Solved Infected after installing a bogus adblocker; can't run DDS (Step 3)

1. Yes. You'd use "add exclusion" if MBAM wanted to quarantine some file you know is good.

2. Let's run quick fix with FRST.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST(FRST64) and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
 

I didn't realize it but MBAM was still open and showing me a list of things it found, but somehow that crashed and I ended up deciding to terminate it.

I figure there's no harm if I just show you its latest log before proceeding with FRST, as long as I don't yet tell MBAM to do anything, right? Here's MBAM's latest log. Please let me know which of the two following things I should do first: A. click in MBAM on "Apply Actions" (note: right now the default for everything it found is "Ignore Once." Should I change it to "Quarantine?") or B. do nothing with MBAM and just proceed to FRST?

Thanks.

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/16/2014
Scan Time: 1:54:59 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.16.04
Rootkit Database: v2014.12.14.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: David

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 410170
Time Elapsed: 6 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Warn

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.WebGuard.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WebGuard, , [839ab4afe597171f2d572fa432cfbe42],
PUP.Optional.SearchProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}, , [0a13352e1666fe38ba7fce0047bd0bf5],
PUP.Optional.SearchProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{cf2797aa-b7ec-e311-8ed9-005056c00008}, , [1607e57e2656e3539d9b2ea039cb7b85],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.WebGuard.A, C:\Users\David\AppData\Local\WebGuard, , [68b5f0734438ee48b2a12638f60d53ad],
PUP.Optional.ContentExplorer.A, C:\Users\David\AppData\Roaming\ContentExplorer, , [54c9382bf488f24437287e0821e2d729],

Files: 12
PUP.Optional.WebGuard.A, C:\ProgramData\cINFpU\dat\dVzZUYtqv.exe, , [c35a224192eafd394c380fc4fe03d927],
PUP.Optional.WebGuard.A, C:\ProgramData\WebGuard\uninstall.exe, , [839ab4afe597171f2d572fa432cfbe42],
PUP.Optional.WebGuard.A, C:\Users\David\AppData\Local\WebGuard\data2.dat, , [68b5f0734438ee48b2a12638f60d53ad],
PUP.Optional.CalcIt.A, C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_websearch.calcitapp.info_0.localstorage, , [24f933300973a78fbd6cf57bff048c74],
PUP.Optional.CalcIt.A, C:\Users\David\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_websearch.calcitapp.info_0.localstorage-journal, , [0a13b9aa631903330227eb85b54e34cc],
PUP.Optional.ContentExplorer.A, C:\Users\David\AppData\Roaming\ContentExplorer\ContentExplorer.exe, , [d845b2b1c2bab4820955f98d857eef11],
PUP.Optional.ContentExplorer.A, C:\Users\David\AppData\Roaming\ContentExplorer\RootCert.cer, , [54c9382bf488f24437287e0821e2d729],
PUP.Optional.ContentExplorer.A, C:\Users\David\AppData\Roaming\ContentExplorer\loader.dat, , [54c9382bf488f24437287e0821e2d729],
PUP.Optional.ContentExplorer.A, C:\Users\David\AppData\Roaming\ContentExplorer\makecert.exe, , [54c9382bf488f24437287e0821e2d729],
PUP.Optional.ContentExplorer.A, C:\Users\David\AppData\Roaming\ContentExplorer\storage.bin, , [54c9382bf488f24437287e0821e2d729],
PUP.Optional.ContentExplorer.A, C:\Users\David\AppData\Roaming\ContentExplorer\uninstall.exe, , [54c9382bf488f24437287e0821e2d729],
PUP.Optional.SearchProtect, C:\Windows\apppatch\Custom\Custom64\{cf2797aa-b7ec-e311-8ed9-005056c00008}.sdb, , [d845c3a0a1dbe94ddb61ce0084809868],

Physical Sectors: 0
(No malicious items detected)


(end)
 
Ok, I did. And now I've run FRST:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 14-12-2014 01
Ran by David at 2014-12-16 16:19:11 Run:2
Running from C:\Users\David\Desktop
Loaded Profile: David (Available profiles: David & William & Minhee)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
(Macrovision Corporation) C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
HKU\S-1-5-21-877737628-3122474596-3873684844-1001\...\Run: [ISUSPM] => C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe [226904 2007-07-12] (Macrovision Corporation)
C:\ProgramData\Macrovision\FLEXnet Connect

*****************

[4676] C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe => Process closed successfully.
HKU\S-1-5-21-877737628-3122474596-3873684844-1001\Software\Microsoft\Windows\CurrentVersion\Run\\ISUSPM => value deleted successfully.

"C:\ProgramData\Macrovision\FLEXnet Connect" directory move:

C:\ProgramData\Macrovision\FLEXnet Connect\6\agent.exe => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\dwusplay.dll => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\dwusplay.exe => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISDM.exe => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\issch.exe => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\isusweb.dll => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\_ispmres.dll => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\_isusres.dll => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\about.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\authFailed.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\avlupdates.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\checkfor.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\checking.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\getall.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\help.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\history.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\InstallInstr.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\notconnected.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\security.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\settings.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\toaster.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\ToasterStyle.css => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\toaster_multiple.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\um.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\umbcpc.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\updatecomplete.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\UpdaterStyle.css => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\updates.htm => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\resource.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1026.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1027.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1028.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1029.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1030.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1031.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1032.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1033.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1034.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1035.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1036.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1038.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1040.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1041.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1042.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1043.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1044.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1045.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1046.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1048.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1049.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1050.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1051.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1053.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1054.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1055.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1057.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1060.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings1069.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings2052.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings2070.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings2074.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\lang\strings3084.js => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\content_background.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\content_back_alert.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\content_back_standard.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\content_back_update.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\critical_icon.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\d.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\dotted_line_218.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\empty_progress.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\header_background.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\help_logo.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_about.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_archive.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_close.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_help.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_instructions.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_settings.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_shield.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_update.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_update_checking.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_view.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\icon_web.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\important_icon.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\install_button.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\list_header_back.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\logo.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\minor_icon.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\round_submit_button.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\sec_nav_back.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\separator.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\Thumbs.db => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\top_background.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\top_nav_back.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\u.gif => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\6\ui\images\update_header.jpg => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\11\agent.exe => Moved successfully.
C:\ProgramData\Macrovision\FLEXnet Connect\11\_isusres.dll => Moved successfully.
Could not move "C:\ProgramData\Macrovision\FLEXnet Connect" directory. => Scheduled to move on reboot.


=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-12-16 16:20:13)<=

C:\ProgramData\Macrovision\FLEXnet Connect => Is moved successfully.

==== End of Fixlog ====
 
Last scans...

Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive UNSUPPORTED OPERATING SYSTEM! ABORTED! message restart computer and Security Check should run


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.

Download Sophos Free Virus Removal Tool and save it to your desktop.
  • Double click the icon and select Run
  • Click Next
  • Select I accept the terms in this license agreement, then click Next twice
  • Click Install
  • Click Finish to launch the program
  • Once the virus database has been updated click Start Scanning
  • If any threats are found click Details, then View log file... (bottom left hand corner)
  • Copy and paste the results in your reply
  • Close the Notepad document, close the Threat Details screen, then click Start cleanup
  • Click Exit to close the program
 
Results of screen317's Security Check version 0.99.93
x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Windows Defender
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java 7 Update 67
Java 8 Update 25
Java version 32-bit out of Date!
Adobe Flash Player 16.0.0.235
Adobe Reader XI
Mozilla Firefox (34.0.5)
Google Chrome (39.0.2171.71)
Google Chrome (39.0.2171.95)
````````Process Check: objlist.exe by Laurent````````
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbam.exe
Malwarebytes Anti-Malware mbamscheduler.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastui.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
 
Farbar Service Scanner Version: 21-07-2014
Ran by David (administrator) on 16-12-2014 at 20:49:58
Running from "C:\Users\David\Desktop"
Microsoft Windows 8.1 (X64)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.

Windows Firewall:
=============
Firewall Disabled Policy:
==================

System Restore:
============
System Restore Disabled Policy:
========================

Action Center:
============

Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Demand. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.

Windows Autoupdate Disabled Policy:
============================

Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend: ""%ProgramFiles%\Windows Defender\MsMpEng.exe"".

Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1

Other Services:
==============

File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\dhcpcore.dll => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MsMpEng.exe => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed

**** End of log ****
 
Your computer is clean

1. This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:
  • Activate UAC (optional; some users prefer to keep it off)
  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore
  • Reset system settings
Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.

2. Make sure Windows Updates are current.

3. If any trojans, rootkits or bootkits were listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

4. Check if your browser plugins are up to date.
Firefox - https://www.mozilla.org/en-US/plugincheck/
other browsers: https://browsercheck.qualys.com/ (click on "Scan without installing plugin" and then on "Scan now")

5. Download, and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC), AdwCleaner and Junkware Removal Tool (JRT) weekly (you need to redownload these tools since they were removed by DelFix).

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click "Next" button without looking at any given page.

11. Read:
How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html
Simple and easy ways to keep your computer safe and secure on the Internet: http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
About those Toolbars and Add-ons - Potentially Unwanted Programs (PUPs) which change your browser settings: http://www.bleepingcomputer.com/for...curity-questions-best-practices/#entry3187642

12. Please, let me know, how your computer is doing.
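
Step 3 above depends on what kinds of detections the scans listed. As an added example (not part of the original thread, and not code from Malwarebytes), this parser reads the MBAM log format posted earlier, checks each section's declared count against the lines actually pasted, and groups detections by category. Treating the name prefixes `Trojan`, `Rootkit` and `Bootkit` as the categories step 3 refers to is an assumption.

```python
import re
from collections import defaultdict

# Three complete sections copied from the MBAM log posted earlier in the thread.
SAMPLE_LOG = r"""
Processes: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.WebGuard.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WebGuard, , [839ab4afe597171f2d572fa432cfbe42],
PUP.Optional.SearchProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}, , [0a13352e1666fe38ba7fce0047bd0bf5],
PUP.Optional.SearchProtect, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{cf2797aa-b7ec-e311-8ed9-005056c00008}, , [1607e57e2656e3539d9b2ea039cb7b85],

Folders: 2
PUP.Optional.WebGuard.A, C:\Users\David\AppData\Local\WebGuard, , [68b5f0734438ee48b2a12638f60d53ad],
PUP.Optional.ContentExplorer.A, C:\Users\David\AppData\Roaming\ContentExplorer, , [54c9382bf488f24437287e0821e2d729],
"""

# Section names as they appear in the log; other "Key: number" lines
# (e.g. "Objects Scanned: 410170") are not detection sections.
SECTIONS = {"Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors"}
HEADER_RE = re.compile(r"^([A-Za-z ]+): (\d+)$")
# Detection line: "<name>, <path>, <action or empty>, [<32 hex chars>],"
ITEM_RE = re.compile(r"^(?P<name>[^,]+), (?P<path>.+), (?P<action>[^,]*), "
                     r"\[(?P<id>[0-9a-f]{32})\],$")
# Assumption: name prefixes standing for the categories listed in step 3.
CREDENTIAL_RISK = {"trojan", "rootkit", "bootkit"}


def parse_mbam_log(text):
    """Return {section: {"declared": int, "items": [dict, ...]}}."""
    parsed, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header and header.group(1) in SECTIONS:
            current = header.group(1)
            parsed[current] = {"declared": int(header.group(2)), "items": []}
            continue
        item = ITEM_RE.match(line)
        if item and current:
            parsed[current]["items"].append(item.groupdict())
    return parsed


def count_mismatches(parsed):
    """Sections whose header count differs from the lines present,
    which indicates a truncated or hand-edited paste."""
    return sorted(s for s, v in parsed.items()
                  if v["declared"] != len(v["items"]))


def detections_by_category(parsed):
    """Group detection names by their first dotted component (e.g. 'PUP')."""
    grouped = defaultdict(set)
    for section in parsed.values():
        for item in section["items"]:
            grouped[item["name"].split(".", 1)[0]].add(item["name"])
    return dict(grouped)


def credential_risk(parsed):
    """True if any detection falls in a category where step 3 applies."""
    return any(cat.lower() in CREDENTIAL_RISK
               for cat in detections_by_category(parsed))


if __name__ == "__main__":
    log = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(log))
    for category, names in sorted(detections_by_category(log).items()):
        print(category, sorted(names))
    print("change passwords (step 3):", credential_risk(log))
```
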
 
All seems pretty good, thank you very much. A few weird things remain:

1. for some reason Internet Explorer only looks normal if I zoom in to about 225% (and then it looks like what 100% should look like).

2. Two of my three browsers (IE and Chrome) are still set to load to suspicious looking pages when I launch. I know how to change those settings, but I feel like pointing it out because, based on previous times I've come here for cleanings, I expected that all such stuff would have been wiped out. Maybe the cleaning apps we used are now fine-tuned instruments that don't change what they don't need to, and I'm not worried if you're not, and again, I know how to change my home pages, but in case it's useful, here are the pages that load: IE wants to go to "thanksforthedownload[dot]com" and Chrome wants to go to "trovi[dot]com" and "websearch[dot]calcitapp[dot]info," both of which started appearing as soon as I got infected.

Any thoughts? Otherwise I'm very pleased that my machine now seems "un-possessed!" Thank you!
 
Reset Internet Explorer.
Download Microsoft FixIt file from here: http://go.microsoft.com/?linkid=9646978
You can use ANY browser to download "FixIt" file.
Double click on downloaded MicrosoftFixit50195.msi file to run the fix.
Make sure you follow ALL steps listed there.


Reset Chrome...
Click on "Customize and control Google Chrome":

Click "Settings" then "Show advanced settings" at the bottom of the screen.
Click "Reset browser settings" button.
Restart Chrome.

If the above didn't help....

Reinstall Chrome...
If you want to save your bookmarks...
How to Backup Bookmarks in Google Chrome
If you want to save your passwords as well see here: http://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/
  • Close all Chrome windows and tabs.
  • Go to the Start menu > Control Panel. (Windows 8 users: Learn how to access the Control Panel)
  • Click Programs and Features.
  • Double-click Google Chrome.
  • Click Uninstall from the confirmation dialog. Delete your user profile information, like your browser preferences, bookmarks, and history, by selecting the "Also delete your browsing data" checkbox.
Install fresh copy.
 
Before I can do any of that, I have to report that now my computer won't connect to my wireless router at all. I don't have a cable to connect directly to my modem so I can't test that. My list of available wireless networks which is usually long is empty and says "no connections are available." And "Windows Network Diagnostics" fails to reveal anything at all. My Bluetooth mouse does work, in case that narrows anything down. Last thing I did with the machine was close it, which puts it to sleep.
 
Okay the guy at my local repair shop disabled the networking (maybe wireless?) hardware and then re-enabled it and that seems to have worked. (He didn't charge me, thankfully!) But before I do the next steps you posted above, let me just mention one other thing that was happening: a couple times when I tried to launch some native windows app (calculator and some other thing (I forget)), I got a message like "cannot launch this application while File Explorer is running with administrative privileges." After a restart, that problem went away, but I thought I should tell you.
 
When the above happens....

1. Press Ctrl + Shift + Esc. This opens the task manager.

2. Scroll down and right-click on Windows Explorer.

3. Click on Restart.
 