Solved How do I stop my pc sending spam

Asustek computer inc. / K53sj
June 10, 2015 at 18:27:18
Specs: Windows 7, 2.301 GHz / 8103 MB
My pc seems to be sending spam emails but they don't seem to be going to people in my address book. I keep getting undelivered mail messages from my provider. They are all unknown to me.


#1
June 10, 2015 at 18:39:12
Your email account has likely been hacked. Change your password.


#2
June 11, 2015 at 02:09:28
Also run this on it:

MalwareBytes:
http://filehippo.com/download_malwa...
(green Download button top right - not anything else on the page)
Install and Run the program but before doing its Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

If it finds anything please copy/paste the log on here.

Always pop back and let us know the outcome - thanks



#3
June 11, 2015 at 04:02:38
I have run Malwarebytes but it found nothing.

#4
June 11, 2015 at 08:04:23
OK can you run this little file too - it is quick to do and looks for quite different things:

AdwCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Cleaning" button.

Again, paste the log if it finds anything please.

Always pop back and let us know the outcome - thanks



#5
June 11, 2015 at 15:55:17
Sorry for the delay, I have just got up. Ran AdwCleaner, log below.

# AdwCleaner v3.101 - Report created 12/06/2015 at 08:48:14
# Updated 20/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Brian Halson - BRIANHALSON-PC
# Running from : C:\Users\Brian Halson\Desktop\Security\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\Users\Brian Halson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Folder Found C:\AI_RecycleBin
Folder Found C:\Program Files (x86)\Toolbar Cleaner
Folder Found C:\ProgramData\Package Cache
Folder Found C:\Users\Brian Halson\AppData\LocalLow\adawaretb
Folder Found C:\Users\Brian Halson\AppData\Roaming\SecureSearch
Folder Found C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Found C:\Windows\SysWOW64\AI_RecycleBin

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKCU\Software\AppDataLow\Software\adawaretb
Key Found : HKCU\Software\Classes\pokki
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKLM\Software\adawaretb
Key Found : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{baad6aa7-889d-4db4-8666-f71544310e82}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}
Key Found : HKLM\SOFTWARE\classes\FMMediaFormats.FormatCodecVideo
Key Found : HKLM\SOFTWARE\classes\FMMediaFormats.FormatCodecVideo.1
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner
Key Found : HKLM\Software\Toolbar Cleaner
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Value Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17840


-\\ Mozilla Firefox v38.0.5 (x86 en-US)

[ File : C:\Users\Brian Halson\AppData\Roaming\Mozilla\Firefox\Profiles\qaysjhks.default-1423976249486\prefs.js ]


-\\ Google Chrome v43.0.2357.124

[ File : C:\Users\Brian Halson\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [13300 octets] - [21/04/2014 15:17:07]
AdwCleaner[R1].txt - [4171 octets] - [12/06/2015 08:48:14]
AdwCleaner[S0].txt - [13320 octets] - [21/04/2014 15:21:36]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [4292 octets] ##########



#6
June 11, 2015 at 16:48:07
Yes, it found and fixed a few things.

It would therefore be worth running this one too:
Junkware Removal Tool (JRT)
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

Please copy/paste the log as before and let me know if you are still getting the undelivered messages.

Always pop back and let us know the outcome - thanks



#7
June 11, 2015 at 16:49:48
Next step topbooka, more steps will be needed after this.

Run Junkware Removal Tool
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://thisisudax.org/
http://thisisudax.blogspot.com.au/2...
Download Junkware Removal Tool onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Warning! Once the scan is complete JRT will shut down your browser with NO warning.
Shut down your protection software now to avoid potential conflicts.
Temporarily disable your antivirus and any antispyware real time protection before performing a scan.
Click this link to see a list of security programs that should be disabled and how to disable them.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Run the tool by double-clicking it. If you are using Windows Vista or Windows 7/8, right-click JRT and select Run as Administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved onto your Desktop and will automatically open.
Copy and Paste the contents of the JRT.txt log please.



#8
June 11, 2015 at 16:51:56
Oops Derek, saw the post was about an hour old, thought you may not be around.

#9
June 11, 2015 at 16:55:58
topbooka, did you hit the AdwCleaner Clean button?

If so can we have the log please.

message edited by Johnw



#10
June 11, 2015 at 16:57:53
No matter, I've gotta go now anyhow (gas men tearing up the main and service pipes early tomorrow). Please carry on - Nite.

Always pop back and let us know the outcome - thanks



#11
June 11, 2015 at 17:26:42
Scan complete for JRT, log below

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.1 (06.08.2015:1)
OS: Windows 7 Home Premium x64
Ran by Brian Halson on Fri 12/06/2015 at 10:17:41.61
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


~~~ Services

~~~ Tasks

~~~ Registry Values

~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CLASSES_ROOT\CLSID\{3A2D5EBA-F86D-4BD3-A177-019765996711}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3A2D5EBA-F86D-4BD3-A177-019765996711}
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3A2D5EBA-F86D-4BD3-A177-019765996711}

~~~ Files

Successfully deleted: [File] C:\Windows\reimage.ini
Successfully deleted: [File] C:\Windows\system32\LavasoftTcpService64.dll
Successfully deleted: [File] C:\Windows\system32\LavasoftTcpServiceOff.ini
Successfully deleted: [File] C:\Windows\syswow64\LavasoftTcpService.dll
Successfully deleted: [File] C:\Windows\syswow64\LavasoftTcpService.ini
Successfully deleted: [File] C:\Windows\syswow64\LavasoftTcpServiceOff.ini
Successfully deleted: [File] C:\Users\Brian Halson\appdata\local\google\chrome\user data\default\local storage\hxxp_st.chatango.com_0.localstorage
Successfully deleted: [File] C:\Users\Brian Halson\appdata\local\google\chrome\user data\default\local storage\hxxp_st.chatango.com_0.localstorage-journal

~~~ Folders

Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{0FE5A262-4593-4B46-ACBE-CE1BF8680E20}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{18E00A1B-759A-4305-85C9-857A22C0D2BC}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{246BB934-69E8-4F5D-B450-18E7D2A74316}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{2E6FDAC2-7640-44C8-925C-515680FD6CA8}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{4ED9330C-9D2B-483E-9DDA-F48783632BFE}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{541A7EE6-E726-4DCB-A110-11C066BF285B}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{597C6705-4C36-49B4-AB5C-4312A57D23E5}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{71C9B01D-C8BD-487E-B877-6F280B549D8B}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{90AC93D8-9AC8-4E2D-8CEF-382DAFCF61D0}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{B041A4BC-6D8E-480A-A773-66DDB771F040}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{C302BB07-D6B1-483E-94DA-17693E20A646}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{C832CF3F-9475-4B30-A85F-218E5F97628E}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{DD54A7D0-FBE1-416E-9D00-4B427DB3E7EC}
Successfully deleted: [Empty Folder] C:\Users\Brian Halson\appdata\local\{F5998EFF-7693-4AFC-9F62-008770DAA4B3}
Successfully deleted: [Folder] C:\Users\Brian Halson\AppData\Roaming\getprivate
Successfully deleted: [Folder] C:\Users\Brian Halson\AppData\Roaming\getrighttogo
Successfully deleted: [Folder] C:\ProgramData\4899dd140d5f13cc

~~~ FireFox


~~~ Chrome

Successfully deleted: [Folder] C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj

[C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Brian Halson\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[
jbolfgndggfhhpbnkgnpjkfhinclbigj
]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/06/2015 at 10:23:24.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



#12
June 11, 2015 at 17:31:09
"Sorry for the delay I have just got up"
Me too, I'm here.
http://www.timeanddate.com/worldclo...

Just waiting on the log from my post #9

EDIT. Note: AdwCleaner has a Clean button, not Delete.

message edited by Johnw



#13
June 11, 2015 at 17:41:39
Morning Johnw
Log is at post #5


#14
June 11, 2015 at 17:45:56
"Log is at post #5"
Yep, but that only shows what it found.

Need the log showing what it deleted after hitting the Clean button.

message edited by Johnw



#15
June 11, 2015 at 18:02:32
Sorry, but I cannot find this log; I can only find what is in quarantine.

#16
June 11, 2015 at 18:09:05
You can find the logfile at C:\AdwCleaner[S1].txt


#17
June 11, 2015 at 18:24:13
Thanks, found it

# AdwCleaner v3.101 - Report created 12/06/2015 at 09:59:06
# Updated 20/04/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Brian Halson - BRIANHALSON-PC
# Running from : C:\Users\Brian Halson\Desktop\Security\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\AI_RecycleBin
Folder Deleted : C:\ProgramData\Package Cache
Folder Deleted : C:\Program Files (x86)\Toolbar Cleaner
Folder Deleted : C:\Windows\SysWOW64\AI_RecycleBin
Folder Deleted : C:\Users\BRIANH~1\AppData\Local\Temp\AI_RecycleBin
Folder Deleted : C:\Users\Brian Halson\AppData\LocalLow\adawaretb
Folder Deleted : C:\Users\Brian Halson\AppData\Roaming\SecureSearch
Folder Deleted : C:\Users\Brian Halson\AppData\Local\Google\Chrome\User Data\Default\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jbolfgndggfhhpbnkgnpjkfhinclbigj
Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\classes\FMMediaFormats.FormatCodecVideo
Key Deleted : HKLM\SOFTWARE\classes\FMMediaFormats.FormatCodecVideo.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{baad6aa7-889d-4db4-8666-f71544310e82}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{00000001-4FEF-40D3-B3FA-E0531B897F98}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{64697678-0000-0010-8000-00AA00389B71}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{F6E8FC04-8B05-48B1-9399-848229502A06}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C97A91E-4524-4019-86AF-2AA2D567BF5C}
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
Value Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{6C97A91E-4524-4019-86AF-2AA2D567BF5C}]
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKCU\Software\AppDataLow\Software\adawaretb
Key Deleted : HKLM\Software\adawaretb
Key Deleted : HKLM\Software\Toolbar Cleaner
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Toolbar Cleaner

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17840


-\\ Mozilla Firefox v38.0.5 (x86 en-US)

[ File : C:\Users\Brian Halson\AppData\Roaming\Mozilla\Firefox\Profiles\qaysjhks.default-1423976249486\prefs.js ]


-\\ Google Chrome v43.0.2357.124

[ File : C:\Users\Brian Halson\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [13300 octets] - [21/04/2014 15:17:07]
AdwCleaner[R1].txt - [4400 octets] - [12/06/2015 08:48:14]
AdwCleaner[S0].txt - [13320 octets] - [21/04/2014 15:21:36]
AdwCleaner[S1].txt - [4123 octets] - [12/06/2015 09:59:06]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [4183 octets] ##########



#18
June 11, 2015 at 18:26:52
Next step.

Download ComboFix onto your Desktop & then run. If your default download location is not the Desktop, drag it out of its location onto the Desktop. Copy & Paste the contents of the log in your next post please. ComboFix's log should be located at C:\COMBOFIX.TXT.
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...
A guide and tutorial on using ComboFix
http://www.bleepingcomputer.com/com...
http://www.winhelp.us/index.php/gen...
Manually restoring the Internet connection
http://www.bleepingcomputer.com/com...
"There are circumstances ComboFix will hang, crash or stall at various stages due to malware interference, failure to disable other real-time protection tools or the presence of CD Emulators (Daemon Tools, Alcohol 120%, Astroburn, AnyDVD) so that it does not complete successfully. Also, depending on how badly a system is infected, ComboFix may take longer to complete its routine than it normally does or fail to run properly. While that is not normal behavior, it is not unusual."
If you think it's frozen, look at the computer clock.
If it's running, Combofix is still working.
NOTE: Do not mouseclick combofix's window while it is running. That may cause it to stall.
NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
**Please Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes.
If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.
Can't Install an Antivirus - Windows Security Center still detects previous AV
http://www.experts-exchange.com/Vir...
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
* Close all open Windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found in this topic.
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
Once these two steps have been completed, double-click on the ComboFix icon found on your Desktop.
Please Note: Once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.



#19
June 11, 2015 at 19:42:28
ComboFix scan complete, link below

http://www9.zippyshare.com/v/bmGLHw...

#20
June 11, 2015 at 20:04:36
Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif


#21
June 11, 2015 at 20:54:07
FRST complete, links to logs below

http://www36.zippyshare.com/v/cq6Sp...
http://www36.zippyshare.com/v/jJ6Zi...

#22
June 11, 2015 at 21:03:05
Give me about 15mins to do the first step in analyzing.


#23
June 11, 2015 at 21:06:33
OK thanks, I will be standing by.

#24
June 11, 2015 at 21:13:20
✔ Best Answer
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
AlternateDataStreams: C:\ProgramData\Temp:4116B5AB
AlternateDataStreams: C:\ProgramData\Temp:56E2E879
AlternateDataStreams: C:\ProgramData\Temp:FB1B13D8
HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-279346440-3864694767-3748385609-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/search?q={searc...
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://www.google.com/search?source...
SearchScopes: HKU\S-1-5-21-279346440-3864694767-3748385609-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
FF Homepage: hxxp://media.telstra.com.au/home.html
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\BRIANH~1\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
S3 motandroidusb; System32\Drivers\motoandroid.sys [X]
S3 motccgpfl; system32\DRIVERS\motccgpfl.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
S3 zgwhsdiag; system32\DRIVERS\zgwhsdiag.sys [X]
S3 zgwhsnmea; system32\DRIVERS\zgwhsnmea.sys [X]

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.



#25
June 11, 2015 at 21:21:06
Do I have to run fix in Farbar before I do this?

#26
June 11, 2015 at 21:27:36
Depending on the outcome of the scans, there may be another explanation. If your email address is in someone else's address book the problem may be on their computer instead of yours. Malware on their computer may be using their address book to spoof messages. You would be notified of any message that was undeliverable since the email server would think you were the sender. That happened to me several years ago and there wasn't anything I could do as I had no idea where they were originating.

Report •
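
Added example (not part of any poster's reply): the three explanations raised in this thread, a spoofed sender address (#26), a misused mail account (#1) and a machine on your own connection sending the mail, can be told apart from the original message that a bounce carries back. The provider relay range, the home IP address and the sample bounce are constructed assumptions; substitute your own values and a real "undelivered mail" message.

```python
import email
import ipaddress
import re
from email import policy

# Assumed, constructed values (RFC 5737 documentation ranges); use your own.
PROVIDER_OUTBOUND = [ipaddress.ip_network("198.51.100.0/24")]  # provider's mail relays
HOME_PUBLIC_IP = ipaddress.ip_address("203.0.113.25")          # your own connection

# Constructed bounce; the message/rfc822 part is the mail that was returned.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.recipient.example
To: user@isp.example
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to nobody@recipient.example failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.recipient.example

Final-Recipient: rfc822; nobody@recipient.example
Action: failed
--b1
Content-Type: message/rfc822

Received: from unknown-host.example ([192.0.2.77])
 by mx.recipient.example with SMTP; Thu, 11 Jun 2015 10:00:00 +0000
From: user@isp.example
To: nobody@recipient.example
Subject: constructed subject

constructed body
--b1--
"""

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def returned_message(bounce_text):
    """Return the original message (or its headers) carried inside a bounce."""
    msg = email.message_from_string(bounce_text, policy=policy.default)
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":
            return part.get_payload(0)
        if ctype == "text/rfc822-headers":
            return email.message_from_string(part.get_content(), policy=policy.default)
    return None

def hop_ips(message):
    """Client IP from each Received header, newest hop first (None if unparsable)."""
    ips = []
    for header in message.get_all("Received", []):
        match = IP_IN_BRACKETS.search(str(header))
        try:
            ips.append(ipaddress.ip_address(match.group(1)) if match else None)
        except ValueError:
            ips.append(None)
    return ips

def triage(bounce_text):
    """Classify a bounce: spoofed sender, this connection, or account misuse."""
    original = returned_message(bounce_text)
    if original is None:
        return "no-original-attached"
    ips = hop_ips(original)
    # Only the newest Received header was written by the server that bounced
    # the mail; headers below it can be forged by whoever sent the message.
    handed_over_by = ips[0] if ips else None
    if handed_over_by is None:
        return "no-usable-received-header"
    if not any(handed_over_by in net for net in PROVIDER_OUTBOUND):
        return "spoofed-elsewhere"        # never touched your provider (post #26)
    # It left through your provider, so the next header down is the provider's
    # own record of where the message was submitted from.
    submitted_from = ips[1] if len(ips) > 1 else None
    if submitted_from == HOME_PUBLIC_IP:
        return "sent-from-this-connection"    # a device on your network sent it
    return "account-used-from-elsewhere"      # credentials misused (post #1)
```

A "spoofed-elsewhere" result means cleaning the PC or changing the password will not stop the bounces; the other two results point at the local network and the mail account respectively.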

#27
June 11, 2015 at 21:33:12
"Do I have to run fix in farbar before I do this"
I don't think you have scrolled down to the bottom of my post.


#28
June 11, 2015 at 21:59:05
Here is the fix log

http://www22.zippyshare.com/v/PB4rE...



#29
June 11, 2015 at 22:06:13
I will be out for a few hours, let me know how your issues are going.
