sw00p, Posted October 14, 2015

Hi, can someone help please? Also, sorry for creating a second topic; please tell me how to delete topics, and I will delete both topics when resolved. THANK YOU!!!!!

Attachments: scan_151014-091814.txt, FRST.txt, Addition.txt

Kevin Zoll, Posted October 15, 2015

Your logs show that you are bypassing the Adobe activation servers. This leads me to believe that the Adobe software installed on this computer is not properly licensed. You will be required to uninstall all copies of unlicensed software before any further assistance is given.

sw00p, Posted October 16, 2015

Hi, how do I uninstall a program if I can't access the Control Panel / Programs / Uninstall programs list, please? Thank you, Mark

Kevin Zoll, Posted October 16, 2015

Press Windows+R, type control, click OK.

sw00p, Posted October 17, 2015

Hi, thanks Kevin, but I can no longer access my desktop, just a black screen with a mouse arrow. Tried to go to safe mode to uninstall, but it won't let me uninstall programs. Can you remote access my PC? Thank you, Mark

Kevin Zoll, Posted October 19, 2015

Mark, if you can not get to the Desktop, then I will not be able to do a remote session. Try restoring to last known good point.

sw00p, Posted October 19, 2015

Hi Kevin, thank you. Managed to get back to desktop, thanks. I can access my control panel, but can't access the uninstall option. Any ideas? Your help is most appreciated. Thank you

Kevin Zoll, Posted October 20, 2015

OK, let's try removing some of the malware.

Download AdwCleaner and save it on your desktop.
- Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
- Double click on adwcleaner.exe to run the tool.
- Click on the Scan button.
- After the scan has finished, click on the Clean button.
- Confirm each time with OK.
- You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
- Attach that log file to your reply by clicking the More Reply Options button to the lower-right of where you type in your reply.

NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.
If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version, please download and run the updated version.

Kevin Zoll, Posted October 23, 2015

Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.