[pystryker]

So when I went to remove the program it wasn't listed and the shortcut in the start menu couldn't find the program, so I deleted the entire folder. We never used the program.

I then reran the ESET Scan and it got about 23% through had found 27 infections and then it froze again.

Did you happen to see what file it froze on this time?

[Advertisements]

One other thing: Don't let it discourage you. We'll get this whipped, no worries.

[pystryker]

One other thing: Don't let it discourage you. We'll get this whipped, no worries.

[Jams]

No, it was a file in a windows folder. with a bunch of letters and odd characters. Do you want me to run again and write down name if and when freezes?

[pystryker]

No, it was a file in a windows folder. with a bunch of letters and odd characters. Do you want me to run again and write down name if and when freezes?

Yes, run it again, and if you could get a screenshot of it and post it, that would save you some trouble.

[Jams]

Yay! It actually finished this time. Here is log.

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=237381ea9275f24bbeb502910db9a728
# engine=16640
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2014-01-15 03:03:24
# local_time=2014-01-14 09:03:24 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode=774 16777213 85 77 0 0 0 0
# compatibility_mode=5893 16776573 100 94 0 141298454 0 0
# scanned=245470
# found=21
# cleaned=0
# scan_time=82933
sh=E5D9B95F657EFD41D0CC7F40355A9BEDC2E5AE61 ft=1 fh=4bd68e7d6992d912 vn="Win32/DownloadAdmin.G application" ac=I fn="C:\$RECYCLE.BIN\S-1-5-21-430625486-824903956-1577427737-1004\$RGE52UR.exe"
sh=F8CA5824DCBD36E7B0DAD5C0BA5C9530C90EC8A9 ft=0 fh=0000000000000000 vn="Win32/TrojanDownloader.Tracur.V trojan" ac=I fn="C:\Users\ChyDyl\AppData\Local\Google\Chrome\User Data\Default\Default\aadddjgdgcdcdjdbgegcdidfdedidadb\background.js"
sh=F3BFBFDD3DDB2A7861C8003D8A3CFED2A89F8580 ft=0 fh=0000000000000000 vn="Win32/TrojanDownloader.Tracur.AD trojan" ac=I fn="C:\Users\ChyDyl\AppData\Local\Google\Chrome\User Data\Default\Default\aadddjgdgcdcdjdbgegcdidfdedidadb\ContentScript.js"
sh=EC22DD067EFDDE7932794086F48426CE5C7B747E ft=0 fh=0000000000000000 vn="Win32/TrojanDownloader.Tracur.AD.Gen trojan" ac=I fn="C:\Users\ChyDyl\AppData\Roaming\Mozilla\Firefox\Profiles\0aon2f24.default\extensions\[email protected]"
sh=EC22DD067EFDDE7932794086F48426CE5C7B747E ft=0 fh=0000000000000000 vn="Win32/TrojanDownloader.Tracur.AD.Gen trojan" ac=I fn="C:\Users\ChyDyl\AppData\Roaming\Mozilla\Firefox\Profiles\tl3g4mld.default\extensions\[email protected]"
sh=55547EC8427773924A96D8646E0D5E3625054E25 ft=1 fh=431aa40ef40e7662 vn="a variant of Win32/OpenInstall application" ac=I fn="C:\Users\ChyDyl\Downloads\WinZip170 (1).exe"
sh=55547EC8427773924A96D8646E0D5E3625054E25 ft=1 fh=431aa40ef40e7662 vn="a variant of Win32/OpenInstall application" ac=I fn="C:\Users\ChyDyl\Downloads\WinZip170.exe"
sh=25CF9B7BB46B581ED8DE03DDC56E1574087CACAA ft=1 fh=10c5a1651be6049d vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup326.exe"
sh=180C8ED7C81E3AE7B0507B26C927EA93584B017C ft=1 fh=b0b83453fcc7b480 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup327.exe"
sh=3D84C7C0E316EAD02DD7A59E746EC798DAB8BC0C ft=1 fh=ce50a11e70bad71c vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup328.exe"
sh=60C77FF66F63F585FCE95C78FF44B513E2AAB9F9 ft=1 fh=17494879e4339ab3 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup400.exe"
sh=2FEC2BB06C11B711B37E7D1BAC0004F8F25A4C7B ft=1 fh=9586b0754c97a9e0 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup401.exe"
sh=EA244E84E1468A6AF4741F2184E113A16F833D8B ft=1 fh=a9c73d0d07b22a58 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup402.exe"
sh=A4854C3C5A7277D3C02F88330D2023AAD3667533 ft=1 fh=818bd9cd8f0d2ffa vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup403.exe"
sh=6525F85F423A8ACB9DE261FCE7C1BFDCAF0651EC ft=1 fh=e751b5239200023c vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup404.exe"
sh=59C75B45AC46FAC8C4018205544938C46B1BA631 ft=1 fh=ab462a0af6e69b03 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup405(1).exe"
sh=59C75B45AC46FAC8C4018205544938C46B1BA631 ft=1 fh=ab462a0af6e69b03 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup405.exe"
sh=ADF2AD3B94EB35DC371AB7A1A49B004B7C76BFA5 ft=1 fh=f95766f30bc4ebc6 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup406.exe"
sh=DD6E088E22874B283348A15DB5159C7B20CC6D22 ft=1 fh=fe9dda6ca79832a6 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup407.exe"
sh=6585F3BCD797EFC2F81599CDE50115668B677D52 ft=1 fh=c4c5afd1d69feff3 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup408(1).exe"
sh=6585F3BCD797EFC2F81599CDE50115668B677D52 ft=1 fh=c4c5afd1d69feff3 vn="Win32/Bundled.Toolbar.Google.D application" ac=I fn="C:\Users\JDSKHillPC\Downloads\ccsetup408.exe"

[pystryker]

That's great! I've submitted what I want to do next for my teacher's approval, but it will be the morning before I can get approval as he's offline for the night.

[Jams]

No worries. Good Night!

[pystryker]

Looks good! Let's send the orphans it found packing.


Let's run an OTL fix:

Warning: This fix is to be used on this system and this system ONLY. Using this fix on any other machine other than yours can seriously damage it.

Be advised that when the fix commences, it will shut down all running processes and you may lose the desktop and icons, they will return on reboot.

Run OTL by double clicking it (Windows Vista, Windows 7, and 8, right click and select "Run as Administrator)

• Copy the text in the quote box below (do not copy the word "quote") and paste in the in the box marked Custom Scans/Fixes as shown in the graphic below.

:Commands
[createrestorepoint]

:Files
C:\Users\ChyDyl\AppData\Local\Google\Chrome\User Data\Default\Default\aadddjgdgcdcdjdbgegcdidfdedidadb
C:\Users\ChyDyl\AppData\Roaming\Mozilla\Firefox\Profiles\0aon2f24.default\extensions\[email protected]
C:\Users\ChyDyl\AppData\Roaming\Mozilla\Firefox\Profiles\tl3g4mld.default\extensions\[email protected]
C:\Users\ChyDyl\Downloads\WinZip170 (1).exe
C:\Users\ChyDyl\Downloads\WinZip170.exe
C:\Users\JDSKHillPC\Downloads\cc*.exe

:Commands
[reboot]

• Click the Run Fix button at the top of the OTL control panel.
  
• Let the program run until it's finished and then reboot the computer.
  
• Once your machine has rebooted, a log will open. Please post that log in your next reply.

If you have any problems, questions, or need further explanation, please post a message in this thread and I will get back to you asap.

Things I need to see in your next post:

OTL Fix Log

[Jams]

Ok, I ran the fix, but there is no log file. No file pops up when machine reboots and the only log on the desktop is the 1/11 log I posted earlier.

Don't know what's going on, but I cannot find a log.

[pystryker]

Hi

You can find a copy of the log in this location: C:\_OTL\MovedFiles

[Jams]

Thanks!

Here you go!

========== COMMANDS ==========
Restore point Set: OTL Restore Point
========== FILES ==========
C:\Users\ChyDyl\AppData\Local\Google\Chrome\User Data\Default\Default\aadddjgdgcdcdjdbgegcdidfdedidadb folder moved successfully.
C:\Users\ChyDyl\AppData\Roaming\Mozilla\Firefox\Profiles\0aon2f24.default\extensions\[email protected] moved successfully.
C:\Users\ChyDyl\AppData\Roaming\Mozilla\Firefox\Profiles\tl3g4mld.default\extensions\[email protected] moved successfully.
C:\Users\ChyDyl\Downloads\WinZip170 (1).exe moved successfully.
C:\Users\ChyDyl\Downloads\WinZip170.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup326.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup327.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup328.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup400.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup401.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup402.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup403.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup404.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup405(1).exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup405.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup406.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup407.exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup408(1).exe moved successfully.
C:\Users\JDSKHillPC\Downloads\ccsetup408.exe moved successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.69.0 log created on 01152014_215411

[pystryker]

Excellent!

I have a few things I'm awaiting approval on for you, but that looks really good!

[pystryker]

Hello

Great news, your logs are CLEAN! We still have a few things we need to address namely:

• I need to remove the tools we installed on your machine.
  
• I also have some information for you to help protect you against infections in the future.

Ok, here we go:


Step 1: Delete old restore points and create a new one.

We're going to delete your old restore points and create a new one. We do this in case you need to do a system restore, you will have a clean restore point.

Please follow the instructions below:

• Start OTL and copy the text in the quote box below.
  
• Paste the contents into the Custom Scans/Fixes box and click the Run Fix button.
  
• OTL will delete the old restore points and create a new one.

:Files
%systemroot%\sysnative\vssadmin delete shadows /for=c: /all /quiet /c

:Commands
[CreateRestorePoint]

Step 2: Tool Removal

• Start AdwCleaner and click the Uninstall button. It will remove the quarantined files and uninstall itself.
  
• You can delete Junkware Removal Tool from your desktop.
  
• Start OTL and click the Cleanup button. OTL will delete it's quarantined files and then uninstall itself.
  
• I'd recommend keeping Malwarebytes Anti-Malware installed. Make sure to update it and run it at least once a week.
  
• You can uninstall ESET Online Scanner at this time.
  
• You can delete SecurityCheck from your desktop.

Step 3: Java Warning and FileHippo Updater


A word about Java

Java has become the #1 program exploited by thieves and hackers as of today. It's gotten so bad, the Department of Homeland Security recently recommended that users disable Java on their machines.

For more information regarding this, see the two articles below:

Forbes: US Department of Homeland Security Calls on user do disable Java

US warns on Java software

Unless you have software on your machine that absolutely requires Java, I highly recommend you completely remove it from your system.

If you do have software that requires it, then disable it until such time as it's needed by those programs.

Please click the link below for instructions to disable Java.

How to Disable Java in your Web Browser


If you wish to continue to use Java on your machine, please be sure to keep it updated by following the instructions below.

• Click on this link Java Website and click Do I Have Java?
  
• Then click the Verify Java Version button. It will scan your current version and show you if you have the most current version.

You can also download a tool called JavaRa that will automatically search for new updates and remove older versions of Java.
Click the link below to go to the download page to get the tool.

JavaRa

Once you have downloaded JavaRa

• Unzip the files to the directory of your choice.
  
• Double click the JavaRa icon in the directory and choose your language preference.
  
• Click Remove Older Versions from the menu.
  
• Click Yes.
  
• If you get a warning that Internet Explorer needs to be closed, close it, then click ok.
  
• JavaRa will then search for and remove old versions of Java from your machine.

You can find instructions for manually removing older versions for Windows XP, Vista, and 7 by clicking the link below:

Instructions for manually removing old versions of Java


Keeping your software updated

Another weapon against malicious programs and viruses is to keeping other programs updated. There are several programs out there that can check for out of date programs on your computer. One is Filehippo. You can run this on a weekly or monthly basis to check your programs for updates and then it will provide a link for you to download them.

Download Filehippo Updatechecker


Step 4: Information and Protection against CryptoLocker


Watch what you open in your emails. If you get an email from an unknown source with any attached files, do not open it.

Be careful of the websites you visit.

When installing new programs, don't be "click happy" and click through the screens. Many programs come with adware in them and are set to install them by default. Several programs require that you uncheck or select no to prevent the installation. Take you time and read each screen as you go.

To help protect yourself while on the web, I recommend you read How did I get infected in the first place?

A warning about CryptoLocker

CryptoLocker is a ransomware program that was released around the beginning of September 2013 that targets all versions of Windows including Windows XP, Windows Vista, Windows 7, and Windows 8. This ransomware will encrypt certain files using a mixture of RSA & AES encryption. When it has finished encrypting your files, it will display a CryptoLocker payment program that prompts you to send a ransom of either $100 or $300 in order to decrypt the files. This screen will also display a timer stating that you have 72 hours, or 4 days, to pay the ransom or it will delete your encryption key and you will not have any way to decrypt your files. This ransom must be paid using MoneyPak vouchers or Bitcoins. Once you send the payment and it is verified, the program will decrypt the files that it encrypted.

Please download and install CryptoPrevent to lock your machine down from this infection.




Are there any further issues I can assist you with?

[Jams]

Thanks for all your help! I appreciate it.

Good luck in your studies!

[pystryker]

Thanks for all your help! I appreciate it.

Good luck in your studies!

Thank you, and you are very welcome!

Safe Surfing

pystryker