8 steps completed logs attached


Rollsroyce

I have been through your 8 steps to remove things from my sons computer. The links in web pages open random ads and not the links they should be opening.

I attach the 3 logs, if anyone can help me further I would be very grateful.
 

Attachments

  • GMER.LOG (6.7 KB)
  • DDS.txt (5.6 KB)
  • Attach.txt (8.1 KB)
Welcome to TechSpot, Rollsroyce. I'll help with the malware. While I finish checking these logs, please do the following:

Please download ComboFix from HERE and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  4. If Combofix asks you to install Recovery Console, please allow it.
  5. If Combofix asks you to update the program, always allow.
  6. Close any open browsers and Double click on combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix.
==================================
Folder, Download and Scan with HijackThis:
STEPS For Creating Folder
  1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.
  2. Download HijackThis HERE to the new folder
  3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.
  4. Close ALL windows except HJT
  5. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')
  6. PASTE the log into your next reply using Ctrl-V to 'paste'.
Please make sure you post the entire log including the top portion:
=========================
Please do not run any other cleaning program or scans while I am helping you, unless I instruct you to. Do Not use a Registry cleaner or make any changes in the Registry.
 
Whoops! Didn't see your post Broni while I was putting mine together.

Rolls, please run Malwarebytes per our steps and then proceed with the Combofix and HijackThis. One of us will work with you.
 
8 steps completed further logs attached

Thank you for helping me, sorry for the delay, I have attached my 'combofix' and 'Hijack this' logs.

Any help you can give me would be great.

Regards
 

Attachments

  • logcombofix.txt (11.8 KB)
  • hijackthis.log (4.1 KB)
Thank you. It appears that his searches are being directed to a site in the Ukraine. If you had run Malwarebytes, it likely would have shown up as a DNS Changer malware infection. Please print out and follow these instructions:

1. Run Malwarebytes first; that was the log you omitted: See Step 4 HERE

2. You will need to do a DNS Flush, then reset your router.
Start> Run> type cmd> enter> at the C prompt type ipconfig /flushdns (note space before the /)

Exit the Command prompt when finished and shut the system down.

  1. Shut down your computer, and any other computer connected to your router.
  2. On the back of the router, there should be a small hole or button labelled RESET. Using a bent paper clip or similar item, hold that in continuously for twenty seconds.
  3. Unplug the router. Wait sixty seconds.
  4. Now holding again the reset button, plug it back in. Continue holding the reset button for twenty seconds. Unplug the router again.
  5. With the router unplugged, start your computer. Run MBAM again.
  6. Connect to the router again. Then turn the router back on.
  7. When it stabilizes, reboot your workstation and try to access the internet. If you have any issues, access the Router configuration page and re-enter your authentication information.
  8. Reboot the system and test the internet. You may have to reconfigure the router settings based on your setup.

Please leave both Mbam logs in your next reply. I will handle the next step after this has been done.
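An added example, not from this thread and not part of any of the tools named in it: the responder above identifies the redirects as a DNS changer infection from the logs. The Python script below shows how the same condition can be checked directly by parsing the output of ipconfig /all and flagging any DNS server that is not on the home network. The ipconfig output embedded in it is constructed, and the allow-list (private address ranges only) is an assumption; on a real machine you would add your ISP's resolvers to it and feed it the real output.

```python
"""Flag DNS servers in `ipconfig /all` output that are not on the home network.

Added example; not from the thread. Detection only: it changes nothing.
"""
import ipaddress
import re

# Constructed sample of `ipconfig /all` output. The first DNS server is the
# router; the second is a public address the router never handed out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : FAMILY-PC

Ethernet adapter Wireless Network Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.5
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.77
"""

# Assumption: on a home network the only acceptable resolvers are on the LAN
# (the router) or otherwise private. Add your ISP's resolvers here if the
# router hands those out directly.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# A continuation line holds nothing but an IPv4 address.
ADDR_ONLY_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_dns_servers(text):
    """Return every address listed under 'DNS Servers', in order.

    ipconfig prints the first server on the labelled line and any further
    servers on their own indented lines, so continuation lines are collected
    until a line that is not a bare address appears.
    """
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            value = line.partition(":")[2].strip()
            if value:
                servers.append(value)
            continue
        if in_dns_block:
            match = ADDR_ONLY_RE.match(line)
            if match:
                servers.append(match.group(1))
                continue
            in_dns_block = False
    return servers


def find_unexpected_dns(servers, allowed=ALLOWED_NETWORKS):
    """Return the servers that fall outside every allowed network.

    Anything unparsable is reported too: a resolver entry that is not a
    valid address is itself worth a look.
    """
    unexpected = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            unexpected.append(server)
            continue
        if not any(addr in net for net in allowed):
            unexpected.append(server)
    return unexpected


if __name__ == "__main__":
    # On a real machine: run `ipconfig /all > ipconfig.txt` and read that file.
    found = parse_dns_servers(SAMPLE_IPCONFIG)
    print("DNS servers:", found)
    for server in find_unexpected_dns(found):
        print("UNEXPECTED resolver (not on the home network):", server)
```

Running it on the sample lists both resolvers and reports 203.0.113.77 as unexpected. After the flush and router reset described above, the same check run on fresh ipconfig output should come back empty; if a public resolver reappears on its own, the router or the machine is still handing it out.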
 
Mbam logs attached

Thanks so much for your time with regards this.
 

Attachments

  • mbam-log-2010-04-27 (12-41-47).txt (1,016 bytes)
  • mbam-log-2010-04-27 (13-29-08).txt (1.5 KB)
Rolls, when you run Malwarebytes, there is a line you are supposed to check to remove what is found. You didn't check that, so all of the entries show "No Action Taken." Usually I would have you update the program and run it again with this checked. But in this case, it doesn't matter because all of the adware is in System Volume, which is the system restore points. I will have you drop those when we're finished. But for now, understand that you should not use the system restore feature as you could reinfect the machine.
=========================
Custom CFScript

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

Code:
File::
c:\Documents and Settings\Administrator\temp\TeamViewer\Version5\TeamViewer.exe

Folder::
c:\program files\iNetFormFiller Trial
c:\documents and settings\Administrator\Application Data\iNetFormFiller

Registry::
RegLock::
[HKEY_USERS\S-1-5-21-790525478-152049171-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Then Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Leave new Combofix report and Eset log in next reply.

Did you do the DNS Flush and the router reset? Have you noticed any difference in the system?
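An added example, not part of this thread and not ComboFix's own code: the CFScript above uses the section format (File::, Folder::, RegLock::, FCopy:: and so on) that ComboFix reads, and its FCopy line copies the Service Pack copy of atapi.sys over the one in system32\drivers. The Python below parses that format into its sections and hashes each FCopy source/destination pair, so whoever is helping can see, before the script runs or afterwards, whether the two files actually differ. The script text is the one from the post; the temporary files used to demonstrate the hash comparison are constructed and stand in for the real driver paths.

```python
"""Parse a ComboFix CFScript and hash-check its FCopy pairs.

Added example; neither the thread's nor ComboFix's own code. It only reads
and hashes files, it never copies or deletes anything.
"""
import hashlib
import os
import re
import tempfile

# The script from the post above, embedded here for parsing.
THREAD_CFSCRIPT = r"""
File::
c:\Documents and Settings\Administrator\temp\TeamViewer\Version5\TeamViewer.exe

Folder::
c:\program files\iNetFormFiller Trial
c:\documents and settings\Administrator\Application Data\iNetFormFiller

Registry::
RegLock::
[HKEY_USERS\S-1-5-21-790525478-152049171-1417001333-500\Software\Microsoft\Internet Explorer\User Preferences]

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\WINDOWS\system32\drivers\atapi.sys
"""

# A section header is a bare word followed by two colons, e.g. "FCopy::".
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")


def parse_cfscript(text):
    """Return {section_name: [entry, ...]} in the order the sections appear.

    Blank lines are ignored; a header immediately followed by another header
    (Registry:: in the post above) comes out with an empty entry list.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def fcopy_pairs(sections):
    """Split each 'source | destination' FCopy entry into a (src, dst) tuple."""
    pairs = []
    for entry in sections.get("FCopy", []):
        src, sep, dst = entry.partition("|")
        if not sep:
            raise ValueError(f"FCopy entry without '|': {entry!r}")
        pairs.append((src.strip(), dst.strip()))
    return pairs


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_fcopy(pairs):
    """For each pair, say whether the destination already matches the source.

    'differs' means the copy would replace the destination's contents (the case
    the FCopy line exists for); 'identical' means it would be a no-op.
    """
    report = []
    for src, dst in pairs:
        item = {"src": src, "dst": dst}
        if not os.path.isfile(src):
            item["status"] = "source missing"
        elif not os.path.isfile(dst):
            item["status"] = "destination missing"
        else:
            item["src_sha256"] = sha256_of(src)
            item["dst_sha256"] = sha256_of(dst)
            item["status"] = "identical" if item["src_sha256"] == item["dst_sha256"] else "differs"
        report.append(item)
    return report


def demo_with_constructed_files():
    """Run check_fcopy on constructed stand-in files; return the status strings."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "atapi_clean.sys")      # stands in for the ServicePackFiles copy
        patched = os.path.join(tmp, "atapi_patched.sys")  # stands in for an altered drivers copy
        same = os.path.join(tmp, "atapi_same.sys")        # stands in for an untouched drivers copy
        missing = os.path.join(tmp, "atapi_missing.sys")  # never created
        for path, content in ((clean, b"CONSTRUCTED clean driver image"),
                              (patched, b"CONSTRUCTED driver image with altered bytes"),
                              (same, b"CONSTRUCTED clean driver image")):
            with open(path, "wb") as f:
                f.write(content)
        report = check_fcopy([(clean, patched), (clean, same), (clean, missing)])
    return [item["status"] for item in report]


if __name__ == "__main__":
    sections = parse_cfscript(THREAD_CFSCRIPT)
    for name, entries in sections.items():
        print(f"{name}:: ({len(entries)} entries)")
    print("FCopy pairs:", fcopy_pairs(sections))
    print("Constructed-file check:", demo_with_constructed_files())
```

On the real machine you would pass the pairs from fcopy_pairs() straight to check_fcopy(): a result of "differs" before ComboFix runs and "identical" afterwards is the evidence that the FCopy line did what it was written to do, and "destination missing" or "source missing" tells you why a ComboFix log might report that it could not find something.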
 
Eset report and combofix report

Hi
Yes definitely noticed a difference, not opening random windows anymore. However wireless connection lost for 24 hours, not sure if this had something to do with reports I have been running, but deleted Malaware and it started again (just for your info).

I have attached the reports, but its running so much faster anyway, so thank you.

The Eset did not provide me with a report.

Regards
Maria
 

Attachments

  • combofixlog2.txt (12.7 KB)
I can't think of any reason what we have been doing would cause you to lose the wireless connection. And although I usually don't believe in coincidences, it is more likely one when you removed Mbam and the connection was restored. The ISP could have been down, there could have been line trouble, etc.

The Combofix report you left is not the one that was created after you ran the script. I need that one.
When finished, it will produce a log for you at C:\ComboFix.txt .

I wrote a script to open a locked registry key and there is no change in that. The script report will show me what was removed and/or if something couldn't be found or removed.

As soon as I see these, if they are clean, I'll have you remove the cleaning tools and the logs they created.

And the Eset scan should produce a log here whether it finds anything or not:
C:\Program Files\EsetOnlineScanner\log.txt
 