
New: Ads Popping Up Virus

Discussion in 'Virus & Other Malware Removal' started by Zinyzo, Feb 18, 2014.

Thread Status:
Not open for further replies.
  1. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,146
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the Codebox below into it:

    Code:
    ClearJavaCache::
    
    Save this as CFScript.txt, and as Type: All Files (*.*) in the same location as ComboFix.exe


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

    Next,

    We need to run an online AV scan to ensure there are no remnants of any infection left on your system that may have been missed. This scan is very thorough and well worth running, it can take several hours please be patient and let it complete:

    Run Eset Online Scanner

    **Note** You will need to use Internet Explorer for this scan. Vista and Windows 7: right-click on the IE shortcut and run as admin.

    Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

    • Turn off the real time scanner of any existing antivirus program while performing the online scan
    • click on the Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
      Click Start
    • When asked, allow the add-on to be installed
      Click Start
    • Make sure that the option Remove found threats is unticked
    • Click on Advanced Settings, ensure the options
    • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
      Click Scan
    • wait for the virus definitions to be downloaded
    • Wait for the scan to finish

    When the scan is complete

    • If no threats were found
    • put a checkmark in "Uninstall application on close"
    • close program
    • report to me that nothing was found

    If threats were found

    • click on "list of threats found"
    • click on "export to text file" and save it as ESET SCAN and save to the desktop
    • Click on back
    • put a checkmark in "Uninstall application on close"
    • click on finish

    close program

    copy and paste the report in next reply

    Next,

    Download Security Check by screen317 from either of the following:
    http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe
    Save it to your Desktop. (If your security software alerts, either accept the alert or turn the security off while Security Check runs.)
    Double click SecurityCheck.exe (Vista or Windows 7 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
    A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    Let me see those logs, also give an update on any remaining issues or concerns..

    Kevin
     
  2. Zinyzo

    Zinyzo Thread Starter

    Joined:
    Mar 3, 2010
    Messages:
    40
    ComboFix just ran CFScript:
    ComboFix 14-02-20.01 - Ziny 02/21/2014 11:45:22.2.2 - x64
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3934.1240 [GMT -5:00]
    Running from: c:\users\Ziny\Downloads\ComboFix.exe
    Command switches used :: c:\users\Ziny\Downloads\CFScript.txt
    SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2014-01-21 to 2014-02-21 )))))))))))))))))))))))))))))))
    .
    .
    2014-02-21 17:00 . 2014-02-21 17:00 -------- d-----w- c:\users\Default\AppData\Local\temp
    2014-02-21 16:30 . 2014-02-06 09:01 10536864 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{D664027C-C7D0-4CB3-982E-E54156218817}\mpengine.dll
    2014-02-21 03:47 . 2014-02-21 03:47 17858952 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
    2014-02-20 15:37 . 2014-02-20 22:19 -------- d-----w- C:\FRST
    2014-02-20 03:08 . 2014-02-20 03:08 -------- d-----w- c:\windows\ERUNT
    2014-02-20 02:11 . 2014-02-20 02:18 -------- d-----w- C:\AdwCleaner
    2014-02-18 01:46 . 2010-04-06 08:34 345984 ----a-w- c:\windows\system32\drivers\netio.sys
    2014-02-13 19:21 . 2013-12-05 04:48 1869824 ----a-w- c:\windows\system32\msxml3.dll
    2014-02-13 19:21 . 2013-12-05 02:12 1248768 ----a-w- c:\windows\SysWow64\msxml3.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2014-02-21 03:47 . 2012-04-13 19:18 692616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
    2014-02-21 03:47 . 2011-06-17 16:29 71048 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
    2014-02-16 08:06 . 2006-11-02 12:35 88567024 ----a-w- c:\windows\system32\mrt.exe
    2013-12-18 11:13 . 2010-08-22 15:14 270496 ------w- c:\windows\system32\MpSigStub.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VMpTtray.exe"="c:\program files (x86)\Sony\VAIO Media plus\VMpTtray.exe" [2009-01-20 99624]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
    "Driver Mender"="c:\program files (x86)\Driver Mender\Driver Mender\DriverMender.exe" [2012-08-28 3574712]
    "iCloudServices"="c:\program files (x86)\Common Files\Apple\Internet Services\iCloudServices.exe" [2012-12-17 59872]
    "ApplePhotoStreams"="c:\program files (x86)\Common Files\Apple\Internet Services\ApplePhotoStreams.exe" [2012-12-17 59872]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
    "SmartWiHelper"="c:\program files\Sony Corporation\SmartWi Connection Utility\SmartWiHelper.exe" [2009-03-06 77824]
    "RegistrationReminder"="c:\program files\Sony\First Experience\OOBEFcdRegistration.exe" [2009-04-14 2054448]
    "VAIORegistration"="c:\program files\Sony\First Experience\WelcomeLauncher.exe" [2008-06-26 16384]
    "VAIOSurvey"="c:\program files (x86)\Sony\VAIO Survey\VAIO Sat Survey.exe" [2008-07-25 385024]
    "ISBMgr.exe"="c:\program files (x86)\Sony\ISB Utility\ISBMgr.exe" [2008-12-18 317288]
    "ccApp"="c:\program files (x86)\Common Files\Symantec Shared\ccApp.exe" [2008-02-01 115560]
    "APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-09-13 59720]
    "Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
    "Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
    "QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2013-05-01 421888]
    "iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2013-09-18 152392]
    "SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
    .
    c:\users\Ziny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files (x86)\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
    "LoadAppInit_DLLs"=1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - NisDrv
    .
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    Themes
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2014-02-21 c:\windows\Tasks\Adobe Flash Player Updater.job
    - c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-13 03:47]
    .
    2014-02-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-849648631-714065091-2884687382-1000Core.job
    - c:\users\Ziny\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-19 07:02]
    .
    2014-02-21 c:\windows\Tasks\FacebookUpdateTaskUserS-1-5-21-849648631-714065091-2884687382-1000UA.job
    - c:\users\Ziny\AppData\Local\Facebook\Update\FacebookUpdate.exe [2011-08-19 07:02]
    .
    2014-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-27 01:39]
    .
    2014-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files (x86)\Google\Update\GoogleUpdate.exe [2010-07-27 01:39]
    .
    .
    --------- X64 Entries -----------
    .
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-01-06 6956576]
    "Skytel"="c:\program files\Realtek\Audio\HDA\Skytel.exe" [2009-01-06 1833504]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2009-04-13 187904]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-13 154648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-13 227352]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-13 202264]
    "AdobeAAMUpdater-1.0"="c:\program files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
    .
    ------- Supplementary Scan -------
    .
    uLocal Page = c:\windows\system32\blank.htm
    uStart Page = hxxp://espn.com/
    mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
    mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=SNNT&bmod=SNNT
    mLocal Page = c:\windows\SysWOW64\blank.htm
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office12\EXCEL.EXE/3000
    Trusted Zone: cmg.com\*.pearson
    Trusted Zone: myitlab.com
    Trusted Zone: pearsoned.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Ziny\AppData\Roaming\Mozilla\Firefox\Profiles\k0p8okjv.default\
    FF - prefs.js: browser.startup.homepage - www.espn.com
    FF - prefs.js: keyword.URL - hxxp://www.basicserve.com/?prt=bscsrvgup3&sp=google&keywords=
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    Toolbar-10 - (no file)
    AddRemove-d3d35679-b737-410b-b7b7-f11c6d1a8fe8 - c:\program files (x86)\Re-markit\Uninstall.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\SampleCollector]
    "ImagePath"="\"c:\program files\Sony\VAIO Care\collsvc.exe\" \"/service\" \"/counter=\Processor(_Total)\% Processor Time:5\" \"/counter=\PhysicalDisk(_Total)\Disk Bytes/sec:5\" \"/counter=\Network Interface(*)\Bytes Total/sec:5\" \"/directory=inteldata\""
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_70_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_12_0_0_70_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe,-101"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
    "Enabled"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_12_0_0_70_ActiveX.exe"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Shockwave Flash Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
    @="0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
    @="ShockwaveFlash.ShockwaveFlash.12"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="ShockwaveFlash.ShockwaveFlash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    @="Macromedia Flash Factory Object"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx"
    "ThreadingModel"="Apartment"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
    @="FlashFactory.FlashFactory.1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
    @="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_12_0_0_70.ocx, 1"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
    @="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
    @="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
    @="FlashFactory.FlashFactory"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker5"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
    @Denied: (A 2) (Everyone)
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
    @="Shockwave Flash"
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
    @Denied: (A 2) (Everyone)
    @=""
    .
    [HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
    @="FlashBroker"
    .
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
    00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
    .
    Completion time: 2014-02-21 12:04:58
    ComboFix-quarantined-files.txt 2014-02-21 17:04
    ComboFix2.txt 2014-02-21 00:42
    .
    Pre-Run: 166,178,828,288 bytes free
    Post-Run: 163,193,618,432 bytes free
    .
    - - End Of File - - 4AE6287D5376BC8E112FF9258117D6DD
    5C616939100B85E558DA92B899A0FC36

    Going to do the next scan, just to give you a heads up!
     
  3. Zinyzo

    Zinyzo Thread Starter

    Joined:
    Mar 3, 2010
    Messages:
    40
    ESET Scan found 30 threats

    C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\Re-markit155.exe.vir a variant of Win32/AdWare.AD150.A application
    C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\Re-markit_wd.exe.vir a variant of Win32/AdWare.AD150.A application
    C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\ReMarkit_up.exe.vir a variant of Win32/AdWare.AddLyrics.AF application
    C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\Uninstall.exe.vir Win32/AdWare.AddLyrics.AE application
    C:\AdwCleaner\Quarantine\C\ProgramData\Tarma Installer\{DE3B7BF9-0770-4104-BC0B-B1CCCCE2F053}\_Setupx.dll.vir a variant of Win32/Adware.Yontoo.B application
    C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.11_0\BabMaint.x.vir a variant of Win32/Toolbar.Babylon.I potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.11_0\BabylonChromeToolBar.dll.vir Win32/Toolbar.Babylon.Q potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.11_0\BUSolution.dll.vir a variant of Win32/Toolbar.Babylon.P potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Extensions\dhkplhfnhceodhffomolpfigojocbpcb\1.7_0\BabylonChromeToolBar.dll.vir a variant of Win32/Toolbar.Babylon.Q potentially unwanted application
    C:\AdwCleaner\Quarantine\C\Users\Ziny\AppData\Roaming\Complitly\Complitly.dll.vir a variant of Win32/Complitly.A potentially unwanted application
    C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\background.js Win32/TrojanDownloader.Tracur.V trojan
    C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\ContentScript.js Win32/TrojanDownloader.Tracur.AD trojan
    C:\Users\Ziny\Downloads\Babylon9_setup.exe a variant of Win32/Toolbar.Babylon.C potentially unwanted application
    C:\Users\Ziny\Downloads\DownloadManagerSetup.exe a variant of Win32/InstallCore.BF potentially unwanted application
    C:\Users\Ziny\Downloads\mightymagoo-setup.exe Win32/DownloadAdmin.A.Gen potentially unwanted application
    C:\Users\Ziny\Downloads\PageRageSetupv2.exe multiple threats
    C:\Users\Ziny\Downloads\playpickle-setup.exe Win32/DownloadAdmin.A.Gen potentially unwanted application
    C:\Users\Ziny\Downloads\rooftopconfessions-us-dtx.exe Win32/Toolbar.Zugo potentially unwanted application
    C:\Users\Ziny\Downloads\Video2MP3_Free_Download_Manager.exe Win32/DownWare.S potentially unwanted application
    C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo6060_en.exe Win32/TrojanDownloader.Whizelown.J trojan
    C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo9095_en.exe Win32/TrojanDownloader.Whizelown.J trojan
    C:\Users\Ziny\Downloads\YontooClientSetup(2).exe multiple threats
    C:\Users\Ziny\Downloads\YontooClientSetup(3).exe multiple threats
    C:\Users\Ziny\Downloads\YontooClientSetup(4).exe multiple threats
    C:\Users\Ziny\Downloads\YontooClientSetup(5).exe multiple threats
    C:\Users\Ziny\Downloads\YontooClientSetup.exe multiple threats
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(2).exe multiple threats
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(3).exe multiple threats
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals.exe multiple threats

    Symantec popped up with 2 more trojans but cleaned them.
     
  4. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,146
    Did you run Security Check, can I see that log
     
  5. Zinyzo

    Zinyzo Thread Starter

    Joined:
    Mar 3, 2010
    Messages:
    40
    Ah dang, totally forgot to; doing it now!!
     
  6. Zinyzo

    Zinyzo Thread Starter

    Joined:
    Mar 3, 2010
    Messages:
    40
    Results of screen317's Security Check version 0.99.79
    Windows Vista Service Pack 2 x64 (UAC is enabled)
    Internet Explorer 9
    Internet Explorer 8
    ``````````````Antivirus/Firewall Check:``````````````
    Windows Firewall Enabled!
    WMI entry may not exist for antivirus; attempting automatic update.
    `````````Anti-malware/Other Utilities Check:`````````
    Malwarebytes Anti-Malware version 1.75.0.1300
    Java 7 Update 45
    Java version out of Date!
    Adobe Flash Player 12.0.0.70
    Adobe Reader 9 Adobe Reader out of Date!
    Mozilla Firefox (27.0.1)
    ````````Process Check: objlist.exe by Laurent````````
    Norton ccSvcHst.exe
    `````````````````System Health check`````````````````
    Total Fragmentation on Drive C: 1 %
    ````````````````````End of Log``````````````````````

    Computer seems to be running faster than yesterday and no more pop-ups. Are all those programs that were infected gone? The programs that the ESET scan found?
     
  7. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,146
    Run the following:

    Download OTM from either of the following links and save to your Desktop: (If your security alerts to OTM, either accept the alert or turn off security to allow OTM to run)

    http://oldtimer.geekstogo.com/OTM.exe.
    http://www.itxassociates.com/OT-Tools/OTM.com
    http://www.itxassociates.com/OT-Tools/OTM.exe

    Double click OTM.exe to start the tool. Vista or Windows 7 users accept the UAC alert. Be aware that all processes will be stopped during the run and the Desktop will disappear; it will be put back on completion.... If your security alerts to OTM, either accept the alert or turn off security until OTM completes...
    • Copy the text from the code box below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Make sure to start with and include the colon before Files: :Files

      Code:
      :Files
      C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\background.js
      C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\ContentScript.js
      C:\Users\Ziny\Downloads\Babylon9_setup.exe
      C:\Users\Ziny\Downloads\DownloadManagerSetup.exe
      C:\Users\Ziny\Downloads\mightymagoo-setup.exe
      C:\Users\Ziny\Downloads\PageRageSetupv2.exe
      C:\Users\Ziny\Downloads\playpickle-setup.exe
      C:\Users\Ziny\Downloads\rooftopconfessions-us-dtx.exe
      C:\Users\Ziny\Downloads\Video2MP3_Free_Download_Manager.exe
      C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo6060_en.exe 
      C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo9095_en.exe 
      C:\Users\Ziny\Downloads\YontooClientSetup(2).exe
      C:\Users\Ziny\Downloads\YontooClientSetup(3).exe 
      C:\Users\Ziny\Downloads\YontooClientSetup(4).exe
      C:\Users\Ziny\Downloads\YontooClientSetup(5).exe
      C:\Users\Ziny\Downloads\YontooClientSetup.exe
      C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(2).exe
      C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(3).exe
      C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals.exe
      :Commands
      [EmptyTemp]
      
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red MoveIt! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Post that log, if no more issues we can clean up...
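    The step above is done by hand: take the ESET export, drop the entries AdwCleaner had already quarantined as *.vir copies, and turn the rest into an OTM :Files block with [EmptyTemp] at the end. As an added example (not code from the thread, from ESET or from OTM), here is a Python script that does the same triage on the line layout seen in the posted report; the sample lines are a constructed subset of that report, and the regex assumes one detection per line in the form `<path> [a variant of ]<Family/Name> [<category>]`, with "multiple threats" carrying no category.

```python
"""Parse an ESET Online Scanner threat export and build the OTM :Files script.

Added example, not part of the thread or of ESET/OTM. Assumes the export uses
the one-detection-per-line layout seen in the thread:
    <path> [a variant of ]<Family/Name> [<category>]
with "multiple threats" as a detection that carries no category.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed subset of the ESET report posted in the thread (sample input).
ESET_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Conduit\Community Alerts\Alert.dll.vir Win32/Toolbar.Conduit.Y potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Re-markit\Uninstall.exe.vir Win32/AdWare.AddLyrics.AE application
C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\background.js Win32/TrojanDownloader.Tracur.V trojan
C:\Users\Ziny\Downloads\Babylon9_setup.exe a variant of Win32/Toolbar.Babylon.C potentially unwanted application
C:\Users\Ziny\Downloads\PageRageSetupv2.exe multiple threats
C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo6060_en.exe Win32/TrojanDownloader.Whizelown.J trojan
"""

# A Windows path (may contain spaces, so it is matched lazily), then the detection
# name, which is the first token that looks like Family/Name, then an optional category.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:a variant of )?[A-Za-z0-9]+/\S+|multiple threats)"
    r"(?:\s+(?P<category>.+))?$"
)

# AdwCleaner keeps quarantined copies as *.vir under its own folder; ESET flags
# them again, but they are already neutralised and need no further move.
QUARANTINE_PREFIX = "c:\\adwcleaner\\quarantine\\"


@dataclass(frozen=True)
class Detection:
    path: str
    detection: str
    category: Optional[str]  # None for "multiple threats"

    @property
    def quarantined(self) -> bool:
        low = self.path.lower()
        return low.startswith(QUARANTINE_PREFIX) and low.endswith(".vir")


def parse_eset_log(text: str) -> List[Detection]:
    """Return one Detection per non-blank line; a line that does not fit the layout raises."""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        found.append(Detection(m["path"], m["detection"], m["category"]))
    return found


def live_paths(dets: List[Detection]) -> List[str]:
    """Paths still on disk (not an AdwCleaner quarantine copy), in report order, de-duplicated."""
    seen = set()
    out: List[str] = []
    for d in dets:
        if d.quarantined or d.path in seen:
            continue
        seen.add(d.path)
        out.append(d.path)
    return out


def build_otm_script(dets: List[Detection]) -> str:
    """Emit the :Files / :Commands block OTM expects, the same shape as the one in the thread."""
    lines = [":Files", *live_paths(dets), ":Commands", "[EmptyTemp]"]
    return "\n".join(lines) + "\n"


def counts_by_category(dets: List[Detection]) -> Dict[str, int]:
    """Triage summary: how many trojans vs. PUAs vs. 'multiple threats' items."""
    counts: Dict[str, int] = {}
    for d in dets:
        key = d.category or d.detection
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    detections = parse_eset_log(ESET_LOG)
    print(counts_by_category(detections))
    print(build_otm_script(detections))
```

Running it on the full 30-line export from the thread reproduces the 19-path :Files block kevinf80 posted, with the 11 AdwCleaner quarantine entries left out.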
     
  8. Zinyzo

    Zinyzo Thread Starter

    Joined:
    Mar 3, 2010
    Messages:
    40
    All processes killed
    ========== FILES ==========
    C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\background.js moved successfully.
    C:\Users\Ziny\AppData\Local\Google\Chrome\User Data\Default\Default\aagbdfgcdjdddfdadfdhdagedhdidfdd\ContentScript.js moved successfully.
    C:\Users\Ziny\Downloads\Babylon9_setup.exe moved successfully.
    C:\Users\Ziny\Downloads\DownloadManagerSetup.exe moved successfully.
    C:\Users\Ziny\Downloads\mightymagoo-setup.exe moved successfully.
    C:\Users\Ziny\Downloads\PageRageSetupv2.exe moved successfully.
    C:\Users\Ziny\Downloads\playpickle-setup.exe moved successfully.
    C:\Users\Ziny\Downloads\rooftopconfessions-us-dtx.exe moved successfully.
    C:\Users\Ziny\Downloads\Video2MP3_Free_Download_Manager.exe moved successfully.
    C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo6060_en.exe moved successfully.
    C:\Users\Ziny\Downloads\WhiteSmokeWriterGeo9095_en.exe moved successfully.
    C:\Users\Ziny\Downloads\YontooClientSetup(2).exe moved successfully.
    C:\Users\Ziny\Downloads\YontooClientSetup(3).exe moved successfully.
    C:\Users\Ziny\Downloads\YontooClientSetup(4).exe moved successfully.
    C:\Users\Ziny\Downloads\YontooClientSetup(5).exe moved successfully.
    C:\Users\Ziny\Downloads\YontooClientSetup.exe moved successfully.
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(2).exe moved successfully.
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals(3).exe moved successfully.
    C:\Users\Ziny\Downloads\YontooSetup-DropDownDeals.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: AppData
    ->Temp folder emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: Ziny
    ->Temp folder emptied: 517758 bytes
    ->Temporary Internet Files folder emptied: 5529051 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 90770896 bytes
    ->Google Chrome cache emptied: 113039159 bytes
    ->Flash cache emptied: 506 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 7120 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 2885445 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 35799114 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 237.00 mb


    OTM by OldTimer - Version 3.1.21.0 log created on 02212014_171246

    Files moved on Reboot...

    Registry entries deleted on Reboot...

    I rebooted already.
     
  9. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,146
    OK, do the following if there are no remaining issues or concerns..

    Uninstall adwcleaner.exe (unless you want to keep it)
    • Please close all open programs and internet browsers.
    • Double click on adwcleaner.exe to run the tool.
    • Click on Uninstall
    • Click Yes at Would you like to Uninstall Adwcleaner

    Next,

    We need to remove FRST; first, it is very important to deal with its own Quarantine folder by using FRST itself..

    OK, we continue:

    Delete any fixlist.txt file previously used, continue:

    Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

    NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

    Run FRST and press the Fix button just once and wait.
    The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful.

    Next,

    Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

    Next,

    Remove Combofix now that we're done with it
    • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
    • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the "x" and "/")
    • Please follow the prompts to uninstall Combofix.
    • You will then receive a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

    Next,

    Download "Delfix by Xplode" and save it to your desktop.

    "Delfix link mirror"

    Double click to start the program. If you are using Vista or higher, please right-click and choose Run as administrator.

    Make Sure the following items are checked:

    • Remove disinfection tools

    Now click on "Run" and wait patiently until the tool has completed.

    The tool will create a log when it has completed. We don't need you to post this.

    Let me know if those steps complete, also give an update on the status of your system...

    Thanks,

    Kevin
     

    Attached Files:

  10. Zinyzo

    Zinyzo Thread Starter

    Joined:
    Mar 3, 2010
    Messages:
    40
    Alright, I deleted those programs. Everything seems to be running fine! Thank you so much for the help!!!!!
     
  11. kevinf80

    kevinf80 Malware Specialist

    Joined:
    Mar 21, 2006
    Messages:
    10,146

Short URL to this thread: https://techguy.org/1120262