dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Nov 21, 2014 11:34:50 GMT -8
Looks like the Addition.txt was not loaded properly somehow. Can you repost it to wikisend and provide a new link for it?
I see the problem but I need the Addition.txt log to complete the script.
Post by bander on Nov 21, 2014 11:46:14 GMT -8
Post by dbrisen on Nov 21, 2014 12:21:04 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Download the script file that is attached by right-clicking on it and selecting "Save Target As..." or "Save Link As..." (depends on the browser you are using). Please make sure that the file type is set as Text File and the file's name is Fixlist.txt, and have it on the Desktop so that fixlist.txt is next to FRST64.exe.
DO NOT DRAG AND DROP to download the script, it won't work properly for FRST.
The script tells FRST what to do.
Start FRST that is on the desktop by right-clicking on the file and selecting "Run as Administrator...".
When the tool opens click Yes to disclaimer. (if it still does)
Press the Fix button just once and wait. The script will be processed and your system restarted to complete the removal / breakage of the malware.
The tool will make a log on the Desktop (Fixlog.txt) please post it to your reply (attach or paste)
Post by bander on Nov 21, 2014 15:59:14 GMT -8
Ok...it took a little over 2.5 hours to run thru and it completed successfully. I have attached the fixlog. System seems to be completely settled down now and I am ready for next steps.
Post by dbrisen on Nov 21, 2014 16:04:17 GMT -8
FIRST
Download Junkware Removal Tool from here and run it on the desktop. Double click on the downloaded file on your desktop; it will open up a command window and run from there. When asked, press any key to let it run. This will create a log on the desktop; please attach or copy & paste the log in your next post (JRT.txt).
SECOND
Read carefully
Download Adwcleaner from here to your desktop and run a scan. You may have to right click adwcleaner.exe and choose "Run as Administrator" from the menu. (Click the Scan button to start the scanning). It will create a log after it is finished scanning. If not (or if it just asks you to uncheck what you don't want deleted), there is a Report button in the middle of the main window; click that and it will make the log file. Once the report file is made, you can leave AdwCleaner running (but don't delete anything yet) or you can close it down (we can always get a fresh scan done before the deletions).
ONE SCAN ONLY, PLEASE
Attach or paste the log back here for review and further instructions. Thanks.
Post by bander on Nov 21, 2014 16:14:50 GMT -8
JRT successfully run.....moving onto Adwcleaner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 7 Home Premium x64
Ran by Steven on Fri 11/21/2014 at 18:08:59.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
~~~ Registry Keys
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
~~~ Files
Successfully deleted: [File] "C:\Windows\wininit.ini"
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 11/21/2014 at 18:12:05.10
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post by bander on Nov 21, 2014 16:18:51 GMT -8
Adwcleaner log
# AdwCleaner v4.101 - Report created 21/11/2014 at 18:16:32
# Updated 09/11/2014 by Xplode
# Database : 2014-11-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Steven - STEVEN-HP
# Running from : C:\Users\Steven\Desktop\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
File Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
File Found : C:\Users\Public\Desktop\eBay.lnk
Folder Found : C:\Users\Polly\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Folder Found : C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17420
-\\ Mozilla Firefox v30.0 (en-US)
-\\ Google Chrome v
[C:\Users\Polly\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Polly\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : mkfokfffehpeedafpekjeddnmnjhmcmk
*************************
AdwCleaner[R0].txt - [2750 octets] - [21/11/2014 18:16:32]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [2810 octets] ##########
Post by dbrisen on Nov 21, 2014 17:57:47 GMT -8
Please run AdwCleaner again (if you don't have it running from the last scan) and
a) Click the Scan Button and wait for the scan to finish, (If Adwcleaner has been left open at the finish of the scan this is already done).
b) Make sure in your case all the items under each TAB are ticked / checked EXCEPT for the following:
***** [ Files / Folders ] *****
Folder Found : C:\Users\Polly\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Folder Found : C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
***** [ Registry ] *****
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
***** [ Browsers ] *****
-\\ Google Chrome v
[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : mkfokfffehpeedafpekjeddnmnjhmcmk
c) Click the Clean Button and Adwcleaner will process all the items ticked / checked and then may ask for the system to be restarted.
d) It should create a new log afterwards (with S0 in the name).
e) Please attach or copy the log into your reply here.
Post by bander on Nov 21, 2014 18:08:34 GMT -8
This step Complete
# AdwCleaner v4.101 - Report created 21/11/2014 at 20:02:10
# Updated 09/11/2014 by Xplode
# Database : 2014-11-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Steven - STEVEN-HP
# Running from : C:\Users\Steven\Desktop\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
[x] Not Deleted : C:\Users\Polly\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[x] Not Deleted : C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
File Deleted : C:\Users\Public\Desktop\eBay.lnk
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\eBay.lnk
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
[x] Not Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
[x] Not Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{B7FCA997-D0FB-4FE0-8AFD-255E89CF9671}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{EC29EDF6-AD3C-4E1C-A087-D6CB81400C43}
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17420
-\\ Mozilla Firefox v30.0 (en-US)
-\\ Google Chrome v
[C:\Users\Polly\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Polly\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
*************************
AdwCleaner[R0].txt - [2918 octets] - [21/11/2014 18:16:32]
AdwCleaner[R1].txt - [2978 octets] - [21/11/2014 19:59:54]
AdwCleaner[S0].txt - [2787 octets] - [21/11/2014 20:02:10]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2847 octets] ##########
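The scan report ([R0], Option : Scan) and the clean report ([S0], Option : Clean) above are the two halves of one check: every item the scan found should show up in the clean report as either "Deleted" or, where the helper told the user to leave it unticked, "[x] Not Deleted". Anything found by the scan that the clean report does not mention at all is worth a fresh scan before the machine is called clean. The script below is an added example for doing that reconciliation, not code from the thread, from AdwCleaner or from its author; it only understands the v4 report layout shown in these two posts, and the regexes, the function names and the three outcome buckets are this example's own assumptions. The sample reports are trimmed excerpts of the two logs posted above.

```python
"""Reconcile an AdwCleaner v4 scan report ([R0]) with its clean report ([S0]).

Added example, not part of the forum thread or of AdwCleaner. Section headers,
"File/Folder/Key Found", "Deleted" and "[x] Not Deleted" are read as they
appear in the logs above; the regexes and outcome buckets are assumptions.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\*{5} \[ (?P<name>.+?) \] \*{5}$")
# "Key Found : ...", "File Deleted : ...", etc.
ITEM_RE = re.compile(
    r"^(?P<kind>File|Folder|Key|Value|Task|Shortcut)\s+"
    r"(?P<status>Found|Deleted)\s*:\s*(?P<item>.+)$"
)
# Items left unticked in the Clean pass are written without a kind word.
SKIPPED_RE = re.compile(r"^\[x\] (?P<status>Not Deleted)\s*:\s*(?P<item>.+)$")
# Browsers section: "[profile file] - Found [Search Provider] : url"
BROWSER_RE = re.compile(
    r"^\[(?P<profile>.+?)\] - (?P<status>Found|Deleted|Not Deleted) "
    r"\[(?P<kind>.+?)\] : (?P<item>.+)$"
)


def parse_report(text):
    """Return {section: {normalised_item: (status, kind, display_text)}}.

    Windows paths and registry keys are case-insensitive, and the thread's logs
    spell the same Chrome file "Web data" in the scan and "Web Data" in the
    clean report, so items are keyed case-folded.
    """
    sections = defaultdict(dict)
    section = "header"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = BROWSER_RE.match(line)
        if m:
            display = f"{m.group('profile')} :: {m.group('item').strip()}"
            kind = m.group("kind")
        else:
            m = ITEM_RE.match(line) or SKIPPED_RE.match(line)
            if not m:
                continue  # banner, blank, "-\\ Google Chrome v", EOF line, ...
            display = m.group("item").strip()
            kind = m.groupdict().get("kind")  # None for "[x] Not Deleted"
        sections[section][display.casefold()] = (m.group("status"), kind, display)
    return dict(sections)


def reconcile(scan_text, clean_text):
    """Bucket every scan finding by what the clean report says about it.

    deleted      - the clean pass reports it removed
    not_deleted  - it was unticked and the clean pass explicitly skipped it
    unaccounted  - the clean report does not mention it at all
    Each entry is (section, kind, display_text) as written in the scan log.
    """
    scan = parse_report(scan_text)
    clean = parse_report(clean_text)
    buckets = {"deleted": [], "not_deleted": [], "unaccounted": []}
    for section, items in scan.items():
        for key, (status, kind, display) in items.items():
            if status != "Found":
                continue
            outcome = clean.get(section, {}).get(key, (None,))[0]
            entry = (section, kind, display)
            if outcome == "Deleted":
                buckets["deleted"].append(entry)
            elif outcome == "Not Deleted":
                buckets["not_deleted"].append(entry)
            else:
                buckets["unaccounted"].append(entry)
    return buckets


# Trimmed excerpts of the two reports posted in the thread (constructed sample input).
SCAN_EXCERPT = r"""
# AdwCleaner v4.101 - Report created 21/11/2014 at 18:16:32
# Option : Scan

***** [ Files / Folders ] *****

File Found : C:\Users\Public\Desktop\eBay.lnk
Folder Found : C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk

***** [ Browsers ] *****

-\\ Google Chrome v

[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\preferences] - Found [Extension] : mkfokfffehpeedafpekjeddnmnjhmcmk
"""

CLEAN_EXCERPT = r"""
# AdwCleaner v4.101 - Report created 21/11/2014 at 20:02:10
# Option : Clean

***** [ Files / Folders ] *****

[x] Not Deleted : C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
File Deleted : C:\Users\Public\Desktop\eBay.lnk

***** [ Registry ] *****

[x] Not Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\mkfokfffehpeedafpekjeddnmnjhmcmk
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho

***** [ Browsers ] *****

[C:\Users\Steven\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
"""

if __name__ == "__main__":
    for bucket, entries in reconcile(SCAN_EXCERPT, CLEAN_EXCERPT).items():
        print(f"{bucket}: {len(entries)}")
        for section, kind, display in entries:
            print(f"  [{section}] {kind}: {display}")
```

On the excerpts this reports three deletions, the two unticked Chrome extension items as "not_deleted", and one unaccounted finding: the Extension entry read from the Chrome preferences file, which the scan listed but the clean report never mentions. Running it on the full [R0] and [S0] files instead of the excerpts shows the same pattern for the other profile.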
Post by dbrisen on Nov 21, 2014 19:19:52 GMT -8
Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from Here
Double click on the mbam-setup.exe file to install the application. Do not check the Trial of Professional version. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish. If an update is found, it will download and install the latest version. When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.
Once the program has loaded and updated, select "Scan Now >>" to start the scan. The scan may take some time to finish, so please be patient.
If any malware is found, you will be presented with a screen like the one below. Please click on the Export Log button and select As text file from the dropdown list. I would suggest you save the file on your desktop (as we need the report attached here for review and it is easy to find on the desktop). After you have saved the report file, return to the Potential Threats Detected page and click on Cancel. You can close MBAM after that.
Please attach the report file to a post here; I will review the file and script what needs to be removed.