems. Sorry for the delay.
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Download the script attached. It needs to have the same file name as well (fixlist.txt). Have it on the Desktop, so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script; it won't work for FRST. (Right click on the attachment link (not the normal left click) and from the menu choose Save As or Save Link as.)
The script tells FRST what to do.
Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator...". When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait. The script will be processed and your system restarted to complete the removal / breakage of the malware.
The tool will make a log on the Desktop (Fixlog.txt). Please post it in your reply (attach or paste).
Post by danshp1 on Nov 19, 2014 19:57:28 GMT -8
Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-11-2014
Ran by Dan at 2014-11-19 21:50:53 Run:4
Running from C:\Users\Dan\Desktop
Loaded Profile: Dan (Available profiles: Dan)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
Reg: reg delete "HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\weDownload Manager Pro" /f
C:\Users\Dan\Documents\APNSetup.exe
EmptyTemp:
end
*****************
========= reg delete "HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\weDownload Manager Pro" /f =========
ERROR: The system was unable to find the specified registry key or value.
========= End of Reg: =========
C:\Users\Dan\Documents\APNSetup.exe => Moved successfully.
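The two FRST fix results above show the two ways a scripted `reg delete` can fail: the first run passed the path containing "weDownload Manager Pro" unquoted and reg.exe answered "Invalid syntax", and both runs reported "unable to find the specified registry key" for keys that MBAM had listed. The following PowerShell snippet is an added example for this thread, not part of the original posts or of FRST or MBAM: it takes the two key paths from the MBAM log, checks whether each key is actually present before anything is deleted, and emits a correctly quoted `reg delete` line only for the keys that exist. The function names and the script structure are this example's own.

```powershell
# Added example (not from the thread, FRST or MBAM): pre-check registry keys
# reported by a scanner and emit correctly quoted reg.exe delete commands.
# Only the two key paths below come from the MBAM log; everything else is
# this example's own assumption.

$SuspectKeys = @(
    'HKLM\SOFTWARE\WOW6432NODE\QUIKNOWLEDGE',
    'HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\weDownload Manager Pro'
)

function ConvertTo-PSRegistryPath {
    # reg.exe writes hives as HKLM\..., the PowerShell providers as HKLM:\...
    # HKU has no drive by default, so address it through Registry::HKEY_USERS.
    param([Parameter(Mandatory)][string]$RegExePath)
    switch -Regex ($RegExePath) {
        '^HKLM\\' { return ($RegExePath -replace '^HKLM\\', 'HKLM:\') }
        '^HKCU\\' { return ($RegExePath -replace '^HKCU\\', 'HKCU:\') }
        '^HKU\\'  { return ('Registry::HKEY_USERS\' + $RegExePath.Substring(4)) }
        default   { throw "Unsupported hive prefix in '$RegExePath'" }
    }
}

function New-RegDeleteCommand {
    # Always quote the key path. The unquoted path with spaces
    # ("weDownload Manager Pro") is exactly what made reg.exe report
    # "ERROR: Invalid syntax" in the first Fixlog above.
    param([Parameter(Mandatory)][string]$RegExePath)
    return ('reg delete "{0}" /f' -f $RegExePath)
}

function Test-SuspectKey {
    # Returns $true only when the key currently exists in the live registry,
    # so a fixlist built from this output will not hit "unable to find the
    # specified registry key".
    param([Parameter(Mandatory)][string]$RegExePath)
    $psPath = ConvertTo-PSRegistryPath -RegExePath $RegExePath
    return (Test-Path -LiteralPath $psPath)
}

foreach ($key in $SuspectKeys) {
    if (Test-SuspectKey -RegExePath $key) {
        Write-Output ('[present] {0}' -f $key)
        Write-Output ('    ' + (New-RegDeleteCommand -RegExePath $key))
    }
    else {
        Write-Output ('[absent]  {0}' -f $key)
    }
}
```

Run it from an elevated PowerShell prompt on the affected machine before writing the fixlist; a key that shows as absent has either already been removed by an earlier tool (AdwCleaner and MBAM both ran here first) or, for HKU paths, belongs to a user hive that is not loaded at that moment, and in either case it does not need a delete line.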