
Laptop infected; popups, redirects, error log, slow moving browser....

virus malware spyware


#16
zep516


    Trusted Helper

  • Malware Removal
  • 8,093 posts
A few items to fix

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [mapsgalaxy] => C:\Users\Owner\AppData\Local\Temp\7253453\ic-0.31ccf056389018.exe -start <===== ATTENTION
C:\Users\Owner\AppData\Local\Temp\7253453
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\...\Run: [oniklo] => rundll32.exe "C:\Users\Owner\AppData\Local\oniklo.dll",oniklo <===== ATTENTION
C:\Users\Owner\AppData\Local\oniklo.dll
"C:\Users\Owner\AppData\Local\oniklo.dll"
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {57FB77C4-A0F7-457B-9310-661C01DC5DA7} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {4A4AC7EA-3F17-4748-AFCF-E8F9F2B747B4} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
S3 dbx; system32\DRIVERS\dbx.sys [X]
2016-12-06 17:59 - 2016-12-06 17:59 - 02001079 _____ C:\Windows\97b4226e82053e864b386d56e6ff8b45.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8 [132] 
FirewallRules: [{15917833-B7A8-4389-927C-B8A58886AFC7}] => C:\Users\Owner\AppData\Local\ddnow.exe
FirewallRules: [{F690E5B5-DE78-4E87-9380-E84090FCDB0A}] => C:\Users\Owner\AppData\Local\Temp\installer1.exe
FirewallRules: [{97F46F78-E874-42D0-A9C7-09F0C475D080}] => C:\Users\Owner\AppData\Local\29924446.exe
2016-12-09 11:36 - 2016-05-07 16:16 - 00000000 ____D C:\ProgramData\McAfee
2016-12-09 11:36 - 2016-05-07 16:16 - 00000000 ____D C:\Program Files (x86)\McAfee
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
RemoveProxy:
hosts:
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.
  • 0



#17
christiety03


    Member

  • Topic Starter
  • Member
  • 12 posts

Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Owner (09-12-2016 15:12:35) Run:1
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [mapsgalaxy] => C:\Users\Owner\AppData\Local\Temp\7253453\ic-0.31ccf056389018.exe -start <===== ATTENTION
C:\Users\Owner\AppData\Local\Temp\7253453
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\...\Run: [oniklo] => rundll32.exe "C:\Users\Owner\AppData\Local\oniklo.dll",oniklo <===== ATTENTION
C:\Users\Owner\AppData\Local\oniklo.dll
"C:\Users\Owner\AppData\Local\oniklo.dll"
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {57FB77C4-A0F7-457B-9310-661C01DC5DA7} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {4A4AC7EA-3F17-4748-AFCF-E8F9F2B747B4} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
S3 dbx; system32\DRIVERS\dbx.sys [X]
2016-12-06 17:59 - 2016-12-06 17:59 - 02001079 _____ C:\Windows\97b4226e82053e864b386d56e6ff8b45.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8 [132]
FirewallRules: [{15917833-B7A8-4389-927C-B8A58886AFC7}] => C:\Users\Owner\AppData\Local\ddnow.exe
FirewallRules: [{F690E5B5-DE78-4E87-9380-E84090FCDB0A}] => C:\Users\Owner\AppData\Local\Temp\installer1.exe
FirewallRules: [{97F46F78-E874-42D0-A9C7-09F0C475D080}] => C:\Users\Owner\AppData\Local\29924446.exe
2016-12-09 11:36 - 2016-05-07 16:16 - 00000000 ____D C:\ProgramData\McAfee
2016-12-09 11:36 - 2016-05-07 16:16 - 00000000 ____D C:\Program Files (x86)\McAfee
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
RemoveProxy:
hosts:
Emptytemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\mapsgalaxy => value removed successfully
"C:\Users\Owner\AppData\Local\Temp\7253453" => not found.
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\Software\Microsoft\Windows\CurrentVersion\Run\\oniklo => value removed successfully
"C:\Users\Owner\AppData\Local\oniklo.dll" => not found.
"C:\Users\Owner\AppData\Local\oniklo.dll" => not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{57FB77C4-A0F7-457B-9310-661C01DC5DA7}" => key removed successfully
HKCR\CLSID\{57FB77C4-A0F7-457B-9310-661C01DC5DA7} => key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
"HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66}" => key removed successfully
HKCR\CLSID\{012E1000-F331-11DB-8314-0800200C9A66} => key not found.
"HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4A4AC7EA-3F17-4748-AFCF-E8F9F2B747B4}" => key removed successfully
HKCR\CLSID\{4A4AC7EA-3F17-4748-AFCF-E8F9F2B747B4} => key not found.
"HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
dbx => service removed successfully
C:\Windows\97b4226e82053e864b386d56e6ff8b45.exe => moved successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

 

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

 

========= End of Reg: =========

C:\ProgramData\TEMP => ":0FF263E8" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{15917833-B7A8-4389-927C-B8A58886AFC7} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F690E5B5-DE78-4E87-9380-E84090FCDB0A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{97F46F78-E874-42D0-A9C7-09F0C475D080} => value removed successfully
C:\ProgramData\McAfee => moved successfully
C:\Program Files (x86)\McAfee => moved successfully

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= netsh advfirewall reset =========

Ok.

========= End of CMD: =========

========= netsh advfirewall set allprofiles state ON =========

Ok.

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9671231 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 155006 B
Edge => 0 B
Chrome => 12082176 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 1582 B
NetworkService => 0 B
Owner => 17207600 B

RecycleBin => 233577 B
EmptyTemp: => 49.5 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 15:13:30 ====


  • 0
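
A small parser for the Fixlog format shown in the post above, added here as an example (it is not part of the thread and not FRST's own code): it tallies the outcome of each fix entry and lists the file paths the fix reported as not found. The function names and outcome categories are assumptions based only on the wording visible in this log.

```python
import re
from collections import Counter

# Excerpt of result lines from the Fixlog posted above (not the full log).
SAMPLE_FIXLOG = r'''Processes closed successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\mapsgalaxy => value removed successfully
"C:\Users\Owner\AppData\Local\Temp\7253453" => not found.
"C:\Users\Owner\AppData\Local\oniklo.dll" => not found.
HKCR\CLSID\{57FB77C4-A0F7-457B-9310-661C01DC5DA7} => key not found.
dbx => service removed successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully
C:\ProgramData\TEMP => ":0FF263E8" ADS removed successfully.
========= netsh advfirewall reset =========
BITS transfer queue => 12582912 B
'''

# Outcome wording as it appears in this log; other FRST versions may differ (assumption).
OUTCOMES = [
    ("not_found", re.compile(r"\bnot found\b")),
    ("removed", re.compile(r"\bremoved successfully\b")),
    ("moved", re.compile(r"\bmoved successfully\b")),
    ("restored", re.compile(r"\brestored successfully\b")),
]

def parse_fixlog(text):
    """Return (target, outcome) pairs for every 'target => result' line."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        # Skip section banners, command output and blank lines.
        if line.startswith("=") or " => " not in line:
            continue
        target, _, result = line.partition(" => ")
        outcome = next((name for name, rx in OUTCOMES if rx.search(result)), None)
        if outcome:  # size lines such as '=> 12582912 B' match nothing
            results.append((target.strip('"'), outcome))
    return results

def tally(results):
    """Count how many fix entries ended in each outcome."""
    return dict(Counter(outcome for _, outcome in results))

def missing_files(results):
    """File paths (not registry keys) the fix could not find, in log order."""
    paths = [t for t, o in results if o == "not_found" and re.match(r"[A-Za-z]:\\", t)]
    return list(dict.fromkeys(paths))

if __name__ == "__main__":
    parsed = parse_fixlog(SAMPLE_FIXLOG)
    print(tally(parsed), missing_files(parsed))
```

Paths returned by `missing_files` are the ones to look for again in a fresh scan, since the autorun entry pointing at them was removed but the file itself was not seen at that location.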

#18
zep516


    Trusted Helper

  • Malware Removal
  • 8,093 posts
How is the computer running? What issues remain?
  • 0

#19
christiety03


    Member

  • Topic Starter
  • Member
  • 12 posts

It's running much better! The only issue I still see is 2 Notepad pop-ups upon startup; is there a way to discontinue?

Thank you so much for your help, it's very appreciated. Do you recommend a protection program?


  • 0

#20
zep516


    Trusted Helper

  • Malware Removal
  • 8,093 posts

"I still see is 2 Notepad pop ups upon startup,"

What do they say?

What happened to McAfee?
  • 0

#21
christiety03


    Member

  • Topic Starter
  • Member
  • 12 posts

They seem to be error logs? They come up upon start up. They are blank, but the heading of the box says errorlog.


  • 0

#22
zep516


    Trusted Helper

  • Malware Removal
  • 8,093 posts
This fix should get rid of both those notepad pop ups at start up.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.
start
CloseProcesses:
CreateRestorePoint:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\errorlog.txt [2016-12-08] ()
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\errorlog.txt [2016-12-08] ()
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

"Do you recommend a protection program?"

Avast free,
https://www.avast.co...ivirus-download
  • 0





