
Trojan.Win32.Mal.gen!b3 [Closed]


  • This topic is locked

#31
Nutloaf

Nutloaf

    Trusted Helper

  • Malware Removal
  • 1,790 posts
Hi Texred, can you tell me anything about the following files. Are you aware of them? I have removed one entry.

C:\Users\tania\Documents\int intelius cm Has Not Responded_ Next Step___.eml
C:\Users\tania\Documents\Re_ int intelius cm Has Not Responded_ Next Step___.eml
C:\Users\tania\Documents\[Spokeo Support Center] Re_ Opt-out.eml
C:\Users\tania\Documents\LinkedIn Network Updates, 6_27_2013.eml:OECustomProperty
C:\Users\tania\Documents\Refund.eml

Have you downloaded any new programs?
  • 0

#32
texred

texred

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
No new programs. These files are from "People Search". I was seeking information regarding next-ex. From what I understand, they all file into Spokeo or Intelius, and provide info on anybody to anybody. I didn't know any better.
Please kill all, along with "videossomente" - bad stuff he put on my computer, stashed away, never found it till he was gone.
Thanx.
  • 0

#33
texred

texred

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Actually I think the bigger company is LinkedIn. Some people loosely consider this social media, of which I want no part.
  • 0

#34
Nutloaf

Nutloaf

    Trusted Helper

  • Malware Removal
  • 1,790 posts
Many thanks will reply tomorrow :thumbsup:
  • 0

#35
texred

texred

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Have to go OOT til Saturday. See you later, and thank you!
  • 0

#36
Nutloaf

Nutloaf

    Trusted Helper

  • Malware Removal
  • 1,790 posts
No problem, this infection has its hooks in pretty good. I would like a scan from you that takes about 5 minutes to carry out if you could.

OTL Custom Scan

  • Right click the OTL icon and select Run as Administrator.
  • There are 8 None boxes; please check all 8.
  • Copy and paste the following into the Custom Scans\Fixes box without the word Quote.

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\connections
    HKEY_USERS\S-1-5-18\Software\Classes\.exe
    HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1000_Classes\.exe
    HKEY_USERS\.DEFAULT\Software\Classes\.exe

  • Now Click Run Scan
  • OTL will now scan your computer and produce a log file OTL.txt
  • Please post in your next reply

  • 0

#37
texred

texred

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
OTL logfile created on: 10/12/2013 11:14:21 AM - Run 4
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\tania\Downloads
64bit- Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.10.9200.16721)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.97 Gb Total Physical Memory | 1.72 Gb Available Physical Memory | 43.28% Memory free
7.93 Gb Paging File | 5.58 Gb Available in Paging File | 70.30% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 220.07 Gb Total Space | 138.43 Gb Free Space | 62.90% Space Free | Partition Type: NTFS
Drive D: | 12.62 Gb Total Space | 2.11 Gb Free Space | 16.70% Space Free | Partition Type: NTFS

Computer Name: TANIA-PC | User Name: tania | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Include 64bit Scans
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Custom Scans ==========

< HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\connections >
"SavedLegacySettings" = 46 00 00 00 2B 08 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 60 44 12 52 50 22 CE 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [binary data]
"DefaultConnectionSettings" = 46 00 00 00 8D 0C 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 60 44 12 52 50 22 CE 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [binary data]
"LAN Connection" = 46 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [binary data]

< HKEY_USERS\S-1-5-18\Software\Classes\.exe >
"" = exefile
"Content Type" = application/x-msdownload

[HKEY_USERS\S-1-5-18\Software\Classes\.exe\shell]

< HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1000_Classes\.exe >
"" = exefile
"Content Type" = application/x-msdownload

[HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1000_Classes\.exe\shell]

< HKEY_USERS\.DEFAULT\Software\Classes\.exe >
"" = exefile
"Content Type" = application/x-msdownload

[HKEY_USERS\.DEFAULT\Software\Classes\.exe\shell]

< End of report >
  • 0

#38
texred

texred

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Hi Nutloaf,

Can you give me a hint about what's going on with this plague?

Thanks,
Tania
:blink:
  • 0

#39
texred

texred

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
Got this in my email today or yesterday.

Important Password Reset Information
To view this message in a language other than English, please click here.

We recently discovered that an attacker illegally entered our network and may have obtained access to your Adobe ID and encrypted password. We currently have no indication that there has been unauthorized activity on your account.

To prevent unauthorized access to your account, we have reset your password. Please visit www.adobe.com/go/passwordreset to create a new password. We recommend that you also change your password on any website where you use the same user ID or password. In addition, please be on the lookout for suspicious email or phone scams seeking your personal information.

We deeply regret any inconvenience this may cause you. We value the trust of our customers and we will work aggressively to prevent these types of events from occurring in the future. If you have questions, you can learn more by visiting our Customer Alert page, which you will find here.
Adobe Customer Care
  • 0

#40
Nutloaf

Nutloaf

    Trusted Helper

  • Malware Removal
  • 1,790 posts
Hi Texred, do you use Adobe products that require a password? That email about Adobe is more than likely spam and should be deleted.

There are a couple of entries that need to be edited in the registry. As far as the malware is concerned, it's not serious, just a little tricky to get rid of.

I will complete my fix and post a little later.

P.S When you go out you really do go out :lol:
  • 0

#41
Nutloaf

Nutloaf

    Trusted Helper

  • Malware Removal
  • 1,790 posts
Hi Texred, there is a post above this one. :)

A few things to do here that you should be OK with as you have completed before. Any problems then please get back to me.

Follow in the order given

1. Uninstall ADWcleaner

We need to use this again and need an updated version. The easiest way is to uninstall and download again in step 4 or you may get lost on a French website :)

  • Open ADWcleaner if prompted to update select Cancel then select Uninstall
  • All done!


2. User Accounts

I need you to check both User accounts on the machine. Log on and check the following for me please:

  • Click Start - Control Panel - Network and Internet - Internet Options
  • In the window that opens select the Connections Tab, then select LAN settings; it should look like the image. Make sure Automatically detect settings is checked and nothing else.



3. OTL Fix

  • Right click the OTL icon and select Run as Administrator.
  • Copy the entire text in the Quote box below, do not include the word QUOTE and Paste into the Custom Scans/Fixes box in OTL.

    :COMMANDS
    [CREATERESTOREPOINT]

    :OTL
    IE - HKU\S-1-5-21-485409517-1736587146-2298806430-1000\..\SearchScopes,DefaultScope = {C22BB58A-9D6B-4917-B58E-43D08AD450CB}
    IE - HKU\S-1-5-21-485409517-1736587146-2298806430-1000\..\SearchScopes\{C22BB58A-9D6B-4917-B58E-43D08AD450CB}: "URL" = http://www.google.co...ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>127.0.0.1;localhost;10.*;192.168.*;127.0.0.1:895;127.0.0.1:896
    IE - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =
    FF - prefs.js..browser.search.param.yahoo-fr: "chr-greentree_ff&ilc=12&type=937811"
    FF - prefs.js..extensions.enabledItems: {0153E448-190B-4987-BDE1-F256CADA672F}:15.0.6
    FF - prefs.js..keyword.URL: "http://search.yahoo....type=937811&p="
    FF - prefs.js..browser.startup.homepage: "http://google/ig"
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.6.14:
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.6.14: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O37 - HKU\.DEFAULT\...exe [@ = exefile] -- Reg Error: Key error. File not found
    O37 - HKU\S-1-5-18\...exe [@ = exefile] -- Reg Error: Key error. File not found
    O37 - HKU\S-1-5-21-485409517-1736587146-2298806430-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found

    [2013/10/05 14:59:02 | 000,022,215 | ---- | M] () -- C:\Users\tania\Documents\int intelius cm Has Not Responded_ Next Step___.eml
    [2013/10/05 14:59:01 | 000,027,913 | ---- | M] () -- C:\Users\tania\Documents\Re_ int intelius cm Has Not Responded_ Next Step___.eml
    [2013/10/05 14:58:59 | 000,015,405 | ---- | M] () -- C:\Users\tania\Documents\[Spokeo Support Center] Re_ Opt-out.eml
    [2013/10/05 14:58:58 | 000,036,500 | ---- | M] () -- C:\Users\tania\Documents\LinkedIn Network Updates, 6_27_2013.eml
    [2013/10/05 14:58:56 | 000,030,983 | ---- | M] () -- C:\Users\tania\Documents\[videossomente] Teens Like It Big - Elaina Rae.eml
    [2013/10/05 14:58:55 | 000,066,649 | ---- | M] () -- C:\Users\tania\Documents\Refund.eml
    [2013/09/09 19:26:22 | 000,016,152 | ---- | M] () -- C:\Windows\SysNative\drivers\SWDUMon.sys
    [2013/04/23 20:52:50 | 000,880,894 | ---- | C] () -- C:\Users\tania\AppData\Local\census.cache
    [2013/04/23 20:52:08 | 000,127,111 | ---- | C] () -- C:\Users\tania\AppData\Local\ars.cache
    [2013/04/23 20:39:43 | 000,000,036 | ---- | C] () -- C:\Users\tania\AppData\Local\housecall.guid.cache
    [2013/06/26 00:51:15 | 000,000,000 | ---D | M] -- C:\Users\tania\AppData\Roaming\TuneUp Software
    [2013/07/06 15:51:49 | 000,000,000 | ---D | M] -- C:\Users\tania\AppData\Roaming\Wondershare


    @Alternate Data Stream - 973 bytes -> C:\Users\tania\Documents\int intelius cm Has Not Responded_ Next Step___.eml:OECustomProperty
    @Alternate Data Stream - 910 bytes -> C:\Users\tania\Documents\Re_ int intelius cm Has Not Responded_ Next Step___.eml:OECustomProperty
    @Alternate Data Stream - 885 bytes -> C:\Users\tania\Documents\[Spokeo Support Center] Re_ Opt-out.eml:OECustomProperty
    @Alternate Data Stream - 572 bytes -> C:\Users\tania\Documents\Refund.eml:OECustomProperty
    @Alternate Data Stream - 11823 bytes -> C:\Users\tania\Documents\[videossomente] Teens Like It Big - Elaina Rae.eml:OECustomProperty
    @Alternate Data Stream - 1091 bytes -> C:\Users\tania\Documents\LinkedIn Network Updates, 6_27_2013.eml:OECustomProperty

    REG:
    [HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\connections]
    "SavedLegacySettings" = 46 00 00 00 2B 08 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 60 44 12 52 50 22 CE 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [binary data]
    "DefaultConnectionSettings" = 46 00 00 00 8D 0C 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 60 44 12 52 50 22 CE 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [binary data]

    :FILES
    C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin
    ipconfig /flushdns /c
    netsh winsock reset catalog /c
    netsh int ip reset c:\resetlog.txt /c
    ipconfig /release /c
    ipconfig /renew /c

    :COMMANDS
    [RESETHOSTS]
    [EMPTYTEMP]

  • Then click Run Fix
  • Click O.K if asked to Reboot.
  • An OTL fix log will be saved in the following location: C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log - where mmddyyyy_hhmmss is the date and time of the fix.
  • Copy and Paste the Fix Log in your next reply.


4. Run ADWcleaner

  • Using this link Download ADWcleaner and save to Desktop.
  • Right click ADWcleaner and Run as Administrator then select Scan
  • Once the scan is complete click Clean
  • A reboot will be asked for click O.K
  • On reboot a log will be produced, please post in your next reply.
  • The log will also be located here: C:\ADWcleaner\AdwCleaner[S1].txt. To get to this location:
  • Click Start - Computer - Double click Local Disk (C:) - Double Click the ADWCleaner folder and the log is there called AdwCleaner[S0]

5. Junkware Removal Tool

1. Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Right-mouse click JRT.exe and select Run as Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

OTL Custom Scan

  • Right click the OTL icon and select Run as Administrator.
  • Select the following boxes:
  • Scan All Users
  • Use Company-Name WhiteList
  • Skip Microsoft Files
  • Use No-Company-Name WhiteList
  • LOP Check
  • Now Click Run Scan
  • OTL will now scan your computer and produce a log file OTL.txt
  • Please post in your next reply

Things I want to see in your next post.

  • OTL fix.txt
  • ADWcleaner[S1].txt
  • JRT.txt
  • OTL.txt

  • 0
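The custom scan in posts #36 and #37 and step 2 of the post above both turn on the same thing: the binary "DefaultConnectionSettings" / "SavedLegacySettings" values under the per-user Internet Settings\Connections key, which is where Internet Explorer stores the "Automatically detect settings" checkbox and any manual proxy. The decoder below is an added example, not OTL's code or the helper's fix; it assumes the commonly documented WinINet layout (DWORD version, DWORD change counter, DWORD flags, then three length-prefixed strings for proxy server, bypass list and auto-config URL, with flag bits 0x01 direct, 0x02 manual proxy, 0x04 auto-config script, 0x08 auto-detect), which the page does not itself spell out. It reads the hex exactly as OTL prints it, so the values from post #37 can be checked without opening Internet Options; the "hijacked" sample is constructed here.

```python
"""Added example: decode IE/WinINet connection-settings blobs from an OTL scan.

Layout assumed (not confirmed by the page): version, counter, flags as DWORDs,
then three length-prefixed ANSI strings (proxy, bypass list, auto-config URL).
"""
import struct

FLAG_NAMES = {0x01: "DIRECT", 0x02: "PROXY", 0x04: "AUTOCONFIG_URL", 0x08: "AUTO_DETECT"}

# Hex copied from the OTL custom scan in post #37 (56 bytes each).
SAVED_LEGACY_SETTINGS = (
    "46 00 00 00 2B 08 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "04 00 00 00 00 00 00 00 60 44 12 52 50 22 CE 01 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00"
)
LAN_CONNECTION = (
    "46 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "00 00 00 00 00 00 00 00"
)


def _read_string(blob, offset):
    """Read a DWORD length followed by that many ANSI bytes."""
    (length,) = struct.unpack_from("<I", blob, offset)
    offset += 4
    text = blob[offset:offset + length].decode("latin-1")
    return text, offset + length


def decode_connection_settings(hex_text):
    """Parse one Connections value given as space-separated hex (OTL's format)."""
    blob = bytes.fromhex(hex_text)
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    proxy, off = _read_string(blob, 12)
    bypass, off = _read_string(blob, off)
    autoconfig, _ = _read_string(blob, off)
    return {
        "version": version,
        "counter": counter,
        "flags": {name for bit, name in FLAG_NAMES.items() if flags & bit},
        "proxy_server": proxy,
        "bypass_list": bypass,
        "autoconfig_url": autoconfig,
    }


def is_autodetect_only(settings):
    """True when Internet Options would show 'Automatically detect settings'
    checked and nothing else: the always-present DIRECT bit plus AUTO_DETECT,
    with no proxy server or auto-config URL stored."""
    return (settings["flags"] == {"DIRECT", "AUTO_DETECT"}
            and not settings["proxy_server"]
            and not settings["autoconfig_url"])


def build_connection_settings(flags, proxy="", bypass="", autoconfig=""):
    """Build a value in the same layout (used only to construct a sample of a
    manual-proxy setting, the kind of change a removal helper looks for)."""
    out = struct.pack("<III", 0x46, 1, flags)
    for text in (proxy, bypass, autoconfig):
        data = text.encode("latin-1")
        out += struct.pack("<I", len(data)) + data
    return (out + bytes(32)).hex()


if __name__ == "__main__":
    for name, hex_text in (("SavedLegacySettings", SAVED_LEGACY_SETTINGS),
                           ("LAN Connection", LAN_CONNECTION)):
        s = decode_connection_settings(hex_text)
        print(name, sorted(s["flags"]), "auto-detect only:", is_autodetect_only(s))
    # Constructed sample: manual proxy on the loopback port named in the fix's ProxyOverride line.
    hijacked = decode_connection_settings(
        build_connection_settings(0x03, proxy="127.0.0.1:895", bypass="<local>"))
    print("constructed", sorted(hijacked["flags"]), hijacked["proxy_server"])
```

Against the values from post #37, "SavedLegacySettings" and "DefaultConnectionSettings" decode to flags 0x09 (direct + auto-detect) with empty strings, i.e. the state the helper asks for, while the "LAN Connection" entry has only the direct bit set. A value with the PROXY bit and a loopback proxy string is what a local interception proxy leaves behind and is worth comparing against the "ProxyServer"/"ProxyOverride" lines the fix clears.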

#42
Nutloaf

Nutloaf

    Trusted Helper

  • Malware Removal
  • 1,790 posts
Thanks for the PM regarding the fix freezing on the FF lines. Here is a new fix with the lines removed. ADWCleaner will deal with Firefox.

Run the fix then carry on with my last post :thumbsup:

1. OTL Fix

  • Right click the OTL icon and select Run as Administrator.
  • Copy the entire text in the Quote box below, do not include the word QUOTE and Paste into the Custom Scans/Fixes box in OTL.

    :COMMANDS
    [CREATERESTOREPOINT]

    :OTL
    IE - HKU\S-1-5-21-485409517-1736587146-2298806430-1000\..\SearchScopes,DefaultScope = {C22BB58A-9D6B-4917-B58E-43D08AD450CB}
    IE - HKU\S-1-5-21-485409517-1736587146-2298806430-1000\..\SearchScopes\{C22BB58A-9D6B-4917-B58E-43D08AD450CB}: "URL" = http://www.google.co...ie=utf8&oe=utf8
    IE - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>127.0.0.1;localhost;10.*;192.168.*;127.0.0.1:895;127.0.0.1:896
    IE - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" =
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
    O3 - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
    O3 - HKU\S-1-5-21-485409517-1736587146-2298806430-1004\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
    O37 - HKU\.DEFAULT\...exe [@ = exefile] -- Reg Error: Key error. File not found
    O37 - HKU\S-1-5-18\...exe [@ = exefile] -- Reg Error: Key error. File not found
    O37 - HKU\S-1-5-21-485409517-1736587146-2298806430-1000\...exe [@ = exefile] -- Reg Error: Key error. File not found

    [2013/10/05 14:59:02 | 000,022,215 | ---- | M] () -- C:\Users\tania\Documents\int intelius cm Has Not Responded_ Next Step___.eml
    [2013/10/05 14:59:01 | 000,027,913 | ---- | M] () -- C:\Users\tania\Documents\Re_ int intelius cm Has Not Responded_ Next Step___.eml
    [2013/10/05 14:58:59 | 000,015,405 | ---- | M] () -- C:\Users\tania\Documents\[Spokeo Support Center] Re_ Opt-out.eml
    [2013/10/05 14:58:58 | 000,036,500 | ---- | M] () -- C:\Users\tania\Documents\LinkedIn Network Updates, 6_27_2013.eml
    [2013/10/05 14:58:56 | 000,030,983 | ---- | M] () -- C:\Users\tania\Documents\[videossomente] Teens Like It Big - Elaina Rae.eml
    [2013/10/05 14:58:55 | 000,066,649 | ---- | M] () -- C:\Users\tania\Documents\Refund.eml
    [2013/09/09 19:26:22 | 000,016,152 | ---- | M] () -- C:\Windows\SysNative\drivers\SWDUMon.sys
    [2013/04/23 20:52:50 | 000,880,894 | ---- | C] () -- C:\Users\tania\AppData\Local\census.cache
    [2013/04/23 20:52:08 | 000,127,111 | ---- | C] () -- C:\Users\tania\AppData\Local\ars.cache
    [2013/04/23 20:39:43 | 000,000,036 | ---- | C] () -- C:\Users\tania\AppData\Local\housecall.guid.cache
    [2013/06/26 00:51:15 | 000,000,000 | ---D | M] -- C:\Users\tania\AppData\Roaming\TuneUp Software
    [2013/07/06 15:51:49 | 000,000,000 | ---D | M] -- C:\Users\tania\AppData\Roaming\Wondershare


    @Alternate Data Stream - 973 bytes -> C:\Users\tania\Documents\int intelius cm Has Not Responded_ Next Step___.eml:OECustomProperty
    @Alternate Data Stream - 910 bytes -> C:\Users\tania\Documents\Re_ int intelius cm Has Not Responded_ Next Step___.eml:OECustomProperty
    @Alternate Data Stream - 885 bytes -> C:\Users\tania\Documents\[Spokeo Support Center] Re_ Opt-out.eml:OECustomProperty
    @Alternate Data Stream - 572 bytes -> C:\Users\tania\Documents\Refund.eml:OECustomProperty
    @Alternate Data Stream - 11823 bytes -> C:\Users\tania\Documents\[videossomente] Teens Like It Big - Elaina Rae.eml:OECustomProperty
    @Alternate Data Stream - 1091 bytes -> C:\Users\tania\Documents\LinkedIn Network Updates, 6_27_2013.eml:OECustomProperty

    REG:
    [HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\connections]
    "SavedLegacySettings" = 46 00 00 00 2B 08 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 60 44 12 52 50 22 CE 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [binary data]
    "DefaultConnectionSettings" = 46 00 00 00 8D 0C 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 60 44 12 52 50 22 CE 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [binary data]

    :FILES
    C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin
    ipconfig /flushdns /c
    netsh winsock reset catalog /c
    netsh int ip reset c:\resetlog.txt /c
    ipconfig /release /c
    ipconfig /renew /c

    :COMMANDS
    [RESETHOSTS]
    [EMPTYTEMP]

  • Then click Run Fix
  • Click O.K if asked to Reboot.
  • An OTL fix log will be saved in the following location: C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log - where mmddyyyy_hhmmss is the date and time of the fix.
  • Copy and Paste the Fix Log in your next reply.

  • 0

#43
texred

texred

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
All processes killed
========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== OTL ==========
HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1000\Software\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1000\Software\Microsoft\Internet Explorer\SearchScopes\{C22BB58A-9D6B-4917-B58E-43D08AD450CB}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C22BB58A-9D6B-4917-B58E-43D08AD450CB}\ not found.
HKU\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
HKU\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}\ not found.
Registry value HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}\ not found.
Registry value HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}\ not found.
Registry value HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D4027C7F-154A-4066-A1AD-4243D8127440} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}\ not found.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\.DEFAULT\Software\Classes\exefile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-18\Software\Classes\.exe\ not found.
Registry key HKEY_USERS\S-1-5-18\Software\Classes\exefile\ not found.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
Registry key HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1000_Classes\.exe\ deleted successfully.
Registry key HKEY_USERS\S-1-5-21-485409517-1736587146-2298806430-1000_Classes\exefile\ deleted successfully.
HKEY_LOCAL_MACHINE\Software\Classes\.exe\\|exefile /E : value set successfully!
C:\Users\tania\Documents\int intelius cm Has Not Responded_ Next Step___.eml moved successfully.
C:\Users\tania\Documents\Re_ int intelius cm Has Not Responded_ Next Step___.eml moved successfully.
C:\Users\tania\Documents\[Spokeo Support Center] Re_ Opt-out.eml moved successfully.
C:\Users\tania\Documents\LinkedIn Network Updates, 6_27_2013.eml moved successfully.
C:\Users\tania\Documents\[videossomente] Teens Like It Big - Elaina Rae.eml moved successfully.
C:\Users\tania\Documents\Refund.eml moved successfully.
C:\Windows\SysNative\drivers\SWDUMon.sys moved successfully.
C:\Users\tania\AppData\Local\census.cache moved successfully.
C:\Users\tania\AppData\Local\ars.cache moved successfully.
C:\Users\tania\AppData\Local\housecall.guid.cache moved successfully.
C:\Users\tania\AppData\Roaming\TuneUp Software\TU2012\Backups folder moved successfully.
C:\Users\tania\AppData\Roaming\TuneUp Software\TU2012 folder moved successfully.
C:\Users\tania\AppData\Roaming\TuneUp Software folder moved successfully.
C:\Users\tania\AppData\Roaming\Wondershare\Wondershare Helper Compact folder moved successfully.
C:\Users\tania\AppData\Roaming\Wondershare\PDF Editor\Log folder moved successfully.
C:\Users\tania\AppData\Roaming\Wondershare\PDF Editor folder moved successfully.
C:\Users\tania\AppData\Roaming\Wondershare folder moved successfully.
Unable to delete ADS C:\Users\tania\Documents\int intelius cm Has Not Responded_ Next Step___.eml:OECustomProperty .
Unable to delete ADS C:\Users\tania\Documents\Re_ int intelius cm Has Not Responded_ Next Step___.eml:OECustomProperty .
Unable to delete ADS C:\Users\tania\Documents\[Spokeo Support Center] Re_ Opt-out.eml:OECustomProperty .
Unable to delete ADS C:\Users\tania\Documents\Refund.eml:OECustomProperty .
Unable to delete ADS C:\Users\tania\Documents\[videossomente] Teens Like It Big - Elaina Rae.eml:OECustomProperty .
Unable to delete ADS C:\Users\tania\Documents\LinkedIn Network Updates, 6_27_2013.eml:OECustomProperty .
File EY_USERS\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\connections] not found.
========== FILES ==========
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\ThinShims folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Chrome\Skin folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Chrome\Content folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Chrome folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Firefox folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Common folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome\Ext folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\Chrome folder moved successfully.
C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin folder moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\tania\Downloads\cmd.bat deleted successfully.
C:\Users\tania\Downloads\cmd.txt deleted successfully.
< netsh winsock reset catalog /c >
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
C:\Users\tania\Downloads\cmd.bat deleted successfully.
C:\Users\tania\Downloads\cmd.txt deleted successfully.
< netsh int ip reset c:\resetlog.txt /c >
Reseting Global, OK!
Reseting Interface, OK!
Reseting Unicast Address, OK!
Restart the computer to complete this action.
C:\Users\tania\Downloads\cmd.bat deleted successfully.
C:\Users\tania\Downloads\cmd.txt deleted successfully.
< ipconfig /release /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection 3 while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
Wireless LAN adapter Wireless Network Connection 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::68c5:259:5686:1a81%20
Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Tunnel adapter isatap.{F31A9FD8-AC1A-4B36-BDF2-638DA9579CD0}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\tania\Downloads\cmd.bat deleted successfully.
C:\Users\tania\Downloads\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
No operation can be performed on Wireless Network Connection 3 while it has its media disconnected.
No operation can be performed on Local Area Connection while it has its media disconnected.
Wireless LAN adapter Wireless Network Connection 3:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::68c5:259:5686:1a81%20
IPv4 Address. . . . . . . . . . . : 192.168.0.103
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\tania\Downloads\cmd.bat deleted successfully.
C:\Users\tania\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

User: tania
->Temp folder emptied: 17203849 bytes
->Temporary Internet Files folder emptied: 2771488 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 354987474 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 4522 bytes

User: TEMP

User: TEMP.tania-PC

User: TEMP.tania-PC.000

User: TEMP.tania-PC.001

User: TEMP.tania-PC.002

User: TEMP.tania-PC.003

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 282221370 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 128 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 0 bytes
RecycleBin emptied: 29486611 bytes

Total Files Cleaned = 655.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 10152013_162255

Files\Folders moved on Reboot...
C:\Users\tania\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
File move failed. C:\Users\tania\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat scheduled to be moved on reboot.
File move failed. C:\Windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.
File move failed. C:\Windows\temp\AdminHelper.lmlog scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
  • 0
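The fix log above mixes entries that succeeded, entries that were already gone, streams OTL could not delete, and files deferred to the next reboot. The script below is an added example, not OTL's or the helper's code: it sorts the log lines into those buckets using the outcome phrases visible in the log, lists the alternate data streams still present, and flags "File ... not found" lines whose target is not a drive-letter path. The sample input is a constructed excerpt of lines copied from the log above; the bucket names and the drive-letter heuristic are this example's own. In this log the heuristic catches the `File EY_USERS\...connections] not found.` line, which is the bracketed HKEY_USERS key from the fix's REG: section with its first characters missing.

```python
"""Added example: triage an OTL fix log into outcome buckets."""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the OTL fix log above.
SAMPLE_LOG = r"""
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C22BB58A-9D6B-4917-B58E-43D08AD450CB}\ not found.
HKU\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer| /E : value set successfully!
C:\Users\tania\Documents\Refund.eml moved successfully.
Unable to delete ADS C:\Users\tania\Documents\Refund.eml:OECustomProperty .
File EY_USERS\S-1-5-21-485409517-1736587146-2298806430-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings\connections] not found.
========== COMMANDS ==========
C:\Windows\System32\drivers\etc\Hosts moved successfully.
File move failed. C:\Windows\temp\AdminHelper.lmlog scheduled to be moved on reboot.
"""

# Matches "File C:\..." style targets; anything else in a "File ... not found." line is odd.
DRIVE_PATH = re.compile(r"^File [A-Za-z]:\\")
ADS_PREFIX = "Unable to delete ADS "


def classify_line(line):
    """Map one fix-log line to a bucket, or None for section headers and noise."""
    if line.startswith(ADS_PREFIX):
        return "failed"
    if line.startswith("File move failed"):
        return "deferred_to_reboot"
    if line.endswith("not found."):
        return "not_found"
    if line.endswith(("moved successfully.", "deleted successfully.", "value set successfully!")):
        return "done"
    return None


def triage(log_text):
    """Group the log's lines by outcome."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        kind = classify_line(line)
        if kind is not None:
            buckets[kind].append(line)
    return dict(buckets)


def not_found_without_drive(buckets):
    """'File ... not found' lines whose target lacks a drive letter: a sign that
    something other than a file path (here, a truncated registry key from the
    REG: section) was read as a :FILES entry."""
    return [line for line in buckets.get("not_found", [])
            if line.startswith("File ") and not DRIVE_PATH.match(line)]


def remaining_ads(buckets):
    """Alternate data streams OTL reported it could not delete; they need another pass."""
    return [line[len(ADS_PREFIX):].rstrip(" .") for line in buckets.get("failed", [])]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for kind, lines in result.items():
        print(f"{kind}: {len(lines)}")
    print("odd 'not found' lines:", not_found_without_drive(result))
    print("ADS still present:", remaining_ads(result))
```

Run on the full log it gives a helper a quick answer to the question asked in the next post: which items are still pending, and whether any line of the fix was mangled on the way into OTL.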

#44
Nutloaf

Nutloaf

    Trusted Helper

  • Malware Removal
  • 1,790 posts
Hi there Texred, thanks for the results.

Did you copy and paste the whole fix in one go or did you paste a part and then another part?
  • 0

#45
texred

texred

    Member

  • Topic Starter
  • Member
  • PipPip
  • 54 posts
# AdwCleaner v3.007 - Report created 15/10/2013 at 16:42:47
# Updated 09/10/2013 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : tania - TANIA-PC
# Running from : C:\Users\tania\Downloads\AdwCleaner(2).exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{318A227B-5E9F-45BD-8999-7F8F10CA4CF5}]
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16720


-\\ Mozilla Firefox v24.0 (en-US)

[ File : C:\Users\tania\AppData\Roaming\Mozilla\Firefox\Profiles\j5oh9g3x.default\prefs.js ]


*************************

AdwCleaner[R2].txt - [1717 octets] - [15/10/2013 16:41:30]
AdwCleaner[S1].txt - [1525 octets] - [15/10/2013 16:42:47]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1585 octets] ##########
  • 0





