CBL blacklisted my IP and says I am infected with corebot



#61
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
That's ok, my_name. Not to worry. :)

Are you having any other issues with your computers being blocked or is it just that when you check the IP that it shows on the blacklist?

I do know the router has a built-in firewall and it's on, that's all.

Ok. When I had you perform a hard reset on your router, did you happen to change the password or did you keep the factory default password? Personally I would change it.

For security purposes, passwords really should be changed frequently. It can be convenient to have the same password for everything and never change it, though it is not a good idea, especially if you are experiencing issues with your ISP as you are. If you fear that you may forget your passwords, there are password managing apps that can be used and many of them are free. See here. I am old school so I keep my passwords and all login information for my many sites (including banking) written down in a notebook so I don't forget them, and I do change them about once a month.

The 2 computers we checked so far are clean though we do need to remove the tools from the second yet. If you would feel more at peace, we could run scans on that 3rd computer to verify it is clean. Let me know what you would like to do.
  • 0
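Donna's question about whether the address "shows on the blacklist" amounts to a DNSBL lookup: the octets of the public IPv4 address are reversed, the zone name is appended, and an A-record answer means the address is listed. The script below is an added example written for this page, not code from the thread or from CBL/Spamhaus. The zone names are the real public zones; the Spamhaus ZEN return-code meanings are taken from the Spamhaus documentation and should be checked against the current docs before being relied on. Nothing touches the network unless `lookup()` or `resolver_sanity()` is called.

```python
import ipaddress
import socket
from typing import Optional

# Real public DNSBL zones. CBL data is also published through Spamhaus XBL/ZEN.
CBL_ZONE = "cbl.abuseat.org"
ZEN_ZONE = "zen.spamhaus.org"


def is_public_ipv4(ip: str) -> bool:
    """Only a public address can be on a DNSBL. Checking a LAN address such as
    192.168.1.1 says nothing about the router's WAN address, which is the one
    the ISP assigned and the one CBL listed."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and addr.is_global


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets followed by the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(addr.exploded.split(".")))
    return f"{reversed_octets}.{zone}"


def _query(name: str) -> Optional[str]:
    """Resolve the query name. None means NXDOMAIN (not listed), but gaierror is
    also what you get when the resolver itself is broken; see resolver_sanity()."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def lookup(ip: str, zone: str = CBL_ZONE) -> Optional[str]:
    """Return the A-record answer (e.g. 127.0.0.2) if ip is listed, else None."""
    if not is_public_ipv4(ip):
        raise ValueError(f"{ip} is not a public IPv4 address; check the router's WAN IP instead")
    return _query(dnsbl_query_name(ip, zone))


def resolver_sanity(zone: str = CBL_ZONE) -> bool:
    """RFC 5782 section 5: 127.0.0.2 MUST be listed and 127.0.0.1 MUST NOT be.
    If this returns False, a 'not listed' answer from lookup() means nothing."""
    listed = _query(dnsbl_query_name("127.0.0.2", zone)) is not None
    clean = _query(dnsbl_query_name("127.0.0.1", zone)) is None
    return listed and clean


def describe_listing(answer: Optional[str], zone: str = CBL_ZONE) -> str:
    """Turn a DNSBL answer into a human-readable reason. ZEN multiplexes several
    lists into the last octet of the answer (Spamhaus documentation; assumption
    that the codes have not changed since this was written)."""
    if answer is None:
        return "not listed"
    if zone == ZEN_ZONE:
        last = int(answer.rsplit(".", 1)[1])
        if last == 2:
            return "SBL (spam source)"
        if last == 3:
            return "SBL CSS (snowshoe spam)"
        if 4 <= last <= 7:
            return "XBL (compromised host, bot or open proxy; includes CBL data)"
        if last == 9:
            return "SBL DROP"
        if last in (10, 11):
            return "PBL (dynamic/residential range, policy listing, not an infection)"
    return f"listed ({answer})"


if __name__ == "__main__":
    # Constructed example address; replace with the router's WAN IP.
    ip = "1.2.3.4"
    if resolver_sanity(ZEN_ZONE):
        print(ip, "->", describe_listing(lookup(ip, ZEN_ZONE), ZEN_ZONE))
    else:
        print("resolver failed the RFC 5782 sanity check; result would be meaningless")
```

A PBL answer from ZEN is worth knowing about in a thread like this one: it means the ISP's whole dynamic range is listed by policy, which is not evidence of infection and is something only the ISP can change, which is where Donna ends up pointing in any case.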


#62
my_name

my_name

    Sophomore

  • Topic Starter
  • GeekU Sophomore
  • PipPipPip
  • 273 posts

We're not experiencing anything serious with blocking sites we normally go to.  My biggest concern was if we had malware on any of our devices.

 

When you had me reset my router, I reset the wifi password and changed the password for administrative access to the router.  I was really glad you brought it to my attention, because I hadn't ever changed the administrative password before.  Now the firmware is updated also, in case there have been any security patches issued.  Definitely, I feel like the settings on our router are improved over what I had them at before we discussed this.  Thank you for your tips on passwords.

 

I am ready to remove the tools from the 2nd computer now, and would feel better if we made sure the third is clean.  Thank you for offering.


  • 0

#63
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
Good. That's what I was hoping to hear. Let's remove those tools now and move along to the last computer.

Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report.
    Paste it for my review.

  • 0

#64
my_name

my_name

    Sophomore

  • Topic Starter
  • GeekU Sophomore
  • PipPipPip
  • 273 posts

Here it is, some of the tools we used were used on the flash drive and I manually deleted them:

 

# DelFix v1.013 - Logfile created 10/05/2016 at 21:43:01
# Updated 17/04/2016 by Xplode
# Username : owner - OWNER-PC
# Operating System : Windows 10 Home  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\TDSSKiller.3.0.0.44_07.06.2015_10.44.00_log.txt
Deleted : C:\TDSSKiller.3.1.0.9_07.05.2016_14.09.35_log.txt
Deleted : C:\Users\owner\Desktop\adwcleaner_5.115.exe
Deleted : C:\Users\owner\Desktop\JRT.exe
Deleted : C:\Users\owner\Desktop\JRT.txt

~ Cleaning system restore ...

Deleted : RP #2 [Scheduled Checkpoint | 05/10/2016 03:10:19]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 


  • 0

#65
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
Ok... Now for the final computer..

Download Farbar Recovery Scan Tool to your desktop from one of the links below:

For x32 (x86) bit systems download Farbar Recovery Scan Tool.
For x64 bit systems download Farbar Recovery Scan Tool x64.
  • Right click on the FRST.exe and choose Run as administrator.
  • When the tool opens click Yes to disclaimer.
  • Under Optional Scan make sure there is a checkmark in the box for Addition.txt to ensure it creates that 2nd log.
  • Press Scan button.
  • Please attach both logs in your next reply.

  • 0

#66
my_name

my_name

    Sophomore

  • Topic Starter
  • GeekU Sophomore
  • PipPipPip
  • 273 posts

When I opened Farbar tool, I got this Application Error:  Exception EAccessViolation in Module ERUNT.exe at 00003A38.  Access violation at address 00403A38 in module ERUNT.exe.  Read of address 0076005D.  What does this mean?  I still got the logs though and attached them here.

Attached Files


  • 0

#67
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
That application error means that FRST failed to execute ERUNT, which is what it uses to back-up the Registry. The developer of FRST is looking into why this happens on some systems yet not others. He said to please ignore it. I'll have a closer look at your logs today after work.

I do see that Wise Care 365 is installed. Please uninstall that as you did on the previous laptop through the Control Panel.
  • 0

#68
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
Hi my_name,

After a thorough look through the logs I can confirm that this last computer is not infected either. There are a few orphaned files that we can remove so let's do that then scan with JRT and AdwCleaner.
  • Open notepad (Start orb > type notepad into Start Search > choose notepad from the list).
  • Please copy the entire contents of the code box below.
    (To do this, highlight the contents of the box, right click on it and select Copy.)
  • Right-click in the open notepad and select Paste.
  • Save it to the same directory as frst.exe (or frst64.exe) as fixlist.txt.

    CreateRestorePoint:
    2016-04-22 15:39 - 2016-04-22 15:40 - 00000000 ____D C:\ProgramData\Norton
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
    Task: {0B6ABAA5-66FA-4DB3-8F33-F05BA469A557} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
    Task: {25960F9B-06BB-4C42-A015-0C437F856659} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
    Task: {3142F402-43E3-4774-B141-FD859678F075} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
    Task: {508BEC41-0069-428A-947C-E65DC7FE0151} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
    Task: {A8871FC6-A1EF-4995-B374-CEAF0FB10A28} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
    Task: {AFB40FCE-6373-4566-818D-92F01641C51E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
    Task: {B768AA03-8233-4EEF-926B-EC8835AA3999} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
    Task: {BCCA6E44-FF89-46CC-9EB2-980E5F589457} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
    Task: {E17E24F3-CA29-4754-81AA-07B69020BDB1} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
    Task: {E9827CAA-4799-4847-8E36-89EACD4359C9} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
    Task: {EEC03B5F-A91A-4A13-9078-3E5CFE4503DC} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
    Hosts:
    EmptyTemp:
    
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run frst.exe (on 64bit, run frst64.exe) and press the Fix button just once and wait.
  • The tool will make a log (Fixlog.txt) which you will find where you saved FRST. Please post it to your reply.
  • Next

    Please download Junkware Removal Tool to your desktop.
    • Disable your AV protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it on XP, or right click and select Run as Administrator on Vista/Win7 and above.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.
    Next:

    Please download AdwCleaner by Xplode onto your Desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click the Scan button and wait for the process to complete.
    • Click the logfile button and the log will open in Notepad.
    • Click on the Clean button and follow the prompts.
    • A log file will automatically open after the scan has finished and the PC has rebooted.
    • Please post the content of that log file with your next answer.
    • The report will be saved in the C:\AdwCleaner folder.
    Please post the following logs:

    Fixlog.txt
    JRT.txt
    AdwCleaner


    Thank you,
    Donna :)

  • 0
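Every line in Donna's fixlist above is an FRST log line copied verbatim: CustomCLSID entries whose InprocServer32 DLL is marked "=> No File" (per-user COM registrations left behind by old Google Update builds) and scheduled tasks whose target is "No File <==== ATTENTION" (leftovers of the Windows 10 upgrade nag). FRST treats copied log lines as removal instructions, which is why the script looks the way it does. The parser below is an added example written for this page, not part of FRST or the thread; it handles only the two line shapes seen in this fixlist, and the sample input is taken from those lines plus one constructed healthy CustomCLSID line (all-zero GUID) to show what does not get queued for removal.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Patterns for the two FRST line shapes that appear in the fixlist above.
# Written from those lines only; FRST prints other shapes this example ignores.
CLSID_RE = re.compile(
    r"^CustomCLSID:\s+(?P<key>HKU\\\S+\\CLSID\\(?P<guid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32)"
    r"\s+->\s+(?P<target>.+?)(?P<missing>\s+=>\s+No File)?\s*$"
)
TASK_RE = re.compile(
    r"^Task:\s+(?P<guid>\{[0-9A-Fa-f-]{36}\})\s+-\s+(?P<key>\\\S+)"
    r"\s+->\s+(?P<target>.+?)(?P<attention>\s+<====\s+ATTENTION)?\s*$"
)


@dataclass
class Finding:
    kind: str        # "CustomCLSID" or "Task"
    guid: str        # the CLSID or task id in braces
    location: str    # registry key or task path
    target: str      # referenced binary, or "No File"
    orphaned: bool   # True when the referenced binary is gone
    raw: str         # original log line, reused verbatim in a fixlist


def parse_line(line: str) -> Optional[Finding]:
    """Parse one FRST log line; returns None for lines this example does not handle."""
    s = line.strip()
    m = CLSID_RE.match(s)
    if m:
        return Finding("CustomCLSID", m["guid"], m["key"], m["target"],
                       m["missing"] is not None, s)
    m = TASK_RE.match(s)
    if m:
        orphaned = m["target"] == "No File" or m["attention"] is not None
        return Finding("Task", m["guid"], m["key"], m["target"], orphaned, s)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    return [f for f in (parse_line(l) for l in lines) if f is not None]


def orphaned(findings: Iterable[Finding]) -> List[Finding]:
    return [f for f in findings if f.orphaned]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count orphaned entries per kind, e.g. {'CustomCLSID': 9, 'Task': 11}."""
    counts: Dict[str, int] = {}
    for f in orphaned(findings):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def build_fixlist(findings: Iterable[Finding]) -> List[str]:
    """FRST fixlists are log lines copied verbatim; CreateRestorePoint: goes first,
    exactly as the thread's own fixlist does."""
    return ["CreateRestorePoint:"] + [f.raw for f in orphaned(findings)]


# Constructed sample: three lines from the fixlist above plus one healthy,
# made-up CustomCLSID line (all-zero GUID, non-existent product) for contrast.
SAMPLE_LOG = r"""
CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Z\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-2112759670-3577205592-1219129408-1002_Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32 -> C:\Program Files\Example\example.dll
Task: {0B6ABAA5-66FA-4DB3-8F33-F05BA469A557} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Hosts:
EmptyTemp:
"""


def sample_findings() -> List[Finding]:
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    fs = sample_findings()
    print(summarize(fs))
    print("\n".join(build_fixlist(fs)))
```

The "No File" marker is FRST's own judgement at scan time; on the live machine a careful helper re-checks each target path before queuing the line, since a DLL that reappears after a pending updater run is not orphaned, just late.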

#69
my_name

my_name

    Sophomore

  • Topic Starter
  • GeekU Sophomore
  • PipPipPip
  • 273 posts

Here is the fixlog file, I'm working on the other two now.

Attached Files


  • 0

#70
my_name

my_name

    Sophomore

  • Topic Starter
  • GeekU Sophomore
  • PipPipPip
  • 273 posts

Ok, I finished with the other two:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Home x64
Ran by Z (Administrator) on Wed 05/11/2016 at 21:31:35.45
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 10

Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\ProgramData\Start Menu\Programs\coupons (Folder)
Successfully deleted: C:\Users\Z\AppData\Roaming\9282 (Folder)
Successfully deleted: C:\Users\Z\AppData\Roaming\Mozilla\Firefox\Profiles\23li36e7.default\searchplugins\startpage-hxxps.xml (File)
Successfully deleted: C:\Users\Z\AppData\Roaming\new version available (Folder)
Successfully deleted: C:\Users\Z\AppData\Roaming\productdata (Folder)
Successfully deleted: C:\WINDOWS\couponprinter.ocx (File)
Successfully deleted: C:\WINDOWS\system32\Tasks\Uninstaller_SkipUac_Z (Task)
Successfully deleted: C:\WINDOWS\Tasks\Uninstaller_SkipUac_Z.job (Task)
Successfully deleted: C:\Program Files (x86)\coupons (Folder)



Registry: 1

Successfully deleted: HKLM\SYSTEM\CurrentControlSet\services\CouponPrinterService (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 05/11/2016 at 21:32:51.86
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# AdwCleaner v5.116 - Logfile created 11/05/2016 at 21:35:54
# Updated 09/05/2016 by Xplode
# Database : 2016-05-09.1 [Server]
# Operating system : Windows 10 Home  (X64)
# Username : Z - WINDOWS-PAEQJ93
# Running from : C:\Users\Z\Desktop\adwcleaner_5.116.exe
# Option : Clean
# Support : http://toolslib.net/forum

***** [ Services ] *****

[-] Service Deleted : CouponPrinterService

***** [ Folders ] *****

[-] Folder Deleted : C:\Program Files (x86)\Digital Coupon Printer
[-] Folder Deleted : C:\Program Files (x86)\PrintMyCouponAnywhere
[-] Folder Deleted : C:\Users\Z\AppData\Roaming\catalina – print savings
[-] Folder Deleted : C:\Users\Z\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\catalina – print savings

***** [ Files ] *****


***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37331C16-3E97-4A20-80D8-BFB43AB0E2FB}
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\shopathome.com
[-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.shopathome.com

***** [ Web browsers ] *****


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [1953 bytes] - [11/05/2016 21:35:54]
C:\AdwCleaner\AdwCleaner[S1].txt - [1938 bytes] - [11/05/2016 21:34:47]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2099 bytes] ##########
 


  • 0


#71
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
How is this computer behaving?
  • 0

#72
my_name

my_name

    Sophomore

  • Topic Starter
  • GeekU Sophomore
  • PipPipPip
  • 273 posts
This computer seems okay. Thank you for scanning it for me so I can feel better about it being free of all malware.
  • 0

#73
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
Truly my pleasure :)

I wonder... have you even discussed this with friends, family or neighbors who have the same Internet Service Provider? Maybe have them check their IP's?

Let's remove the tools from this computer.

Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report.
    Please paste it for my review.

  • 0

#74
my_name

my_name

    Sophomore

  • Topic Starter
  • GeekU Sophomore
  • PipPipPip
  • 273 posts

Thank you so much for all your help and patience with me, Donna.  It truly is appreciated, and I learned a lot through all of this.  I am really glad that we know the malware is not coming from our computers.  Because of working with you, I also have much better security settings on my router now and the old laptop is running so much more quietly and cooler thanks to your advice on cleaning it out.

# DelFix v1.013 - Logfile created 11/05/2016 at 22:20:58
# Updated 17/04/2016 by Xplode
# Username : Z - WINDOWS-PAEQJ93
# Operating System : Windows 10 Home  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\Z\Desktop\Addition.txt
Deleted : C:\Users\Z\Desktop\adwcleaner_5.116.exe
Deleted : C:\Users\Z\Desktop\Fixlog.txt
Deleted : C:\Users\Z\Desktop\FRST.txt
Deleted : C:\Users\Z\Desktop\FRST64.exe
Deleted : C:\Users\Z\Desktop\JRT.exe
Deleted : C:\Users\Z\Desktop\JRT.txt

~ Cleaning system restore ...

Deleted : RP #24 [Scheduled Checkpoint | 04/24/2016 02:36:40]
Deleted : RP #25 [Scheduled Checkpoint | 05/02/2016 16:48:58]
Deleted : RP #26 [Windows Update | 05/10/2016 22:22:36]
Deleted : RP #28 [Restore Point Created by FRST | 05/12/2016 02:23:43]
Deleted : RP #29 [JRT Pre-Junkware Removal | 05/12/2016 02:31:37]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########
 


  • 0

#75
DonnaB

DonnaB

    Miss Congeniality

  • GeekU Moderator
  • 7,501 posts
You're welcome my_name,

I do believe that I learned as much as you did. Still, I would try to contact your ISP and tell them your IP was found to be blacklisted and ask what, if anything, could be done to fix this. I doubt anything could, but it is worth trying.

There are a couple of programs that I would like to introduce you to that will help to keep you safe and infection free. You can download and install them on one computer or all your computers.

I had you download McShield2 onto one of your computers already. It might be a good idea to install it on all your computers. The instructions are found here.

Please download >>Unchecky<<

You can read about this handy little app here.
  • Click on the link above to be taken to Unchecky.com
  • click the very large Download button.
  • click Save
  • Click Open folder
  • Right click on the Unchecky_setup and choose to Run as Administrator
  • Once open click the Install button.
  • Then click on Finish
  • Unchecky is now installed and will help you keep any unwanted check boxes unchecked, this is a fire and forget program ;)

    Next:

    Download CryptoPrevent free for home use here, following the instructions below.
    • Save the file to your desktop from the link above and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
    • Accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This is good and will launch the program once you click Finish.
    • You will get a prompt asking if you purchased a Product Key for Automatic Updates. You can answer No.
    • You will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to.
    • You will then be prompted to apply all default protections. Answer Yes.
    • You may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.
    That's it. The protection is in place.
    Note: The free version doesn't provide automatic updates. Periodically, you should open up the program (there is a shortcut on your desktop now) and select the Updates! menu....and select Check for Updates to see if there are any as this infection has serious consequences.

    Next:

    WOT = Web of Trust
    • WOT, (Web of Trust), warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory.
    • WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    • WOT has an addon available for Firefox, Google Chrome, Internet Explorer, Safari and Opera.
    Next:

    Heimdal Free will update some of the more commonly-targeted programs on home PCs within an hour of the update being publicly released. Updated programs include Internet Explorer, Adobe Flash Player/Plugin, Quicktime, and a few more. You can get the software from here and read more about it on the same page.

    Next:

    Keeping Autorun enabled on USB and other removable drives has become a significant security risk due to the increasing number of malware variants that can infect them and transfer the infection to your computer. To learn more about this risk, please read: USB-Based Malware Attacks and
    When is AUTORUN.INF really an AUTORUN.INF?
    Please disable Autorun asap!
    If you have any questions, please don't hesitate to ask.

    Donna :)

  • 0
