Solved Help getting rid of redirect virus?

June 24, 2016 at 05:38:44
Specs: Windows 10
I am having an issue with a redirect virus on my PC. I'm running Windows 10 and using Chrome, and regularly run Advanced SystemCare and Avast scans, and I have Avast running as an active anti-virus. Neither program found anything after recent scans, but I am definitely having a problem. I ran a scan with HijackThis but I don't know enough about what should be there to recognize if there is something that shouldn't.

Here is the hijack this log:

Logfile of Trend Micro HijackThis v2.0.5
Scan saved at 8:29:50 AM, on 6/24/2016
Platform: Unknown Windows (WinNT 6.02.1008)
MSIE: Internet Explorer v11.0 (11.00.10586.0420)


Boot mode: Normal

Running processes:
C:\Program Files (x86)\Kloudian\Orbweb Me\run.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\Kloudian\Orbweb Me\webcam.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\kloudian\Orbweb Me\nginx\nginx.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 7\Monitor.exe
C:\Program Files\pia_manager\pia_manager.exe
C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Gavin\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Gavin\AppData\Local\FluxSoftware\Flux\flux.exe
C:\Program Files (x86)\Ralink\Common\RaUI.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Users\Gavin\AppData\Local\Temp\ocr882D.tmp\bin\rubyw.exe
C:\Program Files\pia_manager\pia_manager.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Users\Gavin\AppData\Local\Temp\ocr1828.tmp\bin\rubyw.exe
C:\Program Files\pia_manager\pia_tray\pia_tray.exe
C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\WindowsApps\Microsoft.Messaging_2.15.20002.0_x86__8wekyb3d8bbwe\SkypeHost.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
F:\Users\Gavin\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/?fr=yset_ie_s...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/p/?L...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/p/?L...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_91\bin\ssv.dll
O2 - BHO: avast! Online Security - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Advanced SystemCare Surfing Protection - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\PROGRA~2\IObit\SURFIN~1\BROWER~1\ASCPlugin_Protection.dll
O2 - BHO: (no name) - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_91\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKLM\..\Run: [IObit Malware Fighter] "C:\Program Files (x86)\IObit\IObit Malware Fighter\IMF.exe" /autostart
O4 - HKLM\..\Run: [ISUSPM] C:\ProgramData\FLEXnet\Connect\11\\isuspm.exe -scheduler
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Advanced SystemCare 7] "C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCTray.exe" /Auto
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Users\Gavin\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [GoogleChromeAutoLaunch_0477114E6D4D5C6A3EC1F4BBA6E33D15] "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --no-startup-window
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [f.lux] "C:\Users\Gavin\AppData\Local\FluxSoftware\Flux\flux.exe" /noshow
O4 - HKUS\S-1-5-19\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-1014425561-813898150-3024837209-1003\..\Run: [OneDriveSetup] C:\Windows\SysWOW64\OneDriveSetup.exe /thfirstsetup (User 'OrbwebAdmin')
O4 - HKUS\S-1-5-21-1014425561-813898150-3024837209-1003\..\RunOnce: [WAB Migrate] %ProgramFiles%\Windows Mail\wab.exe /Upgrade (User 'OrbwebAdmin')
O4 - Startup: Verizon Wireless Software Utility Application for Android – Samsung.lnk = C:\Users\Gavin\AppData\Roaming\VERIZON\UA_ar\UA.exe
O4 - Global Startup: Nuance Cloud Connector.lnk = C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GladLauncher.exe
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files (x86)\Ralink\Common\RaUI.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office 15\root\Office15\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {F9CD2233-6744-47C1-A6AE-00C30A35F73D} - https://myaccount.cox.net/internett...
O17 - HKLM\System\CCS\Services\Tcpip\..\{379e4868-0c63-42c1-ae41-7dbce46bc0cd}: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O18 - Protocol: osf - {D924BDC6-C83A-4BD5-90D0-095128A113D1} - C:\Program Files\Microsoft Office 15\root\Office15\MSOSB.DLL
O18 - Protocol: tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: windows.tbauth - {14654CA6-5711-491D-B89A-58E571679951} - C:\Windows\SysWOW64\tbauth.dll
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Advanced SystemCare Service 7 (AdvancedSystemCareService7) - IObit - C:\Program Files (x86)\IObit\Advanced SystemCare 7\ASCService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\WINDOWS\system32\atiesrxx.exe (file missing)
O23 - Service: ASRock IO Monitor Service (ASRockIOMon) - Unknown owner - C:\Program Files (x86)\ASRock Utility\A-Tuning\Bin\IOMonitorSrv.exe
O23 - Service: Avast Antivirus (avast! Antivirus) - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: @%SystemRoot%\system32\DiagSvcs\DiagnosticsHub.StandardCollector.ServiceRes.dll,-1000 (diagnosticshub.standardcollector.service) - Unknown owner - C:\WINDOWS\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\WINDOWS\system32\fxssvc.exe (file missing)
O23 - Service: NVIDIA GeForce Experience Service (GfExperienceService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\GeForce Experience Service\GfExperienceService.exe
O23 - Service: GladFileMonSvc - Gladinet, INC - C:\Program Files (x86)\Nuance\Nuance Cloud Connector\GladFileMonSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: Intel(R) Integrated Clock Controller Service - Intel(R) ICCS (ICCS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Integrated Clock Controller Service\ICCProxy.exe
O23 - Service: @%SystemRoot%\system32\ieetwcollectorres.dll,-1000 (IEEtwCollectorService) - Unknown owner - C:\WINDOWS\system32\IEEtwCollector.exe (file missing)
O23 - Service: IMF Service (IMFservice) - IObit - C:\Program Files (x86)\IObit\IObit Malware Fighter\IMFsrv.exe
O23 - Service: Intel(R) Capability Licensing Service TCP IP Interface - Intel(R) Corporation - C:\Program Files\Intel\iCLS Client\SocketHeciServer.exe
O23 - Service: Intel® ME Service (Intel(R) ME Service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\FWService\IntelMeFWService.exe
O23 - Service: Intel(R) Update Manager (iumsvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Update Manager\bin\iumsvc.exe
O23 - Service: Intel(R) Dynamic Application Loader Host Interface Service (jhi_service) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: LiveUpdate (LiveUpdateSvc) - IObit - C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\WINDOWS\System32\msdtc.exe (file missing)
O23 - Service: NVIDIA Network Service (NvNetworkService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
O23 - Service: NVIDIA Streamer Service (NvStreamSvc) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\WINDOWS\system32\nvvsvc.exe (file missing)
O23 - Service: Orbweb ME Process (OD) - kloudian - C:\Program Files (x86)\Kloudian\Orbweb Me\process.exe
O23 - Service: Orbweb ME (OM) - kloudian - C:\Program Files (x86)\Kloudian\Orbweb Me\core.exe
O23 - Service: Orbweb Update (OU) - kloudian - C:\Program Files (x86)\Kloudian\Orbweb Me\update\update.exe
O23 - Service: PDFProFiltSrv - Unknown owner - E:\Program Files\Nuance\PDFProFiltSrv.exe (file missing)
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Program Files (x86)\Ralink\Common\RaRegistry.exe
O23 - Service: Ralink Registry Writer 64 (RalinkRegistryWriter64) - Ralink Technology, Corp. - C:\Program Files (x86)\Ralink\Common\RaRegistry64.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\WINDOWS\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SensorDataService.exe,-101 (SensorDataService) - Unknown owner - C:\WINDOWS\System32\SensorDataService.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\WINDOWS\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\WINDOWS\system32\sppsvc.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Application Publishing Service APS (SVCM) - Unknown owner - C:\Program Files (x86)\kloudian\svcmain.exe
O23 - Service: @%SystemRoot%\system32\TieringEngineService.exe,-702 (TieringEngineService) - Unknown owner - C:\WINDOWS\system32\TieringEngineService.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\WINDOWS\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\WINDOWS\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\WINDOWS\system32\wbengine.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-320 (WdNisSvc) - Unknown owner - C:\Program Files (x86)\Windows Defender\NisSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Defender\MpAsDesc.dll,-310 (WinDefend) - Unknown owner - C:\Program Files (x86)\Windows Defender\MsMpEng.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 16285 bytes


Anyone see anything that might be causing my problem? If not, any suggestions on what I can do to fix this? I know these can be a much bigger issue than simply redirecting so I'd like to take care of it as soon as possible.


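As an added example (not part of the thread, and not the method of HijackThis or any of the tools mentioned here), the script below runs a few triage heuristics over HijackThis log lines of the kind posted above: processes and autorun entries living in user-writable directories, O17 NameServer entries that are not the resolvers you expect, services with no recorded publisher, and "(no file)" / "(file missing)" orphans. The expected-resolver set is an assumption (it is simply the three addresses from the poster's O17 line), the sample input is a handful of lines copied from the posted log plus one constructed O17 line containing 8.8.8.8 so the resolver check is exercised, and a flagged line is a lead to verify (signature, hash, publisher), not a verdict; legitimate software such as updaters also persists from AppData and ProgramData.

```python
import re

# Locations a standard user (or anything running as that user) can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\[^\\]+\\Downloads)\\", re.I)
# How HijackThis marks entries whose target no longer exists on disk.
MISSING = re.compile(r"\((no file|file missing)\)", re.I)
SYSTEM32 = re.compile(r"C:\\Windows\\System32\\", re.I)
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
ENTRY = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")
# ASSUMPTION: the resolvers this machine is expected to use (the three from the O17 line above).
EXPECTED_RESOLVERS = {"68.105.28.11", "68.105.29.11", "68.105.28.12"}


def classify(line):
    """Return (severity, reason) for one HijackThis log line, or None if it is unremarkable."""
    line = line.strip()
    m = ENTRY.match(line)
    if m is None:
        # Lines in the 'Running processes' block are bare paths.
        if re.match(r"^[A-Z]:\\", line) and USER_WRITABLE.search(line):
            return ("medium", "process running from a user-writable directory")
        return None
    kind, body = m.groups()
    if kind == "O17":
        unexpected = set(IPV4.findall(body)) - EXPECTED_RESOLVERS
        if unexpected:
            return ("high", "unexpected DNS resolver(s): " + ", ".join(sorted(unexpected)))
        return None
    if MISSING.search(body):
        if kind == "O23" and (body.startswith("Service: @") or SYSTEM32.search(body)):
            # HijackThis is a 32-bit tool: WOW64 file-system redirection and 32-bit environment
            # variables hide 64-bit system paths from it, so built-in services look absent.
            return ("info", "built-in service reported missing; usually a WOW64 artifact, not an infection")
        return ("low", "orphaned entry (registered, file gone); harmless to remove, rarely the cause")
    if kind == "O4" and USER_WRITABLE.search(body):
        return ("medium", "autorun entry pointing into a user-writable directory")
    if kind == "O23" and "Unknown owner" in body:
        return ("medium", "service with no publisher recorded; check the binary's signature or hash")
    return None


def triage(log_text):
    """Run classify() over a whole log and return [(severity, reason, line), ...] in log order."""
    findings = []
    for raw in log_text.splitlines():
        c = classify(raw)
        if c is not None:
            findings.append((c[0], c[1], raw.strip()))
    return findings


# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
C:\Users\Gavin\AppData\Local\Temp\ocr882D.tmp\bin\rubyw.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
O2 - BHO: (no name) - {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} - (no file)
O4 - HKLM\..\Run: [AvastUI.exe] "C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Users\Gavin\AppData\Roaming\Octoshape\Octoshape Streaming Services\OctoshapeClient.exe" -inv:bootrun
O17 - HKLM\System\CCS\Services\Tcpip\..\{379e4868-0c63-42c1-ae41-7dbce46bc0cd}: NameServer = 68.105.28.11 68.105.29.11 68.105.28.12
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)
O23 - Service: Application Publishing Service APS (SVCM) - Unknown owner - C:\Program Files (x86)\kloudian\svcmain.exe
"""
# Constructed line (not from the post): 8.8.8.8 is not in EXPECTED_RESOLVERS, so it must be flagged.
CONSTRUCTED_O17 = r"O17 - HKLM\System\CCS\Services\Tcpip\..\{constructed}: NameServer = 8.8.8.8 68.105.28.11"

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2, "info": 3}
    for sev, why, line in sorted(triage(SAMPLE_LOG + CONSTRUCTED_O17), key=lambda f: order[f[0]]):
        print("[%-6s] %s\n         %s" % (sev, why, line))
```

Point `triage()` at the full log text (for example `triage(open("hijackthis.log").read())`) and work the output top down: the O17 check is the one that matters most for a redirect that is felt on more than one device, the medium items are where to look for persistence, and the "(file missing)" entries for built-in services are the known 32-bit-tool artifact rather than something to fix.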

✔ Best Answer
June 26, 2016 at 06:28:19
I'm off to bed now, here are some extra bits of info.

Extract from the FRST log.
"Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)"
Make sure ALL your Regional and Language Options settings are OK. They will be something similar to this; the main point is that you should have at least 3 places where your country is displayed.

Windows 10: Change or Add Another Language or Region.
http://www.tech-recipes.com/rx/5633...
http://i.imgur.com/gkPnT4j.gif
http://i.imgur.com/8J4WO6U.gif
http://i.imgur.com/gtwlzJo.gif
http://i.imgur.com/vSWwH00.gif

Here is how a USER got the problems; no AV would have prevented USER error. Go to any malware forum and, no matter what AV they have installed, they still got infected.

As you can see from your logs, you had a lot of stuff installed that you do not know how it got installed.
A lot of programs now give you the choice to install toolbars and other items during the install. Either uncheck these items during the install, or use Custom install. No more click, click during an install; you have to read after each click.

Or, use Unchecky to help prevent these third-party installs. Nothing is perfect; the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Unchec...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic & Brothersoft )
http://www.groovypost.com/unplugged...
http://www.howtogeek.com/198622/her...

I use Softpedia & FreewareFiles.com, they make you aware what Ad-supported programs the author of the program has included.
http://win.softpedia.com/index.free...
http://www.freewarefiles.com/new_fi...
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
http://i.imgur.com/rqSpp1e.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif



#1
June 24, 2016 at 06:16:53
There are several "free" cleaner utils / pest removers to run. Most run within Windows, and one can (and I suggest you do) also run something like Kaspersky Rescue Disk. The latter is a Linux-based system: download the ISO, burn it to a DVD, and boot from the DVD. It will load into RAM only and come up with a Windows-style desktop. Then it will go online to update itself, after which it will scan the hard drive fully and deal with whatever it finds.

Kaspersky:

http://support.kaspersky.co.uk/viru...

http://support.kaspersky.co.uk/4162

http://tinyurl.com/h4k8yq7

and a useful tutorial from another site re' Kaspersky:

http://tinyurl.com/373ojxb

Also run (within windows) the following:

adwcleaner:

http://www.bleepingcomputer.com/dow...

malwarebytes:

http://www.bleepingcomputer.com/dow...

Junkware Removal Tool (JRT) - this loads to the desktop, from where you run it. It opens into a small DOS-style window; follow the instructions therein. It will reboot as part of its process.

http://www.bleepingcomputer.com/dow...

ccleaner:

http://filehippo.com/download_cclea...

All of the above are free; safe to use; regularly recommended here.

Retain any logs generated for possible use.

Once the system is clean... ensure you regularly duplicate/copy all your personal files to external storage (DVD at least) and regularly check/update them. Safety first...!

"Johnw" and one or two regulars here will likely chip in with further advice; worth considering/following.

message edited by trvlr



#2
June 24, 2016 at 16:49:25
Thanks trvlr.

gmackie, Copy & Paste the contents of the logs in your reply please.



#3
June 24, 2016 at 18:14:16
Thanks for the help. I'm running that now on my desktop, but I am finding now that I am having the same issue on my laptop. Most times that I try clicking on links I am redirected three or four times before I can actually follow the link. Is it possible that this somehow got in and infected everything that is connected to my wifi network? Could it be a browser issue with Chrome (maybe one of my extensions is somehow infected?) rather than a virus? It seems strange to me that Avast and Malwarebytes didn't turn up anything on their scans; is that normal for these kinds of things?

I will update with logs when Kaspersky is finished running on my PC.

Edit: so Kaspersky didn't give me a log, but it didn't find anything. I'm not really sure where to go from here. There is obviously a problem, as I'm being redirected to malware sites nearly every time I try to click on a link, but nothing is able to find any issues on my pc. Any suggestions would be appreciated.

message edited by gmackie



#4
June 24, 2016 at 18:56:04
"but I am finding now that I am having the same issue on my laptop"
I would turn wireless/wifi off on it.

" Is it possible that this somehow got in and infected everything that is connected to my wifi network?"
Yes, cross infection is possible.

"It seems strange to me that avast and malwarebytes didn't turn up anything on their scans- is that normal for these kinds of thing?"
That's normal, once you are infected, no single program will remove all the problems.

It is now a step by step process.



#5
June 24, 2016 at 20:23:09
Ok what is my next step here? It seems that none of these programs are detecting anything, yet there is clearly an issue. Is there anything I can do short of completely deleting these drives and reinstalling windows?


#6
June 24, 2016 at 20:24:24
We will track it down.

Next step.

Run TDSSKiller. Copy & Paste the contents of the log in your next post please.
TDSSKiller
http://www.softpedia.com/get/Antivi...
http://www.freewarefiles.com/TDSSKi...
http://www.freewarefiles.com/screen...
http://usa.kaspersky.com/downloads/...
http://support.kaspersky.com/viruse...
How to use Kaspersky TDSSKiller
http://www.malwareremovalguides.inf...
http://www.majorgeeks.com/content/p...
If TDSS doesn't run, use FixTDSS
http://www.symantec.com/content/en/...
Download FixTDSS and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Double click on the FixTDSS.exe icon to run it.
Click the "I Accept" button, then the "Proceed" button to begin
The tool will restart your computer automatically - click OK to allow it to do so
The tool will begin its scan on reboot > click "run" to begin
It will report if an infected MBR is found > click the "repair" button
If you do not specify a full pathname, TDSSKiller will save the log in the same folder that the executable resides in.



#7
June 25, 2016 at 07:22:42
Okay, redirecting webpages. Are you sure this issue is not from your ISP?
I once used airtel a year ago and for like 6 hours it redirected all my links to www.airtel.in/error.jsp or something similar. It was an ISP error.


#8
June 25, 2016 at 07:26:47
I'm not sure at all what it is. And the fact that it is happening across multiple devices is making me think it could be an issue with an extension or the ISP. But I have xfinity, which is a pretty reputable provider, and the redirect seems to be to a bunch of random spam sites.


#9
June 25, 2016 at 07:38:17
A very loooong shot: power down your router, and remove the power cord too, so that there is no power connected.

Then wait a couple of minutes, and power up again...

Also - a query... you refer to wifi (only?) connections being affected...(?)

If you connect via cat-5/ethernet cable - does the problem persist?



#10
June 25, 2016 at 09:08:22
Johnw- I ran the TDSSKiller and it didn't find anything. I'm not sure what the log would be, it doesn't seem to have saved a log anywhere. There is nothing in the folder other than the exe. But it ran very quickly and said it found no infected files.

I don't seem to be having the issue today. I am hoping that one of the extensions I was running on Chrome was corrupted and that removing it fixed the problem. Is that a possible explanation?

It was happening yesterday both on wifi and on my desktop, which is connected through ethernet.


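Posts #7 to #10 circle the question a practitioner would settle first when a redirect shows up on every device behind one router, on wifi and on ethernet alike: is the name resolution the machines are being handed the same as what a resolver you trust returns? The script below is an added example, not something from the thread or from any of the tools it recommends. It builds a minimal DNS A query by hand, sends it over UDP to each configured resolver, and reports which resolvers answer differently from a reference resolver. Assumptions: 1.1.1.1 as the trusted reference, example.com as the probe name, the three resolver addresses taken from the poster's O17 line as the "local" set, and a constructed response packet used only to exercise the parser offline.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id; fine for a one-shot diagnostic, never for a real resolver


def build_query(name, txid=TXID):
    """Build a recursive A query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name that starts at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, and it ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_a_records(msg, txid=TXID):
    """Return the sorted IPv4 addresses found in the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(addrs)


def query(name, resolver, timeout=3.0):
    """Send one UDP query to `resolver` (port 53) and return the A records it answers with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data)


def disagreeing(reference_addrs, answers):
    """Given the reference answer and {resolver: [addrs]}, return resolvers whose answer set differs."""
    ref = set(reference_addrs)
    return sorted(r for r, addrs in answers.items() if set(addrs) != ref)


# Constructed response (not captured from anyone's machine): example.com -> 93.184.216.34,
# with the answer name given as a compression pointer to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)        # QR, RD, RA; 1 question, 1 answer
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)   # question section
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)        # answer header: A, IN, TTL 60, 4 bytes
    + socket.inet_aton("93.184.216.34")
)

if __name__ == "__main__":
    # ASSUMPTIONS: swap in the resolvers from your own O17 line / ipconfig and a reference you trust.
    NAME, TRUSTED = "example.com", "1.1.1.1"
    LOCAL = ["68.105.28.11", "68.105.29.11", "68.105.28.12"]
    ref = query(NAME, TRUSTED)
    local = {r: query(NAME, r) for r in LOCAL}
    print("%-16s %s" % (TRUSTED + " (ref)", ref))
    for r, a in local.items():
        print("%-16s %s" % (r, a))
    print("disagreeing:", disagreeing(ref, local) or "none")
```

Run it once per device while the redirects are happening, and run it a second time with the router's own address in the local set, because a home router that hands itself out as the resolver is the usual place a network-wide hijack lives. A disagreement is a lead, not proof: names served from large CDNs legitimately return different addresses to different resolvers, so probe a name with a stable answer, and treat agreement as ruling out DNS for that name only, leaving the browser extension angle raised in #10 open.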

#11
June 25, 2016 at 16:10:50
" I am hoping that one of the extensions I was running on Chrome was corrupted and that removing it fixed the problem. Is that a possible explanation?'
Very much so.

I will double check that possibility in these logs.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it makes also another log (Addition.txt)
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif



#12
June 25, 2016 at 16:18:20
Here are the logs from Farbar:

FRST: http://www69.zippyshare.com/v/ukyC2...

Addition: http://www69.zippyshare.com/v/Zocg8...

Thank you for helping so much with this!



#13
June 25, 2016 at 16:33:27
Back in about 20 mins.


#14
June 25, 2016 at 16:53:26
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
SearchScopes: HKU\S-1-5-21-1014425561-813898150-3024837209-1001 -> {F19E208D-9328-4D19-9319-969CBF9D2C39} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1014425561-813898150-3024837209-1001 -> {F8A48C4E-622F-489D-A1D1-431DF6DDB50D} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO: No Name -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> No File
BHO-x32: No Name -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> No File
BHO-x32: No Name -> {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} -> No File
Toolbar: HKLM-x32 - No Name - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - No File
FF Plugin-x32: ZEON/PDF,version=2.0 -> E:\Program Files\Nuance\bin\nppdf.dll [No File]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - E:\Program Files\Avast\SafePrice\FF => not found
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - E:\Program Files\Avast\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - E:\Program Files\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
Task: {2D352E87-80AD-45C6-90D0-6E20770D1EB8} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {406B7CE5-4E03-4A48-9CAC-6195C7FCFF75} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {42E66D9C-A24E-4706-B8A3-20B989D98ACD} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {606B8698-38FC-401A-A4E9-BFF7D2985DAD} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {63B79582-68EB-42BC-8C86-CBC25E1679FA} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {660C81BC-2B97-4327-9EBE-7B16F3566F1B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {6BDF0173-5DD7-4FF3-9C74-4E14CDFA35E0} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {A31C7581-9480-4B5D-95DB-651BD2C5B447} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {C07E9F57-973C-458A-82B6-68B46E7B2C75} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C5602EE2-A3E3-4981-953C-73B9B791B0DC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {CA8E7600-EFE0-4F43-88C6-CB417587F931} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.

message edited by Johnw



#15
June 25, 2016 at 17:01:16
Thank you! Here is the fix log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 20-06-2016 01
Ran by Gavin (2016-06-25 19:56:36) Run:1
Running from C:\Users\Gavin\Desktop
Loaded Profiles: Gavin & OrbwebAdmin (Available Profiles: Gavin & OrbwebAdmin & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
ShellIconOverlayIdentifiers-x32: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => No File
ShellIconOverlayIdentifiers-x32: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => No File
SearchScopes: HKU\S-1-5-21-1014425561-813898150-3024837209-1001 -> {F19E208D-9328-4D19-9319-969CBF9D2C39} URL = hxxps://search.yahoo.com/search?fr=chr-greentree_ie&ei=utf-8&ilc=12&type=903578&p={searchTerms}
SearchScopes: HKU\S-1-5-21-1014425561-813898150-3024837209-1001 -> {F8A48C4E-622F-489D-A1D1-431DF6DDB50D} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
BHO: No Name -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> No File
BHO-x32: No Name -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> No File
BHO-x32: No Name -> {DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} -> No File
Toolbar: HKLM-x32 - No Name - {E3286BF1-E654-42FF-B4A6-5E111731DF6B} - No File
FF Plugin-x32: ZEON/PDF,version=2.0 -> E:\Program Files\Nuance\bin\nppdf.dll [No File]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - E:\Program Files\Avast\SafePrice\FF => not found
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - E:\Program Files\Avast\WebRep\Chrome\aswWebRepChromeSp.crx <not found>
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - E:\Program Files\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>
Task: {2D352E87-80AD-45C6-90D0-6E20770D1EB8} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {406B7CE5-4E03-4A48-9CAC-6195C7FCFF75} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {42E66D9C-A24E-4706-B8A3-20B989D98ACD} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {606B8698-38FC-401A-A4E9-BFF7D2985DAD} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {63B79582-68EB-42BC-8C86-CBC25E1679FA} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {660C81BC-2B97-4327-9EBE-7B16F3566F1B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {6BDF0173-5DD7-4FF3-9C74-4E14CDFA35E0} - \Microsoft\Windows\Setup\GWXTriggers\Logon-5d -> No File <==== ATTENTION
Task: {A31C7581-9480-4B5D-95DB-651BD2C5B447} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {C07E9F57-973C-458A-82B6-68B46E7B2C75} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {C5602EE2-A3E3-4981-953C-73B9B791B0DC} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {CA8E7600-EFE0-4F43-88C6-CB417587F931} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
*****************

Error: (0) Failed to create a restore point.
Processes closed successfully.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt1" => key removed successfully
HKCR\Wow6432Node\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt2" => key removed successfully
HKCR\Wow6432Node\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\DropboxExt3" => key removed successfully
HKCR\Wow6432Node\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => key not found.
"HKU\S-1-5-21-1014425561-813898150-3024837209-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F19E208D-9328-4D19-9319-969CBF9D2C39}" => key removed successfully
HKCR\CLSID\{F19E208D-9328-4D19-9319-969CBF9D2C39} => key not found.
"HKU\S-1-5-21-1014425561-813898150-3024837209-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F8A48C4E-622F-489D-A1D1-431DF6DDB50D}" => key removed successfully
HKCR\CLSID\{F8A48C4E-622F-489D-A1D1-431DF6DDB50D} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}" => key removed successfully
HKCR\CLSID\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}" => key removed successfully
HKCR\Wow6432Node\CLSID\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9}" => key removed successfully
HKCR\Wow6432Node\CLSID\{DA986D7D-CCAF-47B2-84FE-BFA1549BEBF9} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{E3286BF1-E654-42FF-B4A6-5E111731DF6B} => value removed successfully
HKCR\Wow6432Node\CLSID\{E3286BF1-E654-42FF-B4A6-5E111731DF6B} => key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\ZEON/PDF,version=2.0" => key removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\sp@avast.com => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{2D352E87-80AD-45C6-90D0-6E20770D1EB8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2D352E87-80AD-45C6-90D0-6E20770D1EB8}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{406B7CE5-4E03-4A48-9CAC-6195C7FCFF75}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{406B7CE5-4E03-4A48-9CAC-6195C7FCFF75}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{42E66D9C-A24E-4706-B8A3-20B989D98ACD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{42E66D9C-A24E-4706-B8A3-20B989D98ACD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{606B8698-38FC-401A-A4E9-BFF7D2985DAD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{606B8698-38FC-401A-A4E9-BFF7D2985DAD}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{63B79582-68EB-42BC-8C86-CBC25E1679FA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{63B79582-68EB-42BC-8C86-CBC25E1679FA}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{660C81BC-2B97-4327-9EBE-7B16F3566F1B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{660C81BC-2B97-4327-9EBE-7B16F3566F1B}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{6BDF0173-5DD7-4FF3-9C74-4E14CDFA35E0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6BDF0173-5DD7-4FF3-9C74-4E14CDFA35E0}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Logon-5d" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{A31C7581-9480-4B5D-95DB-651BD2C5B447}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A31C7581-9480-4B5D-95DB-651BD2C5B447}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C07E9F57-973C-458A-82B6-68B46E7B2C75}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C07E9F57-973C-458A-82B6-68B46E7B2C75}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{C5602EE2-A3E3-4981-953C-73B9B791B0DC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C5602EE2-A3E3-4981-953C-73B9B791B0DC}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{CA8E7600-EFE0-4F43-88C6-CB417587F931}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CA8E7600-EFE0-4F43-88C6-CB417587F931}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\Time-5d" => key removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 308208 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 36017996 B
Java, Flash, Steam htmlcache => 30181045 B
Windows/system/drivers => 91675608 B
Edge => 37968375 B
Chrome => 193248783 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 395024 B
NetworkService => 1625772 B
Gavin => 141018990 B
OrbwebAdmin => 10485732 B
DefaultAppPool => 0 B

RecycleBin => 588503951 B
EmptyTemp: => 1.1 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 19:57:03 ====


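The fixlog above is mostly orphan removal: Browser Helper Objects, an IE toolbar, Dropbox icon-overlay handlers and a dozen GWX scheduled tasks whose CLSID or executable no longer exists ("No File"), plus two Yahoo search scopes. The script below is an added example, not part of the thread and not FRST code: it walks the same persistence points on a Windows 10 box and reports anything FRST would label "No File", so you can check that the cleanup took and catch re-created entries later. It is read-only and assumes it is run from an elevated 64-bit PowerShell.

```powershell
# Added example, not part of the thread or of FRST: re-check the persistence points the
# fixlog above cleaned (Browser Helper Objects, shell icon overlays, IE toolbars,
# IE search scopes, scheduled tasks) and report entries whose registered CLSID or
# task executable is gone. Read-only: nothing is deleted. Run from an elevated
# 64-bit PowerShell so the Wow6432Node view is not hidden by registry redirection.

function Resolve-ClsidPath {
    # The DLL Explorer/IE would load for a CLSID is the InprocServer32 default value.
    param([string]$Clsid, [switch]$Wow64)
    $root = if ($Wow64) { 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
            else        { 'Registry::HKEY_CLASSES_ROOT\CLSID' }
    $key = "$root\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $key)) { return $null }
    $raw = (Get-ItemProperty -LiteralPath $key).'(default)'
    if (-not $raw) { return $null }
    return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
}

function Test-ShellEntry {
    param([string]$Kind, [string]$Name, [string]$Clsid, [switch]$Wow64)
    $dll = Resolve-ClsidPath -Clsid $Clsid -Wow64:$Wow64
    if (-not $dll)                              { $status = 'No CLSID' }
    elseif (-not (Test-Path -LiteralPath $dll)) { $status = 'No File'  }
    else                                        { $status = 'OK'       }
    [pscustomobject]@{ Kind = $Kind; Name = $Name; CLSID = $Clsid; Path = $dll; Status = $status }
}

function Get-ShellExtensionStatus {
    foreach ($wow in $false, $true) {
        $sw   = if ($wow) { 'SOFTWARE\Wow6432Node' } else { 'SOFTWARE' }
        $bits = if ($wow) { 'x32' } else { 'x64' }
        # BHOs: one subkey per CLSID.
        $bho = "HKLM:\$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (Test-Path $bho) {
            foreach ($k in Get-ChildItem $bho) {
                Test-ShellEntry -Kind "BHO-$bits" -Name $k.PSChildName -Clsid $k.PSChildName -Wow64:$wow
            }
        }
        # Icon overlays: subkey name is a label (e.g. DropboxExt1); default value is the CLSID.
        $ovl = "HKLM:\$sw\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
        if (Test-Path $ovl) {
            foreach ($k in Get-ChildItem $ovl) {
                $clsid = (Get-ItemProperty -LiteralPath $k.PSPath).'(default)'
                Test-ShellEntry -Kind "IconOverlay-$bits" -Name $k.PSChildName -Clsid $clsid -Wow64:$wow
            }
        }
        # IE toolbars: the value names themselves are CLSIDs.
        $tb = "HKLM:\$sw\Microsoft\Internet Explorer\Toolbar"
        if (Test-Path $tb) {
            foreach ($v in (Get-Item $tb).GetValueNames() | Where-Object { $_ -like '{*}' }) {
                Test-ShellEntry -Kind "Toolbar-$bits" -Name $v -Clsid $v -Wow64:$wow
            }
        }
    }
}

function Get-IESearchScope {
    # Search scopes are URLs, not files; list them so a hijacked provider stands out.
    $base = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
    if (-not (Test-Path $base)) { return }
    foreach ($k in Get-ChildItem $base) {
        $p = Get-ItemProperty -LiteralPath $k.PSPath
        [pscustomobject]@{ Scope = $k.PSChildName; DisplayName = $p.DisplayName; URL = $p.URL }
    }
}

function Get-TaskWithMissingExe {
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }      # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            # Bare names such as cmd.exe resolve through PATH, so check that as well.
            $found = (Test-Path -LiteralPath $exe) -or [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            if (-not $found) {
                [pscustomobject]@{ Task = "$($t.TaskPath)$($t.TaskName)"; Execute = $a.Execute }
            }
        }
    }
}

Get-ShellExtensionStatus | Where-Object Status -ne 'OK' | Format-Table -AutoSize
Get-IESearchScope        | Format-Table -AutoSize
Get-TaskWithMissingExe   | Format-Table -AutoSize
```

An orphaned entry is not an infection by itself, only a leftover registration, but an entry that points at a DLL which does exist and that you cannot account for is what deserves a look. Run the script again after a reboot: a BHO or task that comes back after being removed means something on the machine is re-creating it.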

#16
June 25, 2016 at 17:02:18
Here are the next 2 steps; more steps may be needed after I see the results of these logs.

Run them in this order.

Step 1: Run AdwCleaner
http://www.softpedia.com/get/Antivi...
http://www.raymond.cc/blog/adwclean...
http://www.bleepingcomputer.com/dow...
Author's site
http://general-changelog-team.fr/en...
Tutorial
http://general-changelog-team.fr/en...
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click Scan
In the results tabs, uncheck anything you don't want to remove.
Click on Cleaning.
Confirm each time with Ok.
Your computer will be rebooted automatically. A text file will open after the restart.
Please Copy & Paste the contents of that logfile with your next answer.
You can find the logfile at C:\AdwCleaner[C1 or later].txt as well.
http://i.imgur.com/r3PoAEG.gif

Step 2: Run Malwarebytes Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.org/
http://thisisudax.blogspot.com.au/2...
Download Malwarebytes Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#17
June 25, 2016 at 17:12:24
Here is the log from adwcleaner:

# AdwCleaner v5.200 - Logfile created 25/06/2016 at 20:09:13
# Updated 14/06/2016 by ToolsLib
# Database : 2016-06-25.3 [Server]
# Operating system : Windows 10 Home (X64)
# Username : Gavin - GAVINS-PC
# Running from : C:\Users\Gavin\Desktop\adwcleaner_5.200.exe
# Option : Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****

[-] Folder Deleted : C:\WINDOWS\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil
[-] Folder Deleted : C:\Users\Gavin\AppData\Local\YSearchUtil
[-] Folder Deleted : C:\Users\Gavin\AppData\Roaming\Search Protection
[-] Folder Deleted : C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nonjdcjchghhkdoolnlbekcfllmednbl

***** [ Files ] *****

[-] File Deleted : C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_nonjdcjchghhkdoolnlbekcfllmednbl_0.localstorage
[-] File Deleted : C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_nonjdcjchghhkdoolnlbekcfllmednbl_0.localstorage-journal

***** [ DLLs ] *****


***** [ WMI ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10921475-03CE-4E04-90CE-E2E7EF20C814}
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
[-] Key Deleted : HKCU\Software\AppDataLow\Software\Search Protection
[-] Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Search Protection
[-] Value Deleted : HKU\S-1-5-21-1014425561-813898150-3024837209-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run [Search Protection]

***** [ Web browsers ] *****

[-] [C:\Users\Gavin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : nonjdcjchghhkdoolnlbekcfllmednbl

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C1].txt - [2704 bytes] - [25/06/2016 20:09:13]
C:\AdwCleaner\AdwCleaner[S1].txt - [2896 bytes] - [25/06/2016 20:06:48]

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [2850 bytes] ##########

Running Malwarebytes now, I'll copy that in the next comment.


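Two of the removals in the AdwCleaner log above are the kind that produce browser redirects: a Chrome extension (`nonjdcjchghhkdoolnlbekcfllmednbl`, deleted from the profile folder and from Secure Preferences) and a "Search Protection" program with a StartupApproved\Run entry; the earlier FRST fixlog also removed `HKLM\...\Google\Chrome\Extensions\<id>` keys, which is where software installed outside the browser registers extensions for Chrome to pick up. The script below is an added example, not from the thread or from AdwCleaner, that inventories both sources so you can see what is installed before a tool decides for you. It assumes Chrome's default user-data location under `%LOCALAPPDATA%` and is read-only.

```powershell
# Added example, not part of the thread or of AdwCleaner: inventory the Chrome
# extensions installed for every profile under the current user's Chrome data
# directory, read each manifest.json, and flag permissions that let an extension
# observe or rewrite navigation (the capability a redirecting extension needs).
# Also lists the registry keys Chrome honours for externally installed extensions,
# the same HKLM\...\Google\Chrome\Extensions\<id> keys the FRST fixlog removed.
# Read-only: it deletes nothing.

$RedirectCapable = @('webRequest', 'webRequestBlocking', 'webNavigation', 'tabs',
                     'declarativeNetRequest', 'proxy', '<all_urls>', '*://*/*',
                     'http://*/*', 'https://*/*')

function Get-ManifestName {
    param($Manifest, [string]$ExtDir)
    # "__MSG_key__" names are localized through _locales\<default_locale>\messages.json.
    $name = [string]$Manifest.name
    if ($name -match '^__MSG_(.+)__$' -and $Manifest.default_locale) {
        $msgFile = Join-Path $ExtDir "_locales\$($Manifest.default_locale)\messages.json"
        if (Test-Path -LiteralPath $msgFile) {
            try {
                $msgs  = Get-Content -Raw -LiteralPath $msgFile | ConvertFrom-Json
                $entry = $msgs.PSObject.Properties[$Matches[1]]
                if ($entry) { $name = $entry.Value.message }
            } catch { }
        }
    }
    return $name
}

function Get-ChromeExtensionInventory {
    param([string]$UserData = "$env:LOCALAPPDATA\Google\Chrome\User Data")
    # Layout: <User Data>\<Profile>\Extensions\<32-char id>\<version>\manifest.json
    $manifests = Get-ChildItem -Path "$UserData\*\Extensions\*\*\manifest.json" -ErrorAction SilentlyContinue
    foreach ($mf in $manifests) {
        try { $m = Get-Content -Raw -LiteralPath $mf.FullName | ConvertFrom-Json } catch { continue }
        $perms = @($m.permissions) + @($m.host_permissions) +
                 @($m.content_scripts | ForEach-Object { $_.matches }) |
                 Where-Object { $_ -is [string] }
        $flag  = @($perms | Where-Object { $RedirectCapable -contains $_ })
        [pscustomobject]@{
            Profile = $mf.Directory.Parent.Parent.Parent.Name
            Id      = $mf.Directory.Parent.Name
            Name    = Get-ManifestName -Manifest $m -ExtDir $mf.DirectoryName
            Version = $m.version
            Flagged = ($flag -join ', ')
            Path    = $mf.DirectoryName
        }
    }
}

function Get-ChromeRegistryExtension {
    # External-install keys: one subkey per extension id holding "path"+"version" or "update_url".
    $keys = 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
            'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
            'HKCU:\SOFTWARE\Google\Chrome\Extensions'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($sub in Get-ChildItem $k) {
            $p = Get-ItemProperty -LiteralPath $sub.PSPath
            [pscustomobject]@{ Source = $k; Id = $sub.PSChildName; Path = $p.path; UpdateUrl = $p.update_url }
        }
    }
    # Policy force-install list: each value is an "<id>;<update_url>" string.
    $pol = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
    if (Test-Path $pol) {
        foreach ($v in (Get-Item $pol).GetValueNames()) {
            $id, $url = (Get-ItemPropertyValue -LiteralPath $pol -Name $v) -split ';', 2
            [pscustomobject]@{ Source = $pol; Id = $id; Path = $null; UpdateUrl = $url }
        }
    }
}

Get-ChromeExtensionInventory | Sort-Object Flagged -Descending | Format-Table -AutoSize
Get-ChromeRegistryExtension  | Format-Table -AutoSize
```

The flagged permissions are legitimate for ad blockers, password managers and the like, so the list is for triage, not verdicts: an extension you did not install, with a generic name, `<all_urls>` plus `webRequest`, and a matching entry under the HKLM Extensions keys is the pattern to remove. Anything listed under the Policies key was installed by "policy" and Chrome will not let the user remove it from the extensions page; the registry value has to go first.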

#18
June 25, 2016 at 17:14:49
Here is the log from JRT:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.6 (04.25.2016)
Operating System: Windows 10 Home x64
Ran by Gavin (Administrator) on Sat 06/25/2016 at 20:12:57.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 12

Successfully deleted: C:\ProgramData\iobit\driver booster (Folder)
Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\Gavin\AppData\Roaming\iobit\driver booster (Folder)
Successfully deleted: C:\Users\Gavin\AppData\Roaming\productdata (Folder)
Successfully deleted: C:\WINDOWS\system32\Tasks\Driver Booster Scheduler (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\Driver Booster SkipUAC (Gavin) (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\Uninstaller_SkipUac_Administrator (Task)
Successfully deleted: C:\WINDOWS\Tasks\Uninstaller_SkipUac_Administrator.job (Task)
Successfully deleted: C:\Program Files (x86)\iobit\driver booster (Folder)
Successfully deleted: C:\WINDOWS\prefetch\AVAST_FREE_ANTIVIRUS_SETUP_ON-60D93984.pf (File)
Successfully deleted: C:\WINDOWS\prefetch\DRIVERBOOSTER.EXE-51D78DCC.pf (File)
Successfully deleted: C:\WINDOWS\prefetch\FREEBIGUPGRADE.EXE-F7490079.pf (File)

Registry: 1

Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_0477114E6D4D5C6A3EC1F4BBA6E33D15 (Registry Value)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 06/25/2016 at 20:14:12.21
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#19
June 25, 2016 at 17:17:43
Nearly finished.

Extract from the fixlog.
"EmptyTemp: => 1.1 GB temporary data Removed"
Too big, even if you are a gamer.
Here are temp file settings for a normal user, adjust to suit your requirements.
Set Java to 100mb
https://steveshank.com/cgi-bin/arti...
All browsers, set to 50mb ( that's MB, not GB ) for temp.
Chrome is not so straight forward.
How to set Google Chrome cache to 50mb max temporary files.
With comps, there is always more than one way to do things, try this way.
Right click on the Google Chrome shortcut > Properties.
Copy & Paste this below after .exe" as per SS ( Screenshot )
NOTE: There is a space after .exe"
http://i.imgur.com/vgkU3X1.gif
--disk-cache-size=50000"
Click > Apply & then OK.

Extract from the Addition log.
"ATTENTION: System Restore is disabled"
Extract from the Fixlog.
"Error: (0) Failed to create a restore point"

Is it turned off deliberately?
If not, adjust your settings.


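The post above asks for two settings changes: a cap on Chrome's disk cache via the shortcut's Target box, and turning System Restore back on (the fixlog's "Failed to create a restore point" is the consequence of it being off). Below is an added example, not from the thread, that does both from PowerShell instead of hand-editing the Target field. Chrome's `--disk-cache-size` value is in bytes, so the example uses 52428800 for 50 MB. The shortcut path is an assumption (the default location of the taskbar-pinned Chrome shortcut); point it at whichever .lnk you actually launch Chrome from, and run it elevated for the System Restore part.

```powershell
# Added example, not part of the thread: cap Chrome's disk cache by editing the
# shortcut's Arguments field (read back afterwards), and re-enable System Restore
# on the system drive with a fresh restore point. Shortcut path is an assumption.

$CacheBytes = 50MB    # --disk-cache-size takes bytes; 50MB expands to 52428800

function Set-ChromeCacheLimit {
    param([Parameter(Mandatory)][string]$ShortcutPath, [long]$Bytes = $CacheBytes)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($ShortcutPath)
    # In a .lnk the exe (TargetPath) and its switches (Arguments) are separate fields;
    # the Target box shows them as "<exe>" <arguments>, which is where the quoting
    # trouble in this thread came from.
    if ($lnk.TargetPath -notlike '*\chrome.exe') {
        throw "Not an existing Chrome shortcut: '$ShortcutPath' -> '$($lnk.TargetPath)'"
    }
    # Drop any earlier --disk-cache-size so the flag is not duplicated, then append ours.
    $kept = ($lnk.Arguments -split '\s+' | Where-Object { $_ -and $_ -notlike '--disk-cache-size=*' }) -join ' '
    $lnk.Arguments = ("$kept --disk-cache-size=$Bytes").Trim()
    $lnk.Save()
    # Read it back so the caller sees the exact command line the shortcut now launches.
    $check = $shell.CreateShortcut($ShortcutPath)
    return "`"$($check.TargetPath)`" $($check.Arguments)"
}

function Enable-SystemRestoreOnSystemDrive {
    $drive = $env:SystemDrive + '\'             # e.g. C:\
    Enable-ComputerRestore -Drive $drive        # requires an elevated session
    # Windows 8 and later create at most one checkpoint per 24 hours through this cmdlet,
    # so the call is a no-op if one was already made today.
    Checkpoint-Computer -Description 'Before malware cleanup' -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Select-Object -Last 3 |
        Format-Table SequenceNumber, CreationTime, Description -AutoSize
}

# Default location of the taskbar-pinned Chrome shortcut (assumption; adjust as needed).
$pinned = "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
Set-ChromeCacheLimit -ShortcutPath $pinned
Enable-SystemRestoreOnSystemDrive
```

The flag only applies to Chrome instances started from that shortcut; close Chrome completely (including background processes) and relaunch it from the edited shortcut, then confirm with `chrome://version`, whose "Command Line" row shows the switches in effect. Other Chrome shortcuts (Desktop, Start Menu under `C:\ProgramData\Microsoft\Windows\Start Menu\Programs`) need the same edit if you use them.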

#20
June 25, 2016 at 17:28:37
I can't edit the box that it shows in your screenshot. It just says "chrome" and I cannot add anything in that text box. Here is a screenshot of what I see: http://imgur.com/JnrQnjz

I'm not sure why the system restore is disabled, that's definitely not intentional. How do I change that setting?



#21
June 25, 2016 at 17:36:06
"It just says "chrome" and I cannot add anything in that text box"
You are not right clicking on the shortcut.

"How do I change that setting?"
Should be in your Help files or Google.

message edited by Johnw



#22
June 25, 2016 at 17:44:29
I didn't have a shortcut on my desktop. I just created one, right clicked on it, and went to the screen in your screenshot. What appeared is what I posted in my screenshot image.



#23
June 25, 2016 at 18:12:15
"I didn't have a shortcut on my desktop"
Use the shortcut on your taskbar.


#24
June 25, 2016 at 18:14:56
I tried editing and it is responding saying that the target box is not valid. Here is what I'm getting now: http://imgur.com/9tjHTTK

message edited by gmackie



#25
June 25, 2016 at 18:17:49
Don't know what is going on, perhaps reinstall again.


#26
June 25, 2016 at 18:21:52
"I tried editing and it is responding saying that the target box is not valid"
Our posts crossed.

There is no space after exe.



#27
June 25, 2016 at 18:28:32
There is no space in what I'm trying. I copied exactly what you posted with no space, what I got is what I posted in the screenshot. I tried it a few more times, ensuring that there is no space, and I got the same result.


#28
June 25, 2016 at 18:39:27
Here are the original instructions.
"NOTE: There is a space after .exe""

You have not put a space after exe.



#29
June 25, 2016 at 19:27:43
I tried with a space and got the same result. Sorry for the confusion before. This is what I have now: http://imgur.com/BiHsdXW


#30
June 25, 2016 at 19:33:54
You do not have " after exe


#31
June 26, 2016 at 05:23:49
Thank you, I thought that was just at the end. I think it is all set now.


#32
June 26, 2016 at 06:28:19
✔ Best Answer
I'm off to bed now, here are some extra bits of info.

Extract from the FRST log.
"Platform: Windows 10 Home Version 1511 (X64) Language: English (United States)"
Make sure ALL your Regional and Language Options settings are Ok. They will be something similar to this, the main point being, you should have at least 3 places to make sure you have your country displayed.

Windows 10: Change or Add Another Language or Region.
http://www.tech-recipes.com/rx/5633...
http://i.imgur.com/gkPnT4j.gif
http://i.imgur.com/8J4WO6U.gif
http://i.imgur.com/gtwlzJo.gif
http://i.imgur.com/vSWwH00.gif

Here is how a USER got the problems; no AV would have prevented USER error. Go to any malware forum and, no matter what AV they have installed, they got infected.

As you can see from your logs, you had a lot of stuff installed that you do not know how it got installed.
A lot of programs now give you the choice to install toolbars & other items during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install; you have to read after each click.

Or, use Unchecky to help prevent these third-party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Unchec...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic & Brothersoft )
http://www.groovypost.com/unplugged...
http://www.howtogeek.com/198622/her...

I use Softpedia & FreewareFiles.com; they make you aware of what ad-supported programs the author of the program has included.
http://win.softpedia.com/index.free...
http://www.freewarefiles.com/new_fi...
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
http://i.imgur.com/rqSpp1e.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

