
Did I get it all?!?!?


This topic is locked

#1 cmcnick (Member, 11 posts)

Pretty mad because I posted a detailed post that took a while to type out and the site gave me a 403 gate and deleted the post. I am attaching a Farbar Recovery log. Can someone help me go through it to make sure I cleaned all the junk off my comp? Tools already used:

  • MBAM
  • JRT
  • RKill
  • TDSSKiller
  • Spybot
  • SuperAntiSpyware
  • Zemana
  • Farbar


Attached Files




#2 cmcnick (Topic Starter, Member, 11 posts)

Please disregard those logs. I did not run as admin. Am currently rerunning and will post as soon as complete.



#3 cmcnick (Topic Starter, Member, 11 posts)

These are the FRST files run under admin rights. Sorry for the confusion.

Attached Files



#4 zep516 (Trusted Helper, Malware Removal, 8,087 posts)

Hi! My name is zep516 and Welcome to Geekstogo!
I'll do the best I can to resolve your computer issue
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue. Stop and ask! Never be afraid to ask questions! :)


I need time to look over the log files.

Exactly what were you trying to remove, and what were the symptoms of the computer that caused you to run all those malware tools? Did running the tools fix the symptoms you were having?

From a brief glance the logs look OK, a few minor things. I'll go back and do a more thorough look at them and get back to you.

The forum is currently experiencing an issue with the 403 error. I was wondering, are you able to paste the logs into the forum, or do you continue to get the 403 error?

I'll get back to you as soon as possible and address what's left in the log files.

Thanks
Joe

#5 cmcnick (Topic Starter, Member, 11 posts)

Hey Joe! 

 

Thanks for taking a look. So I normally run Malwarebytes once a month or so just to keep on the up and up. Scans don't take long and it seems to work fine. I was working on another PC and realized I hadn't run any scans in a while and decided to run MBAM. During the Chameleon startup process, it detected and stopped PUP.Spigot (ugh). When it finished scanning it found 3 entries for CouponPrinter (FUUUUUUUUUU). Okay so I reboot, run RKill and it doesn't find anything interesting, and run AdwCleaner. It finds like 18 instances of CouponPrinter. Great. Reboot, run RKill and this time it finds issues with the hosts file, claims to have fixed them and posts a bunch of wonky porn sites all with the same IP address. I check the hosts file and it says they were imported by Spybot (weird). Okay so RKill again, TDSSKiller, no results (typical for me from this tool). Reboot, RKill, JRT, more coupon junk. Zemana, more coupon junk. Okay I think I got it all, run HitmanPro to double check, find more coupon junk. Great. Run SuperAntiSpyware, finds more junk, and after all this I still can't pick a default browser so something is still buggy. That being said I looked around, found you guys and thought I'd give it a shot. Ran the Farbar logs and here we are. I haven't tried to post the logs again so no clue on the 403 issue. I'll update if/when you have me post more logs.



#6 zep516 (Trusted Helper, Malware Removal, 8,087 posts)

Hello,

Here's just part of your hosts file.
 

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com

Nothing wrong with that; it's called a custom hosts file, made by Spybot. The IP address is YOUR local machine or your computer (home). If you tried to go to those shady sites the hosts file would block it and send you back home to 127.0.0.1. No place like home, they say!!

A few things to fix, though:

Download the enclosed fixlist.txt (attached). Save it in the location FRST64 is -> \\CHRIS-PC\Downloads. Run FRST and click on the Fix button. Wait until finished.

The tool will make a log called Fixlog.txt in the location FRST is -> \\CHRIS-PC\Downloads.

Please post Fixlog.txt in your reply or attach it.
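The point made in the post above (a 127.0.0.1 entry is a block, not a hijack) is easy to check mechanically, and the same check shows what the dangerous case looks like. The following is an added example, not code from the thread, from Spybot or from RKill: it parses a hosts file, separates sinkhole entries from entries that send a real hostname somewhere else, and lists remote addresses that several names share, which is the shape of a hosts-file hijack. The sample hosts content is constructed: the 127.0.0.1 lines mirror the Spybot entries quoted above, while the 198.51.100.23 lines (documentation address space) are invented to show the contrasting case and were not on the poster's machine.

```python
"""Triage a Windows hosts file: tell blocklist sinkhole entries apart from
redirect entries that point a real hostname at a remote address.

Added example, not code from the thread or from Spybot/RKill. SAMPLE_HOSTS is
constructed: the 127.0.0.1 lines mirror the Spybot block entries quoted in the
post; the 198.51.100.23 lines are invented to show what a hijack looks like."""
import ipaddress
from collections import defaultdict

# Addresses a blocklist (Spybot immunisation, MVPS hosts, ...) maps names to.
# A lookup for a sinkholed name never leaves the machine.
SINKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search&Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com      # trailing comment, must be ignored
# Constructed hijack lines (not from the poster's machine):
198.51.100.23 www.example-bank.test
198.51.100.23 update.example-av.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))   # normalises e.g. ::0001 -> ::1
        except ValueError:
            continue
        for name in parts[1:]:
            yield ip, name.lower()


def triage_hosts(text):
    """Classify every entry.

    sinkholed  : names pointed at a loopback/unspecified address (a block, harmless)
    redirected : (ip, name) pairs pointed anywhere else (traffic is being rerouted)
    by_ip      : every name grouped under the address it resolves to
    """
    result = {"sinkholed": [], "redirected": [], "by_ip": defaultdict(list)}
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue                       # stock entries, not interesting
        result["by_ip"][ip].append(name)
        if ip in SINKHOLE:
            result["sinkholed"].append(name)
        else:
            result["redirected"].append((ip, name))
    return result


def shared_remote_ips(result, min_names=2):
    """Remote addresses that several names share: the classic hosts hijack.

    This is the check behind 'lots of sites with the same IP': if that IP is a
    sinkhole it is a blocklist by design; if it is a routable address, every
    name under it is being silently redirected."""
    return {ip: names for ip, names in result["by_ip"].items()
            if ip not in SINKHOLE and len(names) >= min_names}


if __name__ == "__main__":
    r = triage_hosts(SAMPLE_HOSTS)
    print(f"{len(r['sinkholed'])} sinkholed names (blocklist)")
    for ip, name in r["redirected"]:
        print(f"REDIRECT {name} -> {ip}")
    for ip, names in shared_remote_ips(r).items():
        print(f"HIJACK? {ip} serves {len(names)} names")
```

On a live machine, read C:\Windows\System32\drivers\etc\hosts into triage_hosts(); anything in redirected or returned by shared_remote_ips() deserves a look, while a long sinkholed list under a Spybot comment is the immunisation feature doing its job.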

#7 cmcnick (Topic Starter, Member, 11 posts)

Fix result of Farbar Recovery Scan Tool (x64) Version: 29-08-2016
Ran by Chris (30-08-2016 17:34:39) Run:1
Running from \\CHRIS-PC\Downloads
Loaded Profiles: Chris (Available Profiles: Chris & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
GroupPolicyScripts-x32: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> DefaultScope value is missing
U3 idsvc; no ImagePath
C:\Users\Chris\AppData\Local\Temp\libeay32.dll
C:\Users\Chris\AppData\Local\Temp\msvcr120.dll
C:\Users\Chris\AppData\Local\Temp\sqlite3.dll
CustomCLSID: HKU\S-1-5-21-3686218881-3921037133-2243164661-1002_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\Chris\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3686218881-3921037133-2243164661-1002_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\Chris\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3686218881-3921037133-2243164661-1002_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\Chris\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
Task: {134AA8EA-5AFB-432F-8F7F-39988B850E43} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {302E9C3A-00B9-420B-B168-211E9E4012B0} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {3C81AF2C-5016-4542-BDD5-63129225BA0F} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {44D894DA-F80F-4DD0-BD12-6DECF6D1E4AD} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {6C50031E-68CB-4933-863B-6BBD4470FD4C} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {6CD88E86-3981-4F2A-BC5C-A0F4E462747F} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {7EEDDB41-3EDB-4A30-B928-48942ECD94C5} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {AECE7103-747D-418B-A6F3-3DF591EC78E7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {B5713F46-1A3F-430C-9DAA-88E666187C8A} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {C5ABCD96-6775-4E19-A1E7-3CF2A6B1C96D} - System32\Tasks\4686 => Wscript.exe C:\Users\Chris\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {D2A75EAA-0B54-4EF6-A62C-199102C8043D} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D866AD2A-9C6F-45CC-89FB-AC2877561C8B} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:D48500F8 [96]
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
Emptytemp:
*****************
 
Processes closed successfully.
Restore point was successfully created.
C:\WINDOWS\SysWOW64\GroupPolicy\Machine => moved successfully
C:\WINDOWS\system32\GroupPolicy\GPT.ini => moved successfully
C:\WINDOWS\SysWOW64\GroupPolicy\GPT.ini => moved successfully
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
idsvc => service removed successfully
C:\Users\Chris\AppData\Local\Temp\libeay32.dll => moved successfully
C:\Users\Chris\AppData\Local\Temp\msvcr120.dll => moved successfully
C:\Users\Chris\AppData\Local\Temp\sqlite3.dll => moved successfully
"HKU\S-1-5-21-3686218881-3921037133-2243164661-1002_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}" => key removed successfully
"HKU\S-1-5-21-3686218881-3921037133-2243164661-1002_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}" => key removed successfully
"HKU\S-1-5-21-3686218881-3921037133-2243164661-1002_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{134AA8EA-5AFB-432F-8F7F-39988B850E43}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{134AA8EA-5AFB-432F-8F7F-39988B850E43}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{302E9C3A-00B9-420B-B168-211E9E4012B0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{302E9C3A-00B9-420B-B168-211E9E4012B0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{3C81AF2C-5016-4542-BDD5-63129225BA0F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3C81AF2C-5016-4542-BDD5-63129225BA0F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{44D894DA-F80F-4DD0-BD12-6DECF6D1E4AD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{44D894DA-F80F-4DD0-BD12-6DECF6D1E4AD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6C50031E-68CB-4933-863B-6BBD4470FD4C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C50031E-68CB-4933-863B-6BBD4470FD4C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6CD88E86-3981-4F2A-BC5C-A0F4E462747F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6CD88E86-3981-4F2A-BC5C-A0F4E462747F}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{7EEDDB41-3EDB-4A30-B928-48942ECD94C5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7EEDDB41-3EDB-4A30-B928-48942ECD94C5}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AECE7103-747D-418B-A6F3-3DF591EC78E7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AECE7103-747D-418B-A6F3-3DF591EC78E7}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B5713F46-1A3F-430C-9DAA-88E666187C8A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B5713F46-1A3F-430C-9DAA-88E666187C8A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C5ABCD96-6775-4E19-A1E7-3CF2A6B1C96D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C5ABCD96-6775-4E19-A1E7-3CF2A6B1C96D}" => key removed successfully
C:\WINDOWS\System32\Tasks\4686 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\4686" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D2A75EAA-0B54-4EF6-A62C-199102C8043D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D2A75EAA-0B54-4EF6-A62C-199102C8043D}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{D866AD2A-9C6F-45CC-89FB-AC2877561C8B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D866AD2A-9C6F-45CC-89FB-AC2877561C8B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
C:\ProgramData\Temp => ":D48500F8" ADS removed successfully.
 
========= bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.8.10586 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to cancel {C2A16EA1-6CC2-42D6-90B2-743F2410FE6F}.
0 out of 1 jobs canceled.
 
========= End of CMD: =========
 
 
========= netsh winsock reset catalog =========
 
 
Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.
 
 
========= End of CMD: =========
 
 
========= ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 32768 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 14185388 B
Java, Flash, Steam htmlcache => 377648644 B
Windows/system/drivers => 12758183 B
Edge => 3152221 B
Chrome => 828213652 B
Firefox => 11922770 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Default => 13832 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 4288 B
NetworkService => -650 B
Chris => 41599257 B
DefaultAppPool => 13832 B
 
RecycleBin => 3991 B
EmptyTemp: => 1.2 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 17:35:41 ====

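Two things in the Fixlog above deserve a practitioner's second look: the task 4686 that launched Wscript.exe on a .vbs in the user's Temp folder (the one task entry with a live action rather than a "No File" leftover), and the bitsadmin result "Unable to cancel ... 0 out of 1 jobs canceled", which means one BITS job survived the reset. The following is an added example, not from the thread and not FRST's own logic; the scoring rules are this example's heuristics. It parses FRST "Task:" lines, ranks them by how many weak signals they carry, and pulls out Fixlog lines that report a failure. SAMPLE_FRST copies two Task lines from the log above and adds one constructed benign task (the all-zero GUID); SAMPLE_FIXLOG copies result lines from the same log.

```python
"""Triage scheduled-task entries from an FRST log and flag Fixlog lines that
did not report success. Added example, not part of the thread and not FRST's
own logic; the scoring rules are this example's heuristics. SAMPLE_FRST copies
two 'Task:' lines from the Fixlog in the thread and adds one constructed
benign task (the all-zero GUID); SAMPLE_FIXLOG copies result lines from it."""
import re

# Script hosts and living-off-the-land binaries that a task action should
# rarely name, especially together with a user-writable path.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

# Task: {GUID} - <task path> -> No File <==== ATTENTION
# Task: {GUID} - <task path> => <action> <==== ATTENTION
TASK_RE = re.compile(
    r"^Task:\s*\{(?P<guid>[0-9A-Fa-f-]+)\}\s*-\s*(?P<path>.*?)\s*(?:=>|->)\s*"
    r"(?P<action>.*?)\s*(?:<==+\s*ATTENTION)?\s*$")
FAILURE_RE = re.compile(
    r"\b(unable|failed|could not|not found|access denied)\b|\b0 out of [1-9]\d*\b",
    re.IGNORECASE)

SAMPLE_FRST = r"""
Task: {44D894DA-F80F-4DD0-BD12-6DECF6D1E4AD} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {C5ABCD96-6775-4E19-A1E7-3CF2A6B1C96D} - System32\Tasks\4686 => Wscript.exe C:\Users\Chris\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {00000000-0000-0000-0000-000000000001} - \Microsoft\Windows\Defrag\ScheduledDefrag => C:\Windows\system32\defrag.exe -c -h -k -g
"""
SAMPLE_FIXLOG = r"""
Processes closed successfully.
C:\WINDOWS\System32\Tasks\4686 => moved successfully
Unable to cancel {C2A16EA1-6CC2-42D6-90B2-743F2410FE6F}.
0 out of 1 jobs canceled.
Sucessfully reset the Winsock Catalog.
"""


def classify_task(line):
    """Parse one 'Task:' line; return None if the line is not one."""
    m = TASK_RE.match(line.strip())
    if not m:
        return None
    path, action = m.group("path"), m.group("action")
    a = action.lower()
    reasons = []
    if a == "no file":
        # Registration survives but the target is gone: leftover to clean,
        # not an active threat (the GWX entries in the log are this kind).
        reasons.append("orphaned registration: target missing")
    else:
        if any(a.startswith(h) or "\\" + h in a for h in SCRIPT_HOSTS):
            reasons.append("script host / LOLBin as task action")
        if any(p in a for p in USER_WRITABLE):
            reasons.append("payload under a user-writable path")
    # A bare numeric name directly under System32\Tasks instead of a vendor
    # folder is another weak signal (task '4686' in the log).
    if re.fullmatch(r"(system32\\tasks\\)?\d+", path.lower()):
        reasons.append("numeric-only task name outside a vendor folder")
    return {"guid": m.group("guid"), "path": path, "action": action,
            "reasons": reasons}


def triage_tasks(log_text):
    """All task findings, strongest signals first."""
    found = [f for f in map(classify_task, log_text.splitlines()) if f]
    return sorted(found, key=lambda f: -len(f["reasons"]))


def unresolved_results(fixlog_text):
    """Fixlog lines that report a failure. Answering 'did I get it all?'
    means reading these, not only the lines that say 'successfully'."""
    return [l.strip() for l in fixlog_text.splitlines() if FAILURE_RE.search(l)]


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_FRST):
        print(f"{len(f['reasons'])} {f['path']} => {f['action']}: {f['reasons']}")
    for line in unresolved_results(SAMPLE_FIXLOG):
        print("CHECK:", line)
```

Feed the whole FRST.txt to triage_tasks() and the Fixlog.txt to unresolved_results(); a task that scores on several signals at once is the one to pull apart before declaring the machine clean, and any failure line means a fix step needs repeating or a different tool.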

#8 zep516 (Trusted Helper, Malware Removal, 8,087 posts)

Re: SuperAntiSpyware is always going to find tracking cookies, and they're harmless.

Your logs are clean.

As far as the default browser issue, I'm not certain what's taking place there.

#9 cmcnick (Topic Starter, Member, 11 posts)

Thanks Joe! I really appreciate the time you took to go through my logs and help me. Obviously I'm interested in malware removal. Any thoughts on how I should go about learning more on the topic? Say, being able to read these logs myself?



#10 zep516 (Trusted Helper, Malware Removal, 8,087 posts)

Take Malware removal training right here at geekstogo......

Geek University (or GeekU) is a training course that teaches the techniques and tools of malware removal. Graduates will be able to completely remove most infections without assistance. The training is geared toward removal in an online environment. Other methods likely work better if you're in front of the infected system. Students that complete training are expected to "pay it forward" by assisting in the forums, where they can continue to keep abreast of evolving malware and removal techniques. All training is free...

http://www.geekstogo...-fight-malware/


We need to remove the tools we used. This will include the tools you downloaded and the log files too

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

Why we need to remove some of our tools:
Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time they can make the computer an expensive paperweight. They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run.
  • The program will run for a few seconds and display a notepad report.
    Paste it for my review.


#11 cmcnick (Topic Starter, Member, 11 posts)

# DelFix v1.013 - Logfile created 31/08/2016 at 17:12:37
# Updated 17/04/2016 by Xplode
# Username : Chris - CHRIS-PC
# Operating System : Windows 10 Home  (64 bits)
 
~ Removing disinfection tools ...
 
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\TDSSKiller.3.1.0.11_27.08.2016_21.00.14_log.txt
Deleted : C:\Users\Chris\Desktop\Rkill.txt
Deleted : C:\Users\Chris\Downloads\adwcleaner_4.107.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Soeperman Enterprises Ltd.
Deleted : HKLM\SOFTWARE\TrendMicro\Hijackthis
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\HijackThis.exe
 
~ Cleaning system restore ...
 
Deleted : RP #73 [Windows Update | 08/18/2016 07:49:41]
Deleted : RP #74 [Windows Update | 08/21/2016 16:20:26]
Deleted : RP #75 [Windows Update | 08/27/2016 13:26:04]
Deleted : RP #76 [JRT Pre-Junkware Removal | 08/28/2016 00:54:59]
Deleted : RP #78 [Restore Point Created by FRST | 08/30/2016 21:34:43]
 
New restore point created !
 
~ Resetting system settings ... OK
 
########## - EOF - ##########


#12 cmcnick (Topic Starter, Member, 11 posts)

Sorry the reply took so long. I have limited access to my computer while at work and my kids have been sick.



#13 zep516 (Trusted Helper, Malware Removal, 8,087 posts)

Looks good.

If there are no further issues we can close the topic.

#14 cmcnick (Topic Starter, Member, 11 posts)

I just applied to the GeekU program so please close the topic. I don't want to get disqualified for having an open topic. Thanks again for all your help!



#15 zep516 (Trusted Helper, Malware Removal, 8,087 posts)

Good luck, I'll be watching.


Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.