Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Laptop infected; popups, redirects, error log, slow moving browser....

virus malware spyware

  • Please log in to reply

#16
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
A few items to fix

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [mapsgalaxy] => C:\Users\Owner\AppData\Local\Temp\7253453\ic-0.31ccf056389018.exe -start <===== ATTENTION
C:\Users\Owner\AppData\Local\Temp\7253453
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\...\Run: [oniklo] => rundll32.exe "C:\Users\Owner\AppData\Local\oniklo.dll",oniklo <===== ATTENTION
C:\Users\Owner\AppData\Local\oniklo.dll
"C:\Users\Owner\AppData\Local\oniklo.dll"
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {57FB77C4-A0F7-457B-9310-661C01DC5DA7} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {4A4AC7EA-3F17-4748-AFCF-E8F9F2B747B4} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
S3 dbx; system32\DRIVERS\dbx.sys [X]
2016-12-06 17:59 - 2016-12-06 17:59 - 02001079 _____ C:\Windows\97b4226e82053e864b386d56e6ff8b45.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8 [132] 
FirewallRules: [{15917833-B7A8-4389-927C-B8A58886AFC7}] => C:\Users\Owner\AppData\Local\ddnow.exe
FirewallRules: [{F690E5B5-DE78-4E87-9380-E84090FCDB0A}] => C:\Users\Owner\AppData\Local\Temp\installer1.exe
FirewallRules: [{97F46F78-E874-42D0-A9C7-09F0C475D080}] => C:\Users\Owner\AppData\Local\29924446.exe
2016-12-09 11:36 - 2016-05-07 16:16 - 00000000 ____D C:\ProgramData\McAfee
2016-12-09 11:36 - 2016-05-07 16:16 - 00000000 ____D C:\Program Files (x86)\McAfee
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
RemoveProxy:
hosts:
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.
  • 0

Advertisements


#17
christiety03

christiety03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Fix result of Farbar Recovery Scan Tool (x64) Version: 07-12-2016
Ran by Owner (09-12-2016 15:12:35) Run:1
Running from C:\Users\Owner\Desktop
Loaded Profiles: Owner (Available Profiles: Owner)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [mapsgalaxy] => C:\Users\Owner\AppData\Local\Temp\7253453\ic-0.31ccf056389018.exe -start <===== ATTENTION
C:\Users\Owner\AppData\Local\Temp\7253453
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\...\Run: [oniklo] => rundll32.exe "C:\Users\Owner\AppData\Local\oniklo.dll",oniklo <===== ATTENTION
C:\Users\Owner\AppData\Local\oniklo.dll
"C:\Users\Owner\AppData\Local\oniklo.dll"
HKU\S-1-5-18\...\Run: [] => 0
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {57FB77C4-A0F7-457B-9310-661C01DC5DA7} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {4A4AC7EA-3F17-4748-AFCF-E8F9F2B747B4} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1984768383-2945694233-2252105598-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-154371-11896-2/4 ?mpre=http%3A%2F%2Fwww.ebay.com%2Fsch%2F%3F_nkw%3D{searchTerms}&keyword={searchTerms}
StartMenuInternet: IEXPLORE.EXE - iexplore.exe
S3 dbx; system32\DRIVERS\dbx.sys [X]
2016-12-06 17:59 - 2016-12-06 17:59 - 02001079 _____ C:\Windows\97b4226e82053e864b386d56e6ff8b45.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
AlternateDataStreams: C:\ProgramData\TEMP:0FF263E8 [132]
FirewallRules: [{15917833-B7A8-4389-927C-B8A58886AFC7}] => C:\Users\Owner\AppData\Local\ddnow.exe
FirewallRules: [{F690E5B5-DE78-4E87-9380-E84090FCDB0A}] => C:\Users\Owner\AppData\Local\Temp\installer1.exe
FirewallRules: [{97F46F78-E874-42D0-A9C7-09F0C475D080}] => C:\Users\Owner\AppData\Local\29924446.exe
2016-12-09 11:36 - 2016-05-07 16:16 - 00000000 ____D C:\ProgramData\McAfee
2016-12-09 11:36 - 2016-05-07 16:16 - 00000000 ____D C:\Program Files (x86)\McAfee
CMD: bitsadmin /reset /allusers
CMD: ipconfig /flushdns
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
RemoveProxy:
hosts:
Emptytemp:
*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\mapsgalaxy => value removed successfully
"C:\Users\Owner\AppData\Local\Temp\7253453" => not found.
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\Software\Microsoft\Windows\CurrentVersion\Run\\oniklo => value removed successfully
"C:\Users\Owner\AppData\Local\oniklo.dll" => not found.
"C:\Users\Owner\AppData\Local\oniklo.dll" => not found.
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{57FB77C4-A0F7-457B-9310-661C01DC5DA7}" => key removed successfully
HKCR\CLSID\{57FB77C4-A0F7-457B-9310-661C01DC5DA7} => key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
"HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{012E1000-F331-11DB-8314-0800200C9A66}" => key removed successfully
HKCR\CLSID\{012E1000-F331-11DB-8314-0800200C9A66} => key not found.
"HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4A4AC7EA-3F17-4748-AFCF-E8F9F2B747B4}" => key removed successfully
HKCR\CLSID\{4A4AC7EA-3F17-4748-AFCF-E8F9F2B747B4} => key not found.
"HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\\Default => value restored successfully
dbx => service removed successfully
C:\Windows\97b4226e82053e864b386d56e6ff8b45.exe => moved successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully
C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

 

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

 

========= End of Reg: =========

C:\ProgramData\TEMP => ":0FF263E8" ADS removed successfully.
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{15917833-B7A8-4389-927C-B8A58886AFC7} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F690E5B5-DE78-4E87-9380-E84090FCDB0A} => value removed successfully
HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{97F46F78-E874-42D0-A9C7-09F0C475D080} => value removed successfully
C:\ProgramData\McAfee => moved successfully
C:\Program Files (x86)\McAfee => moved successfully

========= bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

0 out of 0 jobs canceled.

========= End of CMD: =========

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= netsh advfirewall reset =========

Ok.

========= End of CMD: =========

========= netsh advfirewall set allprofiles state ON =========

Ok.

========= End of CMD: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-1984768383-2945694233-2252105598-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.

=========== EmptyTemp: ==========

BITS transfer queue => 12582912 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 9671231 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 155006 B
Edge => 0 B
Chrome => 12082176 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 1582 B
NetworkService => 0 B
Owner => 17207600 B

RecycleBin => 233577 B
EmptyTemp: => 49.5 MB temporary data Removed.

================================

The system needed a reboot.

==== End of Fixlog 15:13:30 ====


  • 0

#18
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
How is the computer running ? What issues remain ?
  • 0

#19
christiety03

christiety03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Its running much better! Only issue I still see is 2 Notepad pop ups upon startup, is there a way to discontinue?

Thank you so much for your help, its very appreciated. Do you recommend a protection program?


  • 0

#20
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts

I still see is 2 Notepad pop ups upon startup,

What do they say ?

What happened to McAfee ?
  • 0

#21
christiety03

christiety03

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

They seem to be error logs? They come up upon start up. They are blank, but the heading of the box says errorlog.


  • 0

#22
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,804 posts
This fix should get rid of both those notepad pop ups at start up.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.
start
CloseProcesses:
CreateRestorePoint:
Startup: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\errorlog.txt [2016-12-08] ()
Startup: C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\errorlog.txt [2016-12-08] ()
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

Do you recommend a protection program?

Avast free,
https://www.avast.co...ivirus-download
  • 0






Similar Topics


Also tagged with one or more of these keywords: virus, malware, spyware

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP