[celago]

Hello,

 

I will like help removing malware from my father's computer (HP Desktop PC with Windows 7). I have already spent the last 48 hours scanning and cleaning using malware bytes, sophos, avg and trend micro (not at the same time), as well as manually removing things from the startup (via msconfig), browser extensions (for chrome, firefox, and ie) and program files (uninstalling known culprits). I have also ran ccleaner as well as avg and tuneup utilities several times and gone through several rounds of much needed updates for the windows 7.

 

The problem is not as bad as before (two days ago when I first saw the computer), but it is still creeping up every now and then. Basically, the internet browsing is interrupted by unwanted popups of extra tabs to ad sites or fake "mac keeper" or similar services that purport to identify a virus and provide a software download link. Some sites, including geekstogo, have part of their text highlighted in green with an arrow which point to unwanted links to similar ad sites or fake virus diagnostic reports.

 

The suspect urls that keep showing up are adcash, snapdo, mackeeper, android appsync (or something similar sounding). There could be others, but I have deleted so many things over the last couple of days that I forget the names now.

 

Lastly, the virus seems to have infected other devices through the wifi. My father's iphone and ipad as well as my samsung s4 phone have constant popups show up when browsing the internet through them.

 

Here are the OTL logs.

 

Many thanks for all your help in advance.

 

Best,

 

CL

Attached Files

•  Extras.Txt   60.93KB   164 downloads
•  OTL.Txt   82.24KB   168 downloads

[Advertisements]

Hi there I would like to use a different scanner

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach both logs generated.

THEN

Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation, accept that
When it offers to download the virus database allow that as well
Click the "Scan" button to start scan




On completion of the scan click save log, save it to your desktop and post in your next reply

[Essexboy]

Hi there I would like to use a different scanner

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach both logs generated.

THEN

Download aswMBR.exe ( 4.5mb ) to your desktop.
Double click the aswMBR.exe to run it.
You may be offered the option of using virtualisation, accept that
When it offers to download the virus database allow that as well
Click the "Scan" button to start scan




On completion of the scan click save log, save it to your desktop and post in your next reply

[celago]

thank you!

Attached Files

•  Addition.txt   24.3KB   256 downloads
•  FRST.txt   65.65KB   191 downloads
•  aswMBR.txt   2.42KB   164 downloads

[Essexboy]

Could you let me know how the computer is behaving after this please

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

AppInit_DLLs: C:\Users\Jaun\AppData\Local\Smartbar\Application\Resources\crdlil64.dll => C:\Users\Jaun\AppData\Local\Smartbar\Application\Resources\crdlil64.dll File Not Found
AppInit_DLLs-x32: c:\users\jaun\appdata\local\smartbar\application\resources\crdlil.dll => "c:\users\jaun\appdata\local\smartbar\application\resources\crdlil.dll" File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Internet Explorer proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:49423;https=127.0.0.1:49423
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL =
SearchScopes: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL =
Toolbar: HKU\S-1-5-21-1305129150-3733445347-2525841340-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - No File
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - No File
FF Extension: No Name - C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [Not Found]
2014-12-14 07:04 - 2014-01-29 12:01 - 00000000 ____D () C:\Users\Jaun\AppData\Local\Conduit
2014-12-14 07:04 - 2014-01-29 12:01 - 00000000 ____D () C:\Program Files\Conduit
2014-12-14 07:04 - 2014-01-29 12:01 - 00000000 ____D () C:\Program Files (x86)\Conduit
2014-12-14 07:04 - 2013-12-14 20:17 - 00000000 ____D () C:\Users\Jaun\AppData\Roaming\Systweak
2014-12-13 07:35 - 2013-12-14 20:18 - 00000000 ____D () C:\Program Files (x86)\MyPC Backup
2014-12-13 07:33 - 2013-12-23 16:19 - 00000000 ____D () C:\Program Files (x86)\PCFixSpeed
2014-12-13 06:10 - 2014-01-09 21:55 - 00000000 ____D () C:\Users\Jaun\AppData\Local\StormAlerts
Task: {96610E0E-10D0-429B-8D40-97017B7A1402} - System32\Tasks\{99ED054F-F6DD-47E0-9BA2-C363C75E1A1A} => pcalua.exe -a C:\Users\Jaun\Downloads\sp48162.exe
C:\Users\Jaun\AppData\Local\Mobogenie
c:\users\jaun\appdata\local\smartbar
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

[celago]

Will reply in the next couple of days. Thank you for your help. Please do not close the thread.

[celago]

here are the logs... many thanks again...

 

I should say that I got an error message when running the script on FRST... i tried it a couple of times and rechecked it to make sure i hadn't made a mistake, but i am pretty sure i followed your steps to a t... the log still printed out, but i am also attaching a screengrab of the error message just in case (.pdf file)...

 

no obvious problems with the adwcleaner however... 

 

 

Attached Files

•  AdwCleanerS0.txt   3.91KB   184 downloads
•  Fixlog.txt   5.83KB   157 downloads
•  frst error message.pdf   112.67KB   111 downloads
•  AdwCleanerR0.txt   4.09KB   183 downloads

[Essexboy]

Thanks I will pass that on to Farbar

How is the computer behaving now ?

[celago]

The computer is behaving a lot better since I dloaded all the usual cleaners and tuneup software programs a couple of days before I posted on gtg. No more unwanted popups or bogus google-look-alike search engines. However, the mobile devices that are using the same wifi signal as the desktop still get unwanted prompts from adcash or other similar websites to download fishy "android cleaners". Alternatively, the play store on these devices pops up every now and then inviting us to download unwanted games and such.

 

When connected on other wifi networks, these mobile devices behave normally.

 

Many thanks!

[Essexboy]

That would tend to suggest that there may be an infection in the router. Do you know how to reset it ?

[celago]

i know how to reset it using an unbent paperclip... is that what you mean? should i just do that and nothing else?

 

thanks!

[Essexboy]

Yes as the other devices connecting are expiring popups that would be the logical conclusion, especially as there are none when they use other routers

[celago]

ok. just reset it. will be on the lookout for the mobile devices.

 

otherwise, do the logs show any remaining malware?

 

thanks!

[Essexboy]

No the logs look clean, any further problems before I tidy up ?

[celago]

well... the main pc seems to be working fine then... and so do the mobile devices...

 

but there is one last remaining macbook on the home network that is still showing similar symptoms... i.e. unwanted invitations to dload software through the app store...

 

any help is much appreciated!

[Essexboy]

Unfortunately I know nothing about Mac's I have never even owned one. We do have a mac forum here http://www.geekstogo.../176-apple-osx/ but I am not sure if anyone is qualified to clean them. There do not appear to be any forums that specialise in this that I can find I am afraid


Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Remove tools

Download and run Delfix



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware



Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe