Your Computer is Infected with a Virus -Call this Number.

Old 05-31-2017, 05:06 PM   #1
bluewizard (Registered Member)
Join Date: Nov 2007
Posts: 10
OS: Win-10

There is a virus that is occurring that pops up a webpage that is very difficult to close. It pretends to be a Microsoft Support site, but uses what seem to be random letter .us domains.

Examples-

lvsdigw._us
ffwzbv._us

Underbars added for safety.

OS = WIN-XP
Browser = Firefox 52.1.2
Computer = Dell Inspiron 530

It's my mother's computer, she's 93, and doesn't need much.

---------------------
DDS.txt File -
---------------------
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by SRB1 at 18:55:37 on 2017-05-31
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3317.1895 [GMT -5:00]
.
AV: Kaspersky Internet Security *Enabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avanquest\PowerDesk\PDHookServer.exe
C:\Program Files\Raxco\PerfectUpdater\perfectupdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Raxco\Shared\PDEngine.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 17.0.0\avpui.exe
C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe
E:\Internet\FireFox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4071012
uSearch Bar = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uSearch Page = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
uDefault_Page_URL = Google
mSearchAssistant = hxxp://www.google.com/hws/sb/dell-usuk/en/side.html?channel=us
BHO: Kaspersky Protection: {2E38825B-8815-42CF-9126-C58BC28D4591} - c:\program files\kaspersky lab\kaspersky internet security 17.0.0\ieext\ie_plugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\program files\dell\bae\BAE.dll
TB: Kaspersky Protection Toolbar: {093F479D-712E-46CD-9E06-62E734A05F68} - c:\program files\kaspersky lab\kaspersky internet security 17.0.0\ieext\ie_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PDHookServer] c:\program files\avanquest\powerdesk\PDHookServer.exe
uRun: [PUReminder] c:\program files\raxco\perfectupdater\perfectupdater.exe -rem
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [SystemTray] SysTray.Exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:0
uPolicies-Explorer: NoViewOnDrive = dword:0
uPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Explorer: NoActiveDesktopChanges = dword:1
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1267575219265
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.2.1
TCP: Interfaces\{7EDC1C43-1165-44ED-919E-0F4619205565} : NameServer = 207.177.24.2,207.177.24.3,8.8.8.8
TCP: Interfaces\{7EDC1C43-1165-44ED-919E-0F4619205565} : DHCPNameServer = 192.168.2.1
TCP: Interfaces\{CE43CC31-1043-48C7-99B7-776480DD1CDD} : NameServer = 207.177.24.2,167.142.225.3
TCP: Interfaces\{CE43CC31-1043-48C7-99B7-776480DD1CDD} : DHCPNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs= c:\windows\system32\FileMonitor32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\srb1\application data\mozilla\firefox\profiles\dcnu8t2q.default-1461271856187\
FF - prefs.js: browser.startup.homepage - file:///E:/Internet/momhome.htm
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.33.5\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.50428.0\npctrlui.dll
FF - plugin: c:\windows\system32\adobe\director\np32dsw_1228198.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_24_0_0_221.dll
FF - plugin: e:\programs\quicktime\plugins\npqtplugin.dll
FF - plugin: e:\programs\quicktime\plugins\npqtplugin2.dll
FF - plugin: e:\programs\quicktime\plugins\npqtplugin3.dll
FF - plugin: e:\programs\quicktime\plugins\npqtplugin4.dll
FF - plugin: e:\programs\quicktime\plugins\npqtplugin5.dll
FF - plugin: e:\programs\quicktime\plugins\npqtplugin6.dll
FF - plugin: e:\programs\quicktime\plugins\npqtplugin7.dll
.
============= SERVICES / DRIVERS ===============
.
R0 cm_km;AO Kaspersky Lab Cryptographic Module x86 (56 bit);c:\windows\system32\drivers\cm_km.sys [2016-6-10 170840]
R0 hotcore2;hotcore2;c:\windows\system32\drivers\hotcore2.sys [2007-10-17 30808]
R0 kl1;kl1;c:\windows\system32\drivers\kl1.sys [2016-6-2 165296]
R0 klbackupdisk;Kaspersky Lab klbackupdisk;c:\windows\system32\drivers\klbackupdisk.sys [2016-6-8 57264]
R1 klbackupflt;Kaspersky Lab klbackupflt;c:\windows\system32\drivers\klbackupflt.sys [2016-6-15 77656]
R1 klhk;Kaspersky Lab service driver;c:\windows\system32\drivers\klhk.sys [2017-1-10 128496]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2017-1-10 796384]
R1 klpd;Kaspersky Lab format recognizer driver;c:\windows\system32\drivers\klpd.sys [2016-6-1 41392]
R1 kltdf;kltdf;c:\windows\system32\drivers\kltdf.sys [2016-5-18 82352]
R1 kltdi;kltdi;c:\windows\system32\drivers\kltdi.sys [2016-5-18 71088]
R1 kneps;kneps;c:\windows\system32\drivers\kneps.sys [2016-6-14 165088]
R2 AVP17.0.0;Kaspersky Anti-Virus Service 17.0.0;c:\program files\kaspersky lab\kaspersky internet security 17.0.0\avp.exe [2016-6-28 241544]
R2 kldisk;kldisk;c:\windows\system32\drivers\kldisk.sys [2016-6-1 69000]
R2 PDFSFilter;PDFsFilter;c:\windows\system32\drivers\PDFsFilter.sys [2012-8-23 69016]
R3 klflt;Kaspersky Lab Kernel DLL;c:\windows\system32\drivers\klflt.sys [2017-1-10 159448]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2016-5-23 50080]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;c:\windows\system32\drivers\klkbdflt.sys [2016-5-19 44976]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2015-6-7 37040]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1c9ab8d2cadb36d;Google Update Service (gupdate1c9ab8d2cadb36d);c:\program files\google\update\GoogleUpdate.exe [2009-3-23 144200]
S3 kltap;Kaspersky Security Data Escort Adapter;c:\windows\system32\drivers\kltap.sys [2016-6-22 42336]
S3 KSDE1.0.0;Kaspersky Secure Connection Service 1.0.0;c:\program files\kaspersky lab\kaspersky secure connection 1.0\ksde.exe [2016-6-28 241544]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\62A77F3E.sys [2016-8-23 170200]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2007-10-17 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2007-10-17 14336]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2017-05-18 20:45:47 803320 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2017-05-18 20:45:47 144888 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2017-05-18 20:09:48 2404 ----a-w- c:\windows\system32\ASOROSet.bin
2017-04-11 10:32:02 159448 ----a-w- c:\windows\system32\drivers\klflt.sys
2017-04-11 10:32:00 128496 ----a-w- c:\windows\system32\drivers\klhk.sys
2017-03-14 09:50:34 165088 ----a-w- c:\windows\system32\drivers\kneps.sys
.
============= FINISH: 18:56:08.62 ===============

ATTACH.txt file attached.
-------------------------

Steve/bluewizard
Attached file: attach.txt (15.7 KB)
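A triage helper for the "Pseudo HJT Report" section of the DDS log posted above, written here as an added example (it is not code from the thread or from the DDS tool). The sample lines are constructed in the same shapes as the posted log, and the two flag rules (a static per-interface DNS list that differs from the DHCP-assigned one, and any AppInit_DLLs entry) are this example's own review prompts, not a verdict on the entries in this particular log.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example, not code from the thread or from the DDS tool. It parses the
line shapes seen in the posted log (BHO, TB, uRun/mRun, Notify/SSODL,
AppInit_DLLs, TCP NameServer) and raises two review flags: a per-interface
static DNS list that differs from the DHCP-assigned one, and any
AppInit_DLLs entry, since that value loads a DLL into every user-mode process.
"""
import re
from collections import defaultdict

# Constructed sample in the same shapes as the posted log (not the full log).
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============
BHO: Kaspersky Protection: {2E38825B-8815-42CF-9126-C58BC28D4591} - c:\\program files\\ieext\\ie_plugin.dll
TB: Kaspersky Protection Toolbar: {093F479D-712E-46CD-9E06-62E734A05F68} - c:\\program files\\ieext\\ie_plugin.dll
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [Adobe ARM] "c:\\program files\\common files\\adobe\\arm\\1.0\\AdobeARM.exe"
TCP: NameServer = 192.168.2.1
TCP: Interfaces\\{7EDC1C43-1165-44ED-919E-0F4619205565} : NameServer = 207.177.24.2,207.177.24.3,8.8.8.8
TCP: Interfaces\\{7EDC1C43-1165-44ED-919E-0F4619205565} : DHCPNameServer = 192.168.2.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs= c:\\windows\\system32\\FileMonitor32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\\windows\\system32\\WPDShServiceObj.dll
================= FIREFOX ===================
FF - plugin: c:\\windows\\system32\\macromed\\flash\\NPSWF32_24_0_0_221.dll
"""

RE_RUN = re.compile(r"^([um])Run:\s*\[([^\]]+)\]\s*(.*)$")
RE_OBJ = re.compile(r"^(BHO|TB):\s*(.*?):\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(.*)$")
RE_HOOK = re.compile(r"^(Notify|SSODL):\s*(\S+)\s*-\s*(.*)$")
RE_TCP = re.compile(r"^TCP:\s*Interfaces\\(\{[0-9A-Fa-f-]+\})\s*:\s*(NameServer|DHCPNameServer)\s*=\s*(.*)$")
RE_APPINIT = re.compile(r"^AppInit_DLLs\s*=\s*(.*)$")


def parse_hjt(text):
    """Return (entries, dns): entries maps kind -> list of dicts; dns maps an
    interface GUID -> {'NameServer': [...], 'DHCPNameServer': [...]}."""
    entries, dns, in_section = defaultdict(list), defaultdict(dict), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):            # DDS section banner
            in_section = "Pseudo HJT Report" in line
            continue
        if not in_section or not line or line == ".":
            continue
        if m := RE_RUN.match(line):
            scope = "user" if m.group(1) == "u" else "machine"
            entries["Run"].append({"scope": scope, "name": m.group(2), "command": m.group(3)})
        elif m := RE_OBJ.match(line):
            entries[m.group(1)].append({"name": m.group(2), "clsid": m.group(3), "path": m.group(4)})
        elif m := RE_HOOK.match(line):
            entries[m.group(1)].append({"name": m.group(2), "target": m.group(3)})
        elif m := RE_TCP.match(line):
            dns[m.group(1)][m.group(2)] = [s.strip() for s in m.group(3).split(",") if s.strip()]
        elif m := RE_APPINIT.match(line):
            entries["AppInit_DLLs"].extend(p.strip() for p in m.group(1).split(",") if p.strip())
    return entries, dns


def triage(entries, dns):
    """Review flags for a helper to check; a flag is a prompt, not a verdict."""
    flags = []
    for guid, servers in dns.items():
        static, dhcp = servers.get("NameServer"), servers.get("DHCPNameServer")
        if static and dhcp and static != dhcp:
            flags.append("DNS-OVERRIDE %s: static %s differs from DHCP %s"
                         % (guid, ",".join(static), ",".join(dhcp)))
    for dll in entries.get("AppInit_DLLs", []):
        flags.append("APPINIT %s: loaded into every user-mode process; verify the file" % dll)
    return flags
```

Running `parse_hjt` over a full DDS.txt works the same way, since only the lines between the Pseudo HJT banner and the next section banner are read.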
Old 06-03-2017, 05:55 PM   #2
bluewizard (Registered Member)

No thoughts? My mother is getting pretty tired of the interruptions and having to call me to clear the computer.

Steve/bluewizard
Old 06-04-2017, 09:26 PM   #3
chemist (Security Team; Moderator, Analyst; Rangemaster, TSF Academy; Microsoft Most Valuable Professional)
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10

Hello and Welcome to TSF.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Quote:
It's my mother's computer, she's 93, and doesn't need much
Being that XP machines are no longer receiving OS updates, your machine will always be vulnerable to threats, so we are really wasting time cleansing your machine.

No matter the reason you keep XP, this machine will always be susceptible to infection.

------------------------------------------------------

Please download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Scan
  • Once the Scan is done, select Clean
  • Once done it will ask to reboot, please allow the reboot.
  • On reboot, a log will be produced. It can also be found at C:\AdwCleaner\AdwCleaner[C#].txt
  • Please copy/paste the contents of the log in your next reply.
------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
Old 06-06-2017, 03:16 PM   #4
bluewizard (Registered Member)

I'm not interested in All Possible Infections, I'm interested in just this one.

However, AdwCleaner will probably solve the problem.

I will post back when I get the log.

Thanks for your help.

Steve/bluewizard
Old 06-06-2017, 05:11 PM   #5
bluewizard (Registered Member)

Here is the AdwCleaner Log - It seems to have found some things -

Thanks for the help.
- - - - - - - - - - - - - - - - - - - - -

# AdwCleaner v6.047 - Logfile created 06/06/2017 at 19:04:12
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-05-19.1 [Local]
# Operating System : Microsoft Windows XP Service Pack 3 (X86)
# Username : SRB1 - SRB
# Running from : C:\Documents and Settings\SRB1\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****



***** [ Folders ] *****

[-] Folder deleted: C:\DOCUME~1\SRB1\LOCALS~1\Temp\Conduit


***** [ Files ] *****

[-] File deleted: C:\WINDOWS\system32\roboot.exe


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\AniGif.Document
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorBho.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[-] Key deleted: HKLM\SOFTWARE\Classes\SdcUser.SdcMailCtl
[-] Key deleted: HKLM\SOFTWARE\Classes\SdcUser.SdcMailCtl.1
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{19D2F415-D58B-46BC-9390-C03DCBC21EB2}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{6E45F3E8-2683-4824-A6BE-08108022FB36}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{987D9269-F8A1-408F-BF62-4397D2F5363E}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{9F0F16DD-4E76-4049-A9B1-7A91E48F0323}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E0722BEB-FDA1-4AA1-A2A8-15A74A5B3F70}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{F1963E76-845B-474C-8C7F-D69A96D8AA34}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{F4288797-CB12-49CE-9DF8-7CDFA1143BEA}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{744E0E81-BC79-4719-A58B-C98F7E78EE5D}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{212C2C4F-C845-4FBC-9561-C833A13D8DCE}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{3C5D1D57-16C8-473C-A552-37B8D88596FE}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{4A115D8A-6A7B-4C72-92B1-2E2D01F36979}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{99DF8440-814E-497F-BDDD-FB93E9E9DF96}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{E00DE9B9-B128-4C39-B732-B5D85013FA48}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2A841F7A-A014-4DA5-B6D9-8B913DFB7A8C}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{438FAE3E-BDEF-44D3-AB8B-0C7C8350DF59}]
[-] Key deleted: HKU\S-1-5-21-1698007797-1261079142-1627065577-1006\Software\Toolbar
[-] Key deleted: HKU\S-1-5-21-1698007797-1261079142-1627065577-1006\Software\YahooPartnerToolbar
[#] Key deleted on reboot: HKCU\Software\Toolbar
[#] Key deleted on reboot: HKCU\Software\YahooPartnerToolbar
[-] Key deleted: HKCU\Toolbar
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\escort.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
[-] Key deleted: HKLM\SOFTWARE\Classes\AppID\esrv.EXE
[-] Key deleted: HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi


***** [ Web browsers ] *****



*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [4526 Bytes] - [06/06/2017 19:04:12]
C:\AdwCleaner\AdwCleaner[S0].txt - [4564 Bytes] - [06/06/2017 19:03:38]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [4672 Bytes] ##########
Old 06-07-2017, 09:24 PM   #6
chemist (Security Team)

Hello bluewizard.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back them up now just as a precaution.

Emergency Backup Procedure - Tech Support Forum

------------------------------------------------------

Please download ComboFix and Save it to your Desktop.

**Note: It is important that it is saved directly to your desktop**

Disable all antivirus and antispyware programs. Get help here

Double-click ComboFix.exe and follow the prompts to run it.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  • With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
  • It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
  • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




ComboFix will now automatically install the Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Recovery Console is installed, this blue window will appear:


  • Please click Yes to continue scanning for malware.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done.
  • ComboFix may reboot your machine. This is normal.
  • When the tool is finished, it will produce a log for you.

Please post that log, C:\ComboFix.txt, in your next reply.

Please re-enable your antivirus before posting the ComboFix.txt log.

------------------------------------------------------
Old 06-08-2017, 01:37 AM   #7
bluewizard (Registered Member)

Thanks, this is my mother's computer, so it will take some time to get to it, but I'll get on it.

Thanks again.
Old 06-08-2017, 08:54 AM   #8
chemist (Security Team)

You're welcome. Let me know.
Old 06-20-2017, 08:54 PM   #9
chemist (Security Team)

Still with us, bluewizard?