Solved: New: Ads Popping Up Virus
kevinf80 (Kevin), Malware Removal Specialist (authorized to help remove malware), 9,637 posts, Join Date: Mar 2006, Location: Sunderland UK
21-Feb-2014, 04:51 AM #16
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the Codebox below into it:

Code:
ClearJavaCache::
Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Next,

We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

Run Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and Win 7: right click on the IE shortcut and run as admin

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add-on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete
  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

close program

copy and paste the report in next reply

Next,

Download Security Check by screen317 from either of the following:
http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
Save it to your Desktop. (If your security alerts, either accept the alert or turn the security off while Security Check runs)
Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me see those logs, also give an update on any remaining issues or concerns..

Kevin
Zinyzo (Thread Starter), Member with 40 posts, Join Date: Mar 2010, Experience: Beginner
21-Feb-2014, 12:43 PM #17
ComboFix just ran CFScript:
ComboFix 14-02-20.01 - Ziny 02/21/2014 11:45:22.2.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3934.1240 [GMT -5:00]
Running from: c:\users\Ziny\Downloads\ComboFix.exe
Command switches used :: c:\users\Ziny\Downloads\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2014-01-21 to 2014-02-21 )))))))))))))))))))))))))))))))
.
.
2014-02-21 17:00 . 2014-02-21 17:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2014-02-21 16:30 . 2014-02-06 09:01 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D664027C-C7D0-4CB3-982E-E54156218817}\mpengine.dll
2014-02-21 03:47 . 2014-02-21 03:47 17858952 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2014-02-20 15:37 . 2014-02-20 22:19 -------- d-----w- C:\FRST
2014-02-20 03:08 . 2014-02-20 03:08 -------- d-----w- c:\windows\ERUNT
2014-02-20 02:11 . 2014-02-20 02:18 -------- d-----w- C:\AdwCleaner
2014-02-18 01:46 . 2010-04-06 08:34 345984 ----a-w- c:\windows\system32\drivers\netio.sys
2014-02-13 19:21 . 2013-12-05 04:48 1869824 ----a-w- c:\windows\system32\msxml3.dll
2014-02-13 19:21 . 2013-12-05 02:12 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-02-21 03:47 . 2012-04-13 19:18 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2014-02-21 03:47 . 2011-06-17 16:29 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2014-02-16 08:06 . 2006-11-02 12:35 88567024 ----a-w- c:\windows\system32\mrt.exe
2013-12-18 11:13 . 2010-08-22 15:14 270496 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMpTtray.exe"="c:\program files (x86)\Sony\VAIO Media plus\VMpTtray.exe" [2009-01-20 99624]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Driver Mender"="c:\program files (x86)\Driver Mender\Driver Mender\DriverMender.exe" [2012-08-28 3574712]
"iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-12-17 59872]
"ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-12-17 59872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2009-03-06 77824]
"RegistrationReminder"="c:\program files\Sony\First Experience\OOBEFcdRegistration.exe" [2009-04-14 2054448]
"VAIORegistration"="c:\program files\Sony\First Experience\WelcomeLauncher.exe" [2008-06-26 16384]
"VAIOSurvey"="c:\program files (x86)\Sony\VAIO Survey\VAIO Sat Survey.exe" [2008-07-25 385024]
"ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2008-12-18 317288]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-09-18 152392]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
c:\users\Ziny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - NisDrv
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2014-02-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 03:47]
.
2014-02-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-849648631-714065091-2884687382-1000Core.job
- c:\users\Ziny\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-19 07:02]
.
2014-02-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-849648631-714065091-2884687382-1000UA.job
- c:\users\Ziny\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-19 07:02]
.
2014-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-27 01:39]
.
2014-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-27 01:39]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-01-06 6956576]
"Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-01-06 1833504]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2009-04-13 187904]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-13 154648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-13 227352]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-13 202264]
"AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://espn.com/
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = <local>;*.local
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
Trusted Zone: cmg.com\*.pearson
Trusted Zone: myitlab.com
Trusted Zone: pearsoned.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Ziny\AppData\Roaming\Mozilla\Firefox\Profiles\k0p8okjv.default\
FF - prefs.js: browser.startup.homepage - www.espn.com
FF - prefs.js: keyword.URL - hxxp://www.basicserve.com/?prt=bscsrvgup3&sp=google&keywords=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-10 - (no file)
AddRemove-d3d35679-b737-410b-b7b7-f11c6d1a8fe8 - c:\program files (x86)\Re-markit\Uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SampleCollector]
"ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_70_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_70_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.12"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00, 59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00, \
.
Completion time: 2014-02-21 12:04:58
ComboFix-quarantined-files.txt 2014-02-21 17:04
ComboFix2.txt 2014-02-21 00:42
.
Pre-Run: 166,178,828,288 bytes free
Post-Run: 163,193,618,432 bytes free
.
- - End Of File - - 4AE6287D5376BC8E112FF9258117D6DD
5C616939100B85E558DA92B899A0FC36

Going to do the next scan next just to give you a heads up!
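The ComboFix log above is long, but the parts a reviewer reads first are the Run-key autoruns, the Firefox prefs and the orphan list. The script below is an added example (not ComboFix's code and not posted in the thread) that pulls those sections out of a log and lists what deserves a second look: autoruns that launch from outside Program Files or Windows, an explicit Firefox keyword.URL (which redirects address-bar searches, here to basicserve.com), the LoadAppInit_DLLs=1 setting, and leftover AddRemove entries. The line layouts are assumed from the log as pasted; SAMPLE_LOG is constructed from a few of its lines, and what the script reports is context to review, not a malware verdict.

```python
"""Pull the autorun-relevant sections out of a ComboFix log.

Added example, not ComboFix's own code. Line formats are assumed from the
log posted in the thread; SAMPLE_LOG below is constructed from that post.
"""
import re
from collections import namedtuple

RunEntry = namedtuple("RunEntry", "hive value path timestamp size")

# [HKEY_...\CurrentVersion\Run] style section header
KEY_LINE = re.compile(r"^\[(?P<key>HKEY_[^\]]+)\]$")
# "Name"="c:\path\to\file.exe" [2012-08-28 3574712]
RUN_LINE = re.compile(
    r'^"(?P<value>[^"]+)"="(?P<path>[^"]*)"\s+'
    r"\[(?P<ts>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$")
# FF - prefs.js: keyword.URL - hxxp://...
PREF_LINE = re.compile(r"^FF - prefs\.js: (?P<name>\S+) - (?P<val>.+)$")
# ComboFix defangs URLs as hxxp://; accept both spellings
URL_HOST = re.compile(r"^h(?:xx|tt)ps?://([^/\s]+)", re.I)

# Constructed from the log in the thread (a subset of its lines).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMpTtray.exe"="c:\program files (x86)\Sony\VAIO Media plus\VMpTtray.exe" [2009-01-20 99624]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"Driver Mender"="c:\program files (x86)\Driver Mender\Driver Mender\DriverMender.exe" [2012-08-28 3574712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
FF - prefs.js: browser.startup.homepage - www.espn.com
FF - prefs.js: keyword.URL - hxxp://www.basicserve.com/?prt=bscsrvgup3&sp=google&keywords=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-d3d35679-b737-410b-b7b7-f11c6d1a8fe8 - c:\program files (x86)\Re-markit\Uninstall.exe
"""


def parse_run_entries(log_text):
    """Return a RunEntry for every value listed under a ...\\CurrentVersion\\Run key."""
    entries, current_key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        if line == ".":            # ComboFix separates blocks with a lone dot
            current_key = None
            continue
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key and current_key.lower().endswith(r"\currentversion\run"):
            m = RUN_LINE.match(line)
            if m:
                entries.append(RunEntry(current_key, m.group("value"), m.group("path"),
                                        m.group("ts"), int(m.group("size"))))
    return entries


def parse_firefox_prefs(log_text):
    """Map pref name -> value for the 'FF - prefs.js:' lines."""
    return {m.group("name"): m.group("val")
            for m in (PREF_LINE.match(l.strip()) for l in log_text.splitlines()) if m}


def host_of(url):
    """Host part of a (possibly defanged) URL, or None."""
    m = URL_HOST.match(url)
    return m.group(1).lower() if m else None


def find_indicators(log_text):
    """Items a reviewer should look at; heuristics, not verdicts."""
    findings = []
    for e in parse_run_entries(log_text):
        if not e.path.lower().startswith((r"c:\program files", r"c:\windows")):
            findings.append(f"autorun outside Program Files/Windows: {e.value} -> {e.path}")
    prefs = parse_firefox_prefs(log_text)
    if "keyword.URL" in prefs:
        findings.append(f"Firefox keyword.URL sends address-bar searches to {host_of(prefs['keyword.URL'])}")
    if re.search(r'^"LoadAppInit_DLLs"=1\b', log_text, re.M):
        findings.append("LoadAppInit_DLLs=1: AppInit_DLLs loading is enabled, review the AppInit_DLLs value")
    for m in re.finditer(r"^AddRemove-(\S+) - (.+)$", log_text, re.M):
        findings.append(f"orphaned uninstall entry {m.group(1)} -> {m.group(2)}")
    return findings


if __name__ == "__main__":
    for e in parse_run_entries(SAMPLE_LOG):
        print(f"{e.value:22} {e.path}")
    for f in find_indicators(SAMPLE_LOG):
        print("REVIEW:", f)
```

Run it against a saved C:\ComboFix.txt by reading the file into a string in place of SAMPLE_LOG. On the sample, all five autoruns live under Program Files or Windows, so the three findings are the keyword.URL redirect, the AppInit setting and the Re-markit uninstall leftover, which matches what the helper went on to treat in this thread.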
Zinyzo (Thread Starter), Member with 40 posts, Join Date: Mar 2010, Experience: Beginner
21-Feb-2014, 03:38 PM #18
ESET Scan found 30 threats

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\Re-markit155.exe.vir a variant of Win32/AdWare.AD150.A application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\Re-markit_wd.exe.vir a variant of Win32/AdWare.AD150.A application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\ReMarkit_up.exe.vir a variant of Win32/AdWare.AddLyrics.AF application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\Uninstall.exe.vir Win32/AdWare.AddLyrics.AE application
C:\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.11_0\BabMaint.x.vir a variant of Win32/Toolbar.Babylon.I potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.11_0\BabylonChromeToolBar.dll.vir Win32/Toolbar.Babylon.Q potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.11_0\BUSolution.dll.vir a variant of Win32/Toolbar.Babylon.P potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.7_0\BabylonChromeToolBar.dll.vir a variant of Win32/Toolbar.Babylon.Q potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Roaming\Complitly\Complitly.dll.vir a variant of Win32/Complitly.A potentially unwanted application
C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan
C:\Users\Ziny\Downloads\Babylon9_setup.exe a variant of Win32/Toolbar.Babylon.C potentially unwanted application
C:\Users\Ziny\Downloads\DownloadManagerSetup.exe a variant of Win32/InstallCore.BF potentially unwanted application
C:\Users\Ziny\Downloads\mightymagoo-setup.exe Win32/DownloadAdmin.A.Gen potentially unwanted application
C:\Users\Ziny\Downloads\PageRageSetupv2.exe multiple threats
C:\Users\Ziny\Downloads\playpickle-setup.exe Win32/DownloadAdmin.A.Gen potentially unwanted application
C:\Users\Ziny\Downloads\rooftopconfessions-us-dtx.exe Win32/Toolbar.Zugo potentially unwanted application
C:\Users\Ziny\Downloads\Video2MP3_Free_Download_Manager.exe Win32/DownWare.S potentially unwanted application
C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo6060_en.exe Win32/TrojanDownloader.Whizelown.J trojan
C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo9095_en.exe Win32/TrojanDownloader.Whizelown.J trojan
C:\Users\Ziny\Downloads\YontooClientSetup(2).exe multiple threats
C:\Users\Ziny\Downloads\YontooClientSetup(3).exe multiple threats
C:\Users\Ziny\Downloads\YontooClientSetup(4).exe multiple threats
C:\Users\Ziny\Downloads\YontooClientSetup(5).exe multiple threats
C:\Users\Ziny\Downloads\YontooClientSetup.exe multiple threats
C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(2).exe multiple threats
C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(3).exe multiple threats
C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals.exe multiple threats

Symantec popped up with 2 more trojans but cleaned them.
kevinf80 (Kevin), Malware Removal Specialist (authorized to help remove malware), 9,637 posts, Join Date: Mar 2006, Location: Sunderland UK
21-Feb-2014, 04:44 PM #19
Did you run Security Check, can I see that log
Zinyzo (Thread Starter), Member with 40 posts, Join Date: Mar 2010, Experience: Beginner
21-Feb-2014, 04:47 PM #20
Ah dang totally forgot to, doing it now!!
Zinyzo (Thread Starter), Member with 40 posts, Join Date: Mar 2010, Experience: Beginner
21-Feb-2014, 04:52 PM #21
Results of screen317's Security Check version 0.99.79
Windows Vista Service Pack 2 x64 (UAC is enabled)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.75.0.1300
Java 7 Update 45
Java version out of Date!
Adobe Flash Player 12.0.0.70
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (27.0.1)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 1 %
````````````````````End of Log``````````````````````

Computer seems to be running faster than yesterday and no more pop ups. Are all those programs that were infected gone? The programs that the ESET scan found.
kevinf80 (Kevin), Malware Removal Specialist (authorized to help remove malware), 9,637 posts, Join Date: Mar 2006, Location: Sunderland UK
21-Feb-2014, 05:01 PM #22
Run the following:

Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

http://oldtimer.geekstogo.com/OTM.exe.
http://www.itxassociates.com/OT-Tools/OTM.com
http://www.itxassociates.com/OT-Tools/OTM.exe

Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware all processes will be stopped during the run, also the Desktop will disappear; this will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...
  • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Ensure to start with and include the colon before Files :Files

    Code:
    :Files
    C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\background.js
    C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\ContentScript.js
    C:\Users\Ziny\Downloads\Babylon9_setup.exe
    C:\Users\Ziny\Downloads\DownloadManagerSetup.exe
    C:\Users\Ziny\Downloads\mightymagoo-setup.exe
    C:\Users\Ziny\Downloads\PageRageSetupv2.exe
    C:\Users\Ziny\Downloads\playpickle-setup.exe
    C:\Users\Ziny\Downloads\rooftopconfessions-us-dtx.exe
    C:\Users\Ziny\Downloads\Video2MP3_Free_Download_Manager.exe
    C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo6060_en.exe
    C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo9095_en.exe
    C:\Users\Ziny\Downloads\YontooClientSetup(2).exe
    C:\Users\Ziny\Downloads\YontooClientSetup(3).exe
    C:\Users\Ziny\Downloads\YontooClientSetup(4).exe
    C:\Users\Ziny\Downloads\YontooClientSetup(5).exe
    C:\Users\Ziny\Downloads\YontooClientSetup.exe
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(2).exe
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(3).exe
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals.exe
    :Commands
    [EmptyTemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

If the machine reboots, the Results log can be found here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

Post that log, if no more issues we can clean up...
Zinyzo (Thread Starter), Member with 40 posts, Join Date: Mar 2010, Experience: Beginner
21-Feb-2014, 05:28 PM #23
All processes killed
========== FILES ==========
C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\background.js moved successfully.
C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\ContentScript.js moved successfully.
C:\Users\Ziny\Downloads\Babylon9_setup.exe moved successfully.
C:\Users\Ziny\Downloads\DownloadManagerSetup.exe moved successfully.
C:\Users\Ziny\Downloads\mightymagoo-setup.exe moved successfully.
C:\Users\Ziny\Downloads\PageRageSetupv2.exe moved successfully.
C:\Users\Ziny\Downloads\playpickle-setup.exe moved successfully.
C:\Users\Ziny\Downloads\rooftopconfessions-us-dtx.exe moved successfully.
C:\Users\Ziny\Downloads\Video2MP3_Free_Download_Manager.exe moved successfully.
C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo6060_en.exe moved successfully.
C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo9095_en.exe moved successfully.
C:\Users\Ziny\Downloads\YontooClientSetup(2).exe moved successfully.
C:\Users\Ziny\Downloads\YontooClientSetup(3).exe moved successfully.
C:\Users\Ziny\Downloads\YontooClientSetup(4).exe moved successfully.
C:\Users\Ziny\Downloads\YontooClientSetup(5).exe moved successfully.
C:\Users\Ziny\Downloads\YontooClientSetup.exe moved successfully.
C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(2).exe moved successfully.
C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(3).exe moved successfully.
C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: AppData
->Temp folder emptied: 0 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: Ziny
->Temp folder emptied: 517758 bytes
->Temporary Internet Files folder emptied: 5529051 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 90770896 bytes
->Google Chrome cache emptied: 113039159 bytes
->Flash cache emptied: 506 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7120 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2885445 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 35799114 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 237.00 mb


OTM by OldTimer - Version 3.1.21.0 log created on 02212014_171246

Files moved on Reboot...

Registry entries deleted on Reboot...

I rebooted already
kevinf80 (Kevin), Malware Removal Specialist (authorized to help remove malware), 9,637 posts, Join Date: Mar 2006, Location: Sunderland UK
21-Feb-2014, 05:51 PM #24
Ok do the following if there are no remaining issues or concerns..

Uninstall adwcleaner.exe (unless you want to keep it)
  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall
  • Click Yes at Would you like to Uninstall Adwcleaner

Next,

We need to remove FRST, first it is very important to deal with its own Quarantine folder by using FRST itself..

OK, we continue:

Delete any fixlist.txt file previously used, continue:

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful.

Next,

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

Next,

Remove Combofix now that we're done with it
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")

  • Please follow the prompts to uninstall Combofix.
  • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

Next,

Download "Delfix by Xplode" and save it to your desktop.

"Delfix link mirror"

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:
  • Remove disinfection tools

Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Let me know if those steps complete, also give an update on the status of your system...

Thanks,

Kevin
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
Zinyzo (Thread Starter), Member with 40 posts, Join Date: Mar 2010, Experience: Beginner
22-Feb-2014, 01:09 PM #25
Alright, I deleted those programs. Everything seems to be running fine! Thank you so much for the help!!!!!
kevinf80 (Kevin), Malware Removal Specialist (authorized to help remove malware), 9,637 posts, Join Date: Mar 2006, Location: Sunderland UK
22-Feb-2014, 04:37 PM #26
You're very welcome, if no remaining issues hit the "Mark Solved" tab at the top of the thread...

Read the following link to fully understand PC security and best practices, you may find it useful....

http://www.bleepingcomputer.com/foru.../#entry2316629

Take care,

Kevin