Removal of virus has blocked internet. PLEASE PLEASE HELP

ChronicX · 24 Jun 2015

Latest SysLook info.

"SystemLook 30.07.11 by jpshortstuff
Log created at 12:08 on 24/06/2015 by user
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*plsapp*"
C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\plsapp64.dll --a---- 439296 bytes [21:33 27/05/2015] [21:33 27/05/2015] 33948FF6D642994C5831809F3234F30A
C:\Users\user\Desktop\FIX\BackupPLSAPP\plsapp64bu.dll --a---- 439296 bytes [07:02 22/06/2015] [03:41 14/11/2013] 83B88B7DDB5F2031F6DC9DEC742AFEAE
C:\Users\user\Desktop\FIX\BackupPLSAPP\plsappbu.dll --a---- 354592 bytes [07:02 22/06/2015] [23:12 23/01/2014] 40B9FD5561C83D37F904848F96471ED8

========== regfind ==========

Searching for "PureLeads"
[HKEY_LOCAL_MACHINE\SOFTWARE\Dyn\Installed]
"PureLeads"="PureLeads"
[HKEY_LOCAL_MACHINE\SOFTWARE\PureLeads]
[HKEY_LOCAL_MACHINE\SOFTWARE\PureLeads]
"InstallDir"="C:\Program Files (x86)\PureLeads"
[HKEY_LOCAL_MACHINE\SOFTWARE\PureLeads]
"SilverTipURL"="l.pureleads.com"

-= EOF =-"

cottonball · 24 Jun 2015

CX,

This is incredible.

Two of those entries are your backups (I think), but the rest of the entries just wont go away.

Let's go directly to the Registry.

First, let's back up: HKEY_LOCAL_MACHINE\SOFTWARE

Using this Tutorial by Brink, select Option One, Method Two: Registry - Backup and Restore

Back up: SOFTWARE

4. To Export a Registry KEY Branch
NOTE: This will allow you to backup the entire selected KEY branch under a HKEY with all of it's subkeys and key values to a .reg file as a backup.

Press the Windows key, and the R key
In the Run prompt, type in: regedit

When the Registry opens, go to the left of: HKEY_LOCAL_MACHINE\, and click the triangle on the left to expand the Key.
Next, click to expand: SOFTWARE
Click to expand Dyn > Installed

When you get to Installed, on the right side, look for: PureLeads
Highlite and right click on it, and select: Delete
OK any prompt that appears.

Next, get to HKEY_LOCAL_MACHINE\SOFTWARE\PureLeads
Highlite and right-click on PureLeads, and Delete
OK the action.

Close the Registry window.

Now, right-click the Windows orb on the Taskbar, and select: Open Windows Explorer
Go to C:\Program Files (x86)\PureLeads and delete the PureLeads folder
Do not delete the C:\Program Files (x86)\ folder!!!!!!

Next, please download System Restore Explorer:
System Restore Explorer | Nic's Blog

Scroll down to where it says History, and right above that, it says: "If you’d like to give System Restore Explorer a try then you can download it here..."

Download the program to the Desktop, and double-click the icon created to install the program.
Follow the prompts and Finish.

When the program opens, uncheck: Hide Restore Points created in the last 5 days

Look at the Restore Point (RP) dates, and select any that has a date around 27/05/2015.

Select/highlite the RP and press: Mount
The tool creates a shortcut opening a window to the particular RP and allows you to browse the RP contents.

Check for one that contains: plsapp64.dll

When you find the file, X out of the RP Window, and, back at the program console, click: Unmount

Now, highlite the same Restore Point were you found the file, and select: Delete
Close out of the program.

Restart the computer.

Run SystemLook again, and let's see what it shows.

Sure hope this will do it.

ChronicX · 24 Jun 2015

Notice in the registry how the Pure Leads file is in a folder that was not identified in scans and the areas where it supposed to be is not there.

ChronicX · 24 Jun 2015

I also found a folder called Pure Leads inside that same folder circled above. I deleted entries/folders. Restarting and then will run syslook.

ChronicX · 24 Jun 2015

This is a good sign but I seem to not be able to access the System Information Folder that houses the final DLL.?

ChronicX · 24 Jun 2015

Ooops! "SystemLook 30.07.11 by jpshortstuff
Log created at 16:17 on 24/06/2015 by user
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*plsapp*"
C:\System Volume Information\SystemRestore\FRStaging\Windows\System32\plsapp64.dll --a---- 439296 bytes [21:33 27/05/2015] [21:33 27/05/2015] 33948FF6D642994C5831809F3234F30A
C:\Users\user\Desktop\FIX\BackupPLSAPP\plsapp64bu.dll --a---- 439296 bytes [07:02 22/06/2015] [03:41 14/11/2013] 83B88B7DDB5F2031F6DC9DEC742AFEAE
C:\Users\user\Desktop\FIX\BackupPLSAPP\plsappbu.dll --a---- 354592 bytes [07:02 22/06/2015] [23:12 23/01/2014] 40B9FD5561C83D37F904848F96471ED8

========== regfind ==========

Searching for "PureLeads"
No data found.

-= EOF =-"

ChronicX · 24 Jun 2015

I dug my way into the System V. Info folder and quarantined and deleted the last .dll. Lookee!

"SystemLook 30.07.11 by jpshortstuff
Log created at 16:48 on 24/06/2015 by user
Administrator - Elevation successful
WARNING: SystemLook running under WOW64. Use SystemLook_x64 for accurate results.

========== filefind ==========

Searching for "*plsapp*"
C:\Users\user\Desktop\FIX\BackupPLSAPP\plsapp64bu.dll --a---- 439296 bytes [07:02 22/06/2015] [03:41 14/11/2013] 83B88B7DDB5F2031F6DC9DEC742AFEAE
C:\Users\user\Desktop\FIX\BackupPLSAPP\plsappbu.dll --a---- 354592 bytes [07:02 22/06/2015] [23:12 23/01/2014] 40B9FD5561C83D37F904848F96471ED8

========== regfind ==========

Searching for "PureLeads"
No data found.

-= EOF =-"

The remaining other two files are just back up files I created in case of emergency.

cottonball · 24 Jun 2015

Excellent!!!

Great job, ChronicX!!!

One more thing, please.
Remove the backup copies of plsapp64.dll that you saved.

Then, download a new copy of SystemLook: Here

Do the same search as before:

Code:

:filefind
*plsapp*
 
:regfind
PureLeads

Please post the results.

I dug my way into the System V. Info folder and quarantined and deleted the last .dll

Would you mind sharing what you had to do? It may help someone else.

Did System Restore Explorer help you?

ChronicX · 24 Jun 2015

SystemLook 30.07.11 by jpshortstuff
Log created at 19:40 on 24/06/2015 by user
Administrator - Elevation successful

========== filefind ==========

Searching for "*plsapp*"
No files found.

Searching for " "
No files found.

========== regfind ==========

Searching for "PureLeads"
No data found.

-= EOF =-

Hey, Cottonball, above is the hopefully, final SystemLook report you have to look at (from me) for now. LOL

To answer your question, I used REGEDIT to search. When I used Windows Explorer to search, the remaining files were just not identified, SystemLook saw them but the paths were wrong, so as a last ditch effort I searched using REGEDIT and that exposed where the final DLLs were hiding. I didn't actually get to using System Restore Explorer as after the REGEDIT search, I knew where to aim... and the shots hit. :)

ChronicX · 24 Jun 2015