dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on Nov 23, 2014 23:45:06 GMT -8
You may want to read carefully all of this message first before starting the steps.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Download the zip file that is attached to your desktop. Double click on the file to open it and then drag the Fixlist.txt file to your desktop. Confirm that you want to extract the file to the desktop and then close the Fixlist.zip folder once the copy is complete. Please make sure that the file name is Fixlist.txt and have it on the Desktop, so that Fixlist.txt is next to FRST64.exe. Usually we will attach the text file directly, but in your case there are some UNICODE characters in the text file that the forum does not like, so we will send the file to you this way.
DO NOT DRAG AND DROP to download the script, it won't work properly for FRST.
The script tells FRST what to do.
Start FRST that is on the desktop by right clicking on the file and selecting "Run as Administrator..."
When the tool opens, click Yes to the disclaimer (if it still does).
Press the Fix button just once and wait. The script will be processed and your system restarted to complete the removal / breakage of the malware.
The tool will make a log on the Desktop (Fixlog.txt); please post it in your reply (attach or paste).
Post by lawnguy on Nov 24, 2014 15:13:33 GMT -8
Post by dbrisen on Nov 24, 2014 15:32:32 GMT -8
How is your system running now?

FIRST
Download Junkware Removal Tool from here and run it on the desktop. Double click on the downloaded file on your desktop; it will open up a command window and run from there. When asked, press any key to let it run. This will create a log on the desktop; please attach or copy & paste the log in your next post (JRT.txt).

SECOND
Read carefully
Download Adwcleaner from here to your desktop and run a scan. You may have to right click adwcleaner.exe and choose "Run as Administrator" from the menu. (Click the Scan button to start the scanning.) It will create a log after it is finished scanning. If not (or if it just asks for you to uncheck what you don't want deleted), there is a Report button in the middle of the main window; click that and it will make the log file. Once the report file is made, you can leave AdwCleaner running (but don't delete anything yet) or you can close it down (we can always get a fresh scan done before the deletions).

ONE SCAN ONLY, PLEASE
Attach or paste the log back here for review and further instructions. Thanks.
Post by lawnguy on Nov 24, 2014 16:34:03 GMT -8
Running a bit faster but I'm still getting the pop up notifications of outbound blocks. Although this time it isn't the usual dllhost syswow64 but instead is outbound from C:Program Files/internet explorer/iexplore.
JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.9 (11.15.2014:2)
OS: Windows 7 Professional x64
Ran by Home on Mon 11/24/2014 at 19:20:51.45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~ Services
~~~ Registry Values
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL
~~~ Registry Keys
~~~ Files
~~~ Folders
~~~ Event Viewer Logs were cleared
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 11/24/2014 at 19:27:55.81
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post by lawnguy on Nov 24, 2014 16:40:29 GMT -8
adwcleaner log
# AdwCleaner v4.102 - Report created 24/11/2014 at 19:36:30
# Updated 23/11/2014 by Xplode
# Database : 2014-11-24.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Home - BATCH
# Running from : C:\Users\Home\Desktop\AdwCleaner.exe
# Option : Scan
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17420
-\\ Mozilla Firefox v32.0.2 (x86 en-US)
-\\ Google Chrome v39.0.2171.65
[C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
*************************
AdwCleaner[R0].txt - [1019 octets] - [24/11/2014 19:36:30]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1079 octets] ##########
Post by dbrisen on Nov 25, 2014 0:20:02 GMT -8
FIRST
Please run AdwCleaner again (if you don't have it running from the last scan) and
a) Click the Scan Button and wait for the scan to finish. (If Adwcleaner has been left open at the finish of the scan this is already done.)
b) Make sure in your case all the items under each TAB are ticked / checked then.
c) Click the Clean Button and Adwcleaner will process all the items ticked / checked and then may ask for the system to be restarted.
d) It should create a new log afterwards (with S0 in the name).
e) Please attach or copy the log into your reply here.

SECOND
Malwarebytes' Anti-Malware
Please start Malwarebytes Anti-Malware from either the Start Menu shortcut or your desktop Icon (if you have one). When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link. Once the program has loaded and updated, select "Scan Now >>" to start the scan. The scan may take some time to finish, so please be patient. If any malware is found, you will be presented with a screen like the one below. Please click on the Export Log button and select the As text file from the dropdown list. I would suggest you save the file on your desktop (as we need the report attached here for review and it is easy to find on the desktop). After you have saved the report file, return to the Potential Threats Detected page and click on Cancel. You can close MBAM after that. Please attach the report file to a post here; I will review the file and script what needs to be removed.
Post by lawnguy on Nov 25, 2014 6:17:28 GMT -8
Second AdwCleaner (SO) log
# AdwCleaner v4.102 - Report created 25/11/2014 at 09:12:56
# Updated 23/11/2014 by Xplode
# Database : 2014-11-25.1 [Live]
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Home - BATCH
# Running from : C:\Users\Home\Desktop\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
***** [ Scheduled Tasks ] *****
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17420
-\\ Mozilla Firefox v32.0.2 (x86 en-US)
-\\ Google Chrome v39.0.2171.65
[C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
*************************
AdwCleaner[R0].txt - [1159 octets] - [24/11/2014 19:36:30]
AdwCleaner[R1].txt - [1219 octets] - [25/11/2014 09:10:14]
AdwCleaner[S0].txt - [1146 octets] - [25/11/2014 09:12:56]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1206 octets] ##########
Post by lawnguy on Nov 25, 2014 6:32:49 GMT -8
The MBAM scan came up clean but I'm still seeing the pop ups showing blocked outbound malicious websites blocked. It says C Drive Program Files Internet Explorer/iexplore

MBAM Log
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/25/2014
Scan Time: 9:21:00 AM
Logfile: MBAM log.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.11.25.06
Rootkit Database: v2014.11.22.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Home

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 359318
Time Elapsed: 7 min, 22 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0 (No malicious items detected)
Modules: 0 (No malicious items detected)
Registry Keys: 0 (No malicious items detected)
Registry Values: 0 (No malicious items detected)
Registry Data: 0 (No malicious items detected)
Folders: 0 (No malicious items detected)
Files: 0 (No malicious items detected)
Physical Sectors: 0 (No malicious items detected)
(end)
Post by dbrisen on Nov 25, 2014 7:26:48 GMT -8
Is it always the same sites that are blocked or a set of rotating ones?
Post by lawnguy on Nov 25, 2014 17:17:06 GMT -8
Rotating ones