Solved System Virus? need some help

January 7, 2016 at 11:41:37
Specs: Windows 7 home, Intel Pent., cpu g630, 4.00 GB, 64 bit
While on my other computer, running AOL and on Facebook, I received a box on the screen titled JavaScript - www.system-error.net

Windows has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location.

Then it says it found 36 threats. And my personal and financial information might be at risk and to call a 1-866 number for security check. Do not try to remove the virus manually.

My other computer is Win 7 Home, relatively new. I just ran AVG free and it found nothing. I can't click out of anything on the screen and can't close out of anything on the screen, or shut it down the conventional way.

Need some advice please.


#1
January 7, 2016 at 12:07:44
It's a scam. You most likely picked up some sort of malware or ransomware. Try the freebie version of Malwarebytes.

https://www.malwarebytes.org/

message edited by riider


#2
January 7, 2016 at 12:11:49
Yeah, I thought so too. Running Malwarebytes now, 490,000 objects scanned, nothing found.

#3
January 7, 2016 at 12:19:53
It is just about done, with nothing found. Is it ok to turn off comp by holding start button in? Then what do I do? Thank you.

#4
January 7, 2016 at 14:30:37
Hi again Warren.

Run RogueKiller
http://www.softpedia.com/get/Securi...
http://majorgeeks.com/RogueKiller_d...
http://www.freewarefiles.com/RogueK...
http://www.freewarefiles.com/screen...
http://www.geekstogo.com/forum/file...
http://tigzy.geekstogo.com/roguekil...
http://www.sur-la-toile.com/RogueKi...
User Guide
http://www.adlice.com/softwares/rog...
Official tutorial
http://www.adlice.com/software/rogu...
http://i.imgur.com/H2NiBMO.gif
http://i.imgur.com/0zpERom.gif
http://i.imgur.com/ncmto2Y.gif
FAQ
http://www.adlice.com/software/rogu...
How to Temporarily Disable your Anti-virus
http://www.bleepingcomputer.com/for...
http://www.techsupportforum.com/for...
If RogueKiller won't run, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...
http://www.askvg.com/how-to-disable...
Download & SAVE to your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
Quit all programs that you may have started.
Shutdown your antivirus to avoid any conflicts.
Please disconnect any USB or external drives from the computer before you run this scan!
For Vista or Windows 7/8, right-click and select "Run as Administrator" to start.

For Windows XP, double-click to start.
Wait until Prescan has finished ...
Then Click on "Scan" button
Wait until the Status box shows "Scan Finished"
Anything that is not checked, leave it unchecked.
Click on "Delete"
Wait until the Status box shows "Deleting Finished"
Click on "Report" and Copy & Paste the content of the Notepad into your next reply.
The log should be found in RKreport[1].txt on your Desktop.
Exit/Close RogueKiller.
When completed, make sure to re-enable your antivirus.


#5
January 7, 2016 at 14:46:10
Hi again Johnw

Got a good one this time. I called that number and they wanted me to buy a one year license for 99.99. I said no.

Am running rogue killer now.

Only thing is, I don't have a clean desktop as the AOL screen is on and so is the notice of action required. They won't disappear. But rogue killer is running.


#6
January 7, 2016 at 14:57:43
" they won't disappear. but rogue killer is running"
As usual Warren, this is just a starting point, there will be more steps.

#7
January 7, 2016 at 17:19:04
Johnw:

I ran rogue killer and all is well!! I was so happy that I clicked on restart instead of Report and lost the report, so I ran it again and I guess it repeated itself as it is very full. If you want me to send the results to you, please send me the software that allows sending large files.


#8
January 7, 2016 at 17:29:49
Johnw: Never mind, I found it.

#9
January 7, 2016 at 17:35:27

#10
January 7, 2016 at 17:50:03
"here is the file"
You have sent an old FRST file Warren.

#11
January 7, 2016 at 18:32:03
Sorry about that.

rk_2DC6.tmp.txt (20 KB) - 100%


#12
January 7, 2016 at 18:41:13
"rk_2DC6.tmp.txt (20 KB) - 100%"
That is not a log Warren.

#13
January 7, 2016 at 18:54:05
"sorry about that"
I just ran RogueKiller to see what you are doing.

""rk_2DC6.tmp.txt (20 KB) - 100%"
Either double-click the file to open it, then copy & paste the contents in your reply.

Or, upload the file.


#14
January 7, 2016 at 19:04:16
RogueKiller V11.0.6.0 [Jan 4 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/rogu...
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : user [Administrator]
Started from : C:\Users\user\Downloads\RogueKiller.exe
Mode : Delete -- Date : 01/07/2016 21:29:08

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 12 ¤¤¤
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\AOL Toolbar -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\AOL Toolbar -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Innovative Solutions -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Viewpoint -> Not selected
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10921475-03CE-4E04-90CE-E2E7EF20C814} (C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll) -> Not selected
[PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ef64538-8b54-4573-b48f-4d34b0238ab2} -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ef64538-8b54-4573-b48f-4d34b0238ab2} -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} -> Not selected
[PUP] (X64) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {ba00b7b1-0351-477a-b948-23e3ee5a73d4} : AOL Toolbar [x] -> Not selected
[PUP] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {ba00b7b1-0351-477a-b948-23e3ee5a73d4} : AOL Toolbar [x] -> Not selected
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://optimum.net/ -> Not selected
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://optimum.net/ -> Not selected

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\Program Files (x86)\Viewpoint -> Removed at reboot [91]
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll -> Removed at reboot [5]
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll -> Removed at reboot [5]
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll -> Removed at reboot [5]
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll -> Removed at reboot [5]
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll -> Removed at reboot [5]
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll -> Removed at reboot [5]
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll -> Deleted
[PUP][Folder] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\Components -> Removed at reboot [91]
[PUP][Folder] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\DownloadedComponents -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe -> Deleted
[PUP][Folder] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\NewComponents -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll -> Deleted
[PUP][File] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt -> Deleted
[PUP][Folder] C:\Program Files (x86)\Viewpoint\Viewpoint Experience Technology -> Removed at reboot [91]

¤¤¤ Hosts File : 36 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 1 ¤¤¤
[PUP][FIREFX:Addon] xhdl6odd.default-1408823845695 : Advanced SystemCare Surfing Protection [ascsurfingprotection@iobit.com] -> Not selected

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST500DM002-1BD142 +++++
--- User ---
[MBR] 924826ac3437bf7b744da4fb927e1ca9
[BSP] be26b01df814f3e42470ca09652e5698 : Empty|VT.Unknown MBR Code
Partition table:
0 - [MAN-MOUNT] EFI system partition | Offset (sectors): 2048 | Size: 100 MB
1 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 206848 | Size: 128 MB
2 - Basic data partition | Offset (sectors): 468992 | Size: 465360 MB
3 - Basic data partition | Offset (sectors): 953526272 | Size: 11351 MB
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD-Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )


#15
January 7, 2016 at 19:10:15
Ok, next step, really make sure this is run from the Desktop, not Downloads.

If you don't know how to drag it out of downloads onto the Desktop, Copy & Paste it onto the Desktop.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif


#16

#17

#18
January 7, 2016 at 20:00:54
You have sent FRST64.exe twice.

Need as requested 2 log files.


#19
January 8, 2016 at 11:24:07
Sorry. I guess I am getting too old (77) to do this stuff. Hope this is right.

http://www22.zippyshare.com/v/VUDAH...

http://www33.zippyshare.com/v/fLYi2...


#20
January 8, 2016 at 14:26:19
✔ Best Answer
"hope this is right"
Yep, we are getting there.

Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
GroupPolicy: Restriction - Chrome <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://optimum.net/
SearchScopes: HKLM-x32 -> {FCD0B440-9668-4F0C-A3B9-F057CE450973} URL = hxxp://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> DefaultScope {F463C197-90EE-448D-83A4-474AECACDBAD} URL = hxxp://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> {F463C197-90EE-448D-83A4-474AECACDBAD} URL = hxxp://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
FF Keyword.URL: hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF Extension: AOL Toolbar - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xhdl6odd.default-1408823845695\Extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1} [2016-01-02] [not signed]
FF HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\...\Firefox\Extensions: [ninjaloader@mail.com] - C:\Program Files (x86)\Ninja Loader\FireFox => not found
S3 InnovativeSolutions_monitor; C:\Program Files (x86)\Common Files\Innovative Solutions\Advanced Uninstaller\InnovativeSolutions_monitor_Svr.exe [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
S2 NinjaLoaderService; no ImagePath
S2 TuneUp.UtilitiesSvc; no ImagePath
S3 TuneUpUtilitiesDrv; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\user\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION
Task: {F4AACBBA-9B0E-47E6-9178-3BFFEE072D70} - \Uninstaller_SkipUac_Administrator -> No File <==== ATTENTION

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.


#21
January 8, 2016 at 19:21:21
Fix result of Farbar Recovery Scan Tool (x64) Version:07-01-2015
Ran by user (2016-01-08 22:12:10) Run:1
Running from C:\Users\user\Desktop
Loaded Profiles: user (Available Profiles: user & Arleen)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
GroupPolicy: Restriction - Chrome <======= ATTENTION
GroupPolicyScripts: Restriction <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://optimum.net/
SearchScopes: HKLM-x32 -> {FCD0B440-9668-4F0C-A3B9-F057CE450973} URL = hxxp://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> DefaultScope {F463C197-90EE-448D-83A4-474AECACDBAD} URL = hxxp://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
SearchScopes: HKU\S-1-5-21-2277337054-3082054672-1405126948-1000 -> {F463C197-90EE-448D-83A4-474AECACDBAD} URL = hxxp://search.aol.com/aol/search?q={searchTerms}&s_it=clireset-ie
FF Keyword.URL: hxxp://aolsearch.aol.com/aol/search?invocationType=client_searchbox&query=
FF Extension: AOL Toolbar - C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xhdl6odd.default-1408823845695\Extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1} [2016-01-02] [not signed]
FF HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\...\Firefox\Extensions: [ninjaloader@mail.com] - C:\Program Files (x86)\Ninja Loader\FireFox => not found
S3 InnovativeSolutions_monitor; C:\Program Files (x86)\Common Files\Innovative Solutions\Advanced Uninstaller\InnovativeSolutions_monitor_Svr.exe [X]
S3 MozillaMaintenance; "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" [X]
S2 NinjaLoaderService; no ImagePath
S2 TuneUp.UtilitiesSvc; no ImagePath
S3 TuneUpUtilitiesDrv; no ImagePath
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cpuz134; \??\C:\Users\user\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION
Task: {F4AACBBA-9B0E-47E6-9178-3BFFEE072D70} - \Uninstaller_SkipUac_Administrator -> No File <==== ATTENTION

Open FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.


*****************

Restore point was successfully created.
Processes closed successfully.
C:\windows\system32\GroupPolicy\Machine => moved successfully
C:\windows\system32\GroupPolicy\GPT.ini => moved successfully
"C:\windows\system32\GroupPolicy\Machine" => not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Search Page => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page => value removed successfully
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{FCD0B440-9668-4F0C-A3B9-F057CE450973}" => key removed successfully
HKCR\Wow6432Node\CLSID\{FCD0B440-9668-4F0C-A3B9-F057CE450973} => key not found.
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{F463C197-90EE-448D-83A4-474AECACDBAD}" => key removed successfully
HKCR\CLSID\{F463C197-90EE-448D-83A4-474AECACDBAD} => key not found.
Firefox "Keyword.URL" removed successfully
C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\xhdl6odd.default-1408823845695\Extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1} => moved successfully
HKU\S-1-5-21-2277337054-3082054672-1405126948-1000\Software\Mozilla\Firefox\Extensions\\ninjaloader@mail.com => value removed successfully
InnovativeSolutions_monitor => service removed successfully
MozillaMaintenance => service removed successfully
NinjaLoaderService => service removed successfully
TuneUp.UtilitiesSvc => service removed successfully
TuneUpUtilitiesDrv => service removed successfully
catchme => service removed successfully
cpuz134 => service removed successfully
Download Updater (AOL Inc.) (HKLM-x32\...\SoftwareUpdUtility) (Version: - AOL Inc.) <==== ATTENTION => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{F4AACBBA-9B0E-47E6-9178-3BFFEE072D70}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F4AACBBA-9B0E-47E6-9178-3BFFEE072D70}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Uninstaller_SkipUac_Administrator" => key removed successfully
Open FRST/FRST64 and press the Fix button just once and wait. => Error: No automatic fix found for this entry.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run. => Error: No automatic fix found for this entry.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply. => Error: No automatic fix found for this entry.
EmptyTemp: => 348.3 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 22:12:56 ====


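One way to triage a Fixlog like the one posted above, as an added example that is not part of the original thread and not FRST's own code: it separates the echoed fixlist from the result lines, counts the outcomes, and lists every entry that came back with "No automatic fix found". The sample log is constructed in the same layout, and treating the ATTENTION marker as the sign of a real scan-log entry (rather than stray text saved into fixlist.txt) is an assumption.

```python
import re
from collections import Counter

# Constructed sample, shortened, in the layout of the Fixlog posted above.
SAMPLE_FIXLOG = r'''Fix result of Farbar Recovery Scan Tool (x64)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Example: Restriction <======= ATTENTION
S2 ExampleService; no ImagePath
Example Updater (HKLM-x32\...\ExampleUpd) <==== ATTENTION
Open FRST/FRST64 and press the Fix button just once and wait.
*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Policies\Example" => key removed successfully
C:\Windows\System32\Drivers\etc\hosts => moved successfully
Hosts restored successfully.
HKCR\CLSID\{00000000-0000-0000-0000-000000000000} => key not found.
ExampleService => service removed successfully
Example Updater (HKLM-x32\...\ExampleUpd) <==== ATTENTION => Error: No automatic fix found for this entry.
Open FRST/FRST64 and press the Fix button just once and wait. => Error: No automatic fix found for this entry.
EmptyTemp: => 348.3 MB temporary data Removed.

The system needed a reboot.

==== End of Fixlog 22:12:56 ====
'''

SEPARATOR = re.compile(r'^\*{5,}\s*$')              # line of asterisks
ATTENTION = re.compile(r'\s*<=+\s*ATTENTION\s*$')   # marker copied from the scan log


def split_sections(text):
    """Return (fixlist_lines, result_lines); blank lines and the header are dropped."""
    fixlist, results, seps = [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            seps += 1
            continue
        if line.startswith('==== End of Fixlog'):
            break
        if not line:
            continue
        if seps == 1:        # between the two asterisk lines: echoed fixlist.txt
            fixlist.append(line)
        elif seps >= 2:      # after the second one: what the tool actually did
            results.append(line)
    return fixlist, results


def classify(line):
    """Map one result line to (target, outcome_class)."""
    target, sep, outcome = line.rpartition(' => ')
    if not sep:              # status lines such as "Hosts restored successfully."
        target, outcome = '', line
    low = outcome.lower()
    if low.startswith('error'):
        cls = 'error'
    elif 'not found' in low:
        cls = 'not_found'
    elif 'success' in low or low.endswith('removed.'):
        cls = 'changed'
    else:
        cls = 'other'
    return target.strip().strip('"'), cls


def triage(text):
    """Summarise a Fixlog: outcome counts plus the entries that need a human look."""
    _, results = split_sections(text)
    counts = Counter()
    unfixed_flagged, unfixed_other, not_found = [], [], []
    for line in results:
        target, cls = classify(line)
        counts[cls] += 1
        if cls == 'error':
            # Assumption: an ATTENTION marker means the line came from a scan log,
            # so the item still exists and needs manual follow-up. Anything else
            # is probably text that was saved into fixlist.txt by mistake.
            if ATTENTION.search(target):
                unfixed_flagged.append(ATTENTION.sub('', target))
            else:
                unfixed_other.append(target)
        elif cls == 'not_found':
            not_found.append(target)
    return {
        'counts': dict(counts),
        'unfixed_flagged': unfixed_flagged,
        'unfixed_other': unfixed_other,
        'not_found': not_found,
        'reboot_required': any('needed a reboot' in l.lower() for l in results),
    }


if __name__ == '__main__':
    for key, value in triage(SAMPLE_FIXLOG).items():
        print(f'{key}: {value}')
```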

#22
January 8, 2016 at 19:56:28
Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to have and use outdated versions on the computer.
Run the tool by right-clicking the DelFix icon and choosing the Run as administrator option.
Make sure that these are checked:
Activate UAC (optional; some users prefer to keep it off)
Remove disinfection tools
Create registry backup
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
The tool will create a report for you (C:\DelFix.txt).

#23
January 8, 2016 at 20:17:31
# DelFix v1.011 - Logfile created 08/01/2016 at 23:16:42
# Updated 18/08/2015 by Xplode
# Username : user - USER-HP
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\RegBackup
Deleted : C:\ComboFix.txt
Deleted : C:\Users\user\Desktop\Addition.txt
Deleted : C:\Users\user\Desktop\Fixlog.txt
Deleted : C:\Users\user\Desktop\frst.txt
Deleted : C:\Users\user\Desktop\FRST64.exe
Deleted : C:\Users\user\Downloads\Addition.txt
Deleted : C:\Users\user\Downloads\AdwCleaner (1).exe
Deleted : C:\Users\user\Downloads\AdwCleaner (2).exe
Deleted : C:\Users\user\Downloads\AdwCleaner (3).exe
Deleted : C:\Users\user\Downloads\AdwCleaner (4).exe
Deleted : C:\Users\user\Downloads\AdwCleaner (5).exe
Deleted : C:\Users\user\Downloads\AdwCleaner.exe
Deleted : C:\Users\user\Downloads\ComboFix(2).exe
Deleted : C:\Users\user\Downloads\ComboFix.exe
Deleted : C:\Users\user\Downloads\esetsmartinstaller_enu (1).exe
Deleted : C:\Users\user\Downloads\esetsmartinstaller_enu (2).exe
Deleted : C:\Users\user\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\user\Downloads\JRT (1).exe
Deleted : C:\Users\user\Downloads\JRT (2).exe
Deleted : C:\Users\user\Downloads\JRT (3).exe
Deleted : C:\Users\user\Downloads\JRT.exe
Deleted : C:\Users\user\Downloads\RogueKiller (1).exe
Deleted : C:\Users\user\Downloads\RogueKiller (2).exe
Deleted : C:\Users\user\Downloads\RogueKiller (3).exe
Deleted : C:\Users\user\Downloads\RogueKiller (4).exe
Deleted : C:\Users\user\Downloads\RogueKiller (5).exe
Deleted : C:\Users\user\Downloads\RogueKiller (6).exe
Deleted : C:\Users\user\Downloads\RogueKiller (7).exe
Deleted : C:\Users\user\Downloads\RogueKiller (8).exe
Deleted : C:\Users\user\Downloads\RogueKiller.exe
Deleted : C:\windows\grep.exe
Deleted : C:\windows\PEV.exe
Deleted : C:\windows\NIRCMD.exe
Deleted : C:\windows\MBR.exe
Deleted : C:\windows\SED.exe
Deleted : C:\windows\SWREG.exe
Deleted : C:\windows\SWSC.exe
Deleted : C:\windows\SWXCACLS.exe
Deleted : C:\windows\Zip.exe
Deleted : HKLM\SOFTWARE\AdwCleaner
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

########## - EOF - ##########


#24
January 8, 2016 at 21:01:09
Ok, finished, let me know if you have any more issues.

#25
January 9, 2016 at 06:27:59
Thanks John. You are the best.

Warren

