Computer locked up with a virus!!

07 Jun 2015   #1

Windows 7 Home Premium
Computer locked up with a virus!!

I think I have a big-time virus. I'm on an HP laptop running Windows 7. As soon as I go online I get a pop-up: "WARNING! Your computer may be highly infected!" It goes on to tell me to call a 1-800 number right away. I know it's a scam. But I can't get rid of this thing! I tried running panda and malware. Deleted the explorer file in safe mode. It just recreated itself on start up. The file that is causing this mayhem is softput.xx/virus-alert. Anyone run into this? Any ideas how to neutralize it? Thanks

07 Jun 2015   #2

Hello Going4joe and welcome to Seven Forums.

I'm not a security expert. Hopefully one of the Forum experts will join in with better information. In the meantime, see if you can run the free Malwarebytes Chameleon. It might be able to remove the softput files.
07 Jun 2015   #3

Windows 7 Home Premium


Please use the tool: Zoek

First, temporarily disable your AV program.
Info on how to disable your security applications > How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides

Zoek Download >

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator (Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
ipconfig /flushdns;b
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.

Also, please provide an update on how the computer is behaving after running the above script.

If the window labeled "Windows Firewall", which asks you to call a number to remove viruses from the computer and is causing this problem, does not allow you to install or run any malware-seeking software, there are other diagnostic options that may prove helpful.

However, we will cross that bridge if we need to.

[Attached image: Computer locked up with a virus!!-capture.png]
08 Jun 2015   #4

Windows 7 Home Premium

Thank you for your information. I ran Zoek. It spit out a lot of data at the end. I rebooted. Opened up Explorer.

Unfortunately the virus still lives....
08 Jun 2015   #5

Windows 7 Home Premium

Need to see the data it 'spit out'!

Please provide the zoek-results.log in your reply.
08 Jun 2015   #6

Windows 7 Home Premium

okay... here is the data:

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by wendy on Mon 06/08/2015 at 17:22:00.71.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\wendy\Desktop\zoek\zoek.exe [Scan all users] [Script inserted] 
==== Older Logs ======================
C:\zoek-results2015-06-08-235944.log 8167 bytes
==== System Restore Info ======================
6/8/2015 5:24:59 PM Zoek.exe System Restore Point Created Successfully.
==== Empty Folders Check ======================
C:\Users\wendy\AppData\Roaming\hpqLog deleted successfully
==== Deleting CLSID Registry Keys ======================
==== Deleting CLSID Registry Values ======================
==== Deleting Services ======================
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CAiNNK deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\globalUpdate deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\globalUpdatem deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Util Primary Color deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Util Primary Color deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Update Primary Color deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Update Primary Color deleted successfully
==== Batch Command(s) Run By Tool======================
==== Deleting Files \ Folders ======================
C:\PROGRA~3\WebShield deleted
C:\Users\wendy\AppData\Roaming\inminet deleted
C:\windows\SysNative\Tasks\EbonmediaUpdater deleted
C:\windows\SysNative\Tasks\Irsleoblawoxi deleted
C:\PROGRA~2\globalUpdate deleted
C:\PROGRA~2\Wajam deleted
C:\Users\wendy\AppData\Local\Weather_Protector_LLC deleted
C:\Users\wendy\AppData\Local\globalUpdate deleted
C:\Users\wendy\AppData\Local\StormWatch deleted
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\StormWatch deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GAMESDESKTOP deleted
C:\Users\wendy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StormWatch deleted
C:\Windows\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-1-6.job deleted
C:\Windows\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-1-7.job deleted
C:\Windows\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-10_user.job deleted
C:\Windows\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-5.job deleted
C:\Windows\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-5_user.job deleted
C:\windows\SysNative\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-1-6 deleted
C:\windows\SysNative\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-1-7 deleted
C:\windows\SysNative\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-10_user deleted
C:\windows\SysNative\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-5 deleted
C:\windows\SysNative\Tasks\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-5_user deleted
C:\Windows\tasks\globalUpdateUpdateTaskMachineCore.job deleted
C:\Windows\tasks\globalUpdateUpdateTaskMachineUA.job deleted
C:\windows\SysNative\tasks\globalUpdateUpdateTaskMachineCore deleted
C:\windows\SysNative\tasks\globalUpdateUpdateTaskMachineUA deleted
C:\END deleted
C:\Users\wendy\AppData\Roaming\Ebon\Ebon\Profiles\3m0l7wtp.default\jetpack deleted
C:\Users\wendy\AppData\Roaming\Ebon\Ebon\Profiles\3m0l7wtp.default\extensions\ deleted
"C:\PROGRA~3\xtdpJdV\CAiNNK.dat" not deleted
"C:\PROGRA~3\xtdpJdV\CAiNNK.exe" deleted
"C:\PROGRA~3\xtdpJdV\info.dat" not deleted
"C:\PROGRA~2\MediaPlayerVid2.4\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-1-6.exe" deleted
"C:\PROGRA~2\MediaPlayerVid2.4\d24eb2d0-1830-4d8f-b3af-3519a7f17e23-10.exe" deleted
"C:\PROGRA~2\gmsd_us_674\gmsd_us_674.exe" deleted
"C:\PROGRA~2\gmsd_us_674\gmsd_us_674.exe" deleted
"C:\Users\wendy\AppData\Local\gmsd_us_674\upgmsd_us_674.exe" deleted
"C:\Users\wendy\AppData\Local\gmsd_us_674\upgmsd_us_674.exe" deleted
"C:\PROGRA~2\Primary Color\updatePrimaryColor.exe" deleted
"C:\PROGRA~3\xtdpJdV\dat\iyCCOHsvC.exe" not deleted
"C:\PROGRA~3\xtdpJdV\dat\iyCCOHsvC.exe.config" not deleted
"C:\PROGRA~3\xtdpJdV\dat\rrMClzKFJPg.dll" not deleted
"C:\PROGRA~3\xtdpJdV\dat\SNFfiIpJWV.exe" not deleted
"C:\PROGRA~3\xtdpJdV\dat\SNFfiIpJWV.exe.config" not deleted
"C:\PROGRA~3\xtdpJdV\dat\yebWXcu.dll" not deleted
"C:\PROGRA~2\Primary Color\bin\7dfbf927c50d481c8328ce452cb772ad.dll" deleted
"C:\PROGRA~2\Primary Color\bin\7dfbf927c50d481c8328ce452cb772ad64.dll" deleted
"C:\PROGRA~2\Primary Color\bin\PrimaryColor.BrowserAdapter.exe" deleted
"C:\PROGRA~2\Primary Color\bin\PrimaryColor.BrowserAdapter64.exe" deleted
"C:\PROGRA~2\Primary Color\bin\PrimaryColor.expext.exe" deleted
"C:\PROGRA~2\Primary Color\bin\PrimaryColor.expextdll.dll" deleted
"C:\PROGRA~2\Primary Color\bin\utilPrimaryColor.exe" deleted
"C:\PROGRA~3\xtdpJdV" not deleted
"C:\PROGRA~2\MediaPlayerVid2.4" not deleted
"C:\PROGRA~2\gmsd_us_674" deleted
"C:\PROGRA~2\gmsd_us_674" deleted
"C:\Users\wendy\AppData\Local\gmsd_us_674" deleted
"C:\Users\wendy\AppData\Local\gmsd_us_674" deleted
"C:\PROGRA~2\Primary Color" not deleted
"C:\PROGRA~3\xtdpJdV\dat" not deleted
"C:\PROGRA~2\Primary Color\bin" not deleted
==== Firefox Start and Search pages ======================
ProfilePath: C:\Users\wendy\AppData\Roaming\Mozilla\Firefox\Profiles\bnqt1k3b.default
user_pref("browser.startup.homepage", "");
==== Firefox Proxy Settings ======================
ProfilePath: C:\Users\wendy\AppData\Roaming\Mozilla\Firefox\Profiles\bnqt1k3b.default
user_pref("network.proxy.type", 5);
==== Firefox Extensions Registry ======================
"{27182e60-b5f3-411c-b545-b44205977502}"="C:\Program Files (x86)\Microsoft\Search Enhancement Pack\Search Helper\firefoxextension\SearchHelperExtension" [06/08/2015 04:14 PM]
==== Firefox Extensions ======================
==== Firefox Plugins ======================
Profilepath: C:\Users\wendy\AppData\Roaming\Mozilla\Firefox\Profiles\bnqt1k3b.default
31DA97B4682187C6639BBE2215814FDA - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll - Shockwave for Director / Shockwave for Director
==== Set IE to Default ======================
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=""
==== All HKCU SearchScopes ======================
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="{searchTerms}"
{E2AF8FE5-DFB1-4E94-9B62-3B7A3BD32222} Wikipedia Url="{searchTerms}"
{F191E2D0-A733-49B2-BD90-11328D61EBD0} Bing Url="{searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox"
==== Deleting CLSID Registry Keys ======================
HKEY_USERS\S-1-5-21-4030634988-410349047-2056894908-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{b0a28f54-b08f-4049-a9bf-8d33bd1e9222} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{b0a28f54-b08f-4049-a9bf-8d33bd1e9222} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b0a28f54-b08f-4049-a9bf-8d33bd1e9222} deleted successfully
==== Deleting CLSID Registry Values ======================
==== Reset IE Proxy ======================
Value(s) before fix:
Value(s) after fix:
==== Deleting Registry Keys ======================
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{e20d6e44-c692-4329-d495-57e2996fc3ed} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\StormWatch deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WajaInternetEnhancer deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\gmsd_us_674_is1 deleted successfully
HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\44e6d02e296c92344d59752e99f63cde deleted successfully
==== Empty IE Cache ======================
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Default\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\networkservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N785XWKK will be deleted at reboot
==== Empty FireFox Cache ======================
No FireFox Cache found
==== Empty Chrome Cache ======================
No Chrome User Data found
==== Empty All Flash Cache ======================
Flash Cache Emptied Successfully
==== Empty All Java Cache ======================
No Java Cache Found
==== C:\zoek_backup content ======================
C:\zoek_backup (files=160 folders=48 45787621 bytes)
==== Empty Temp Folders ======================
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\wendy\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot
==== After Reboot ======================
==== Empty Temp Folders ======================
C:\Windows\Temp successfully emptied
C:\Users\wendy\AppData\Local\Temp successfully emptied
==== Empty Recycle Bin ======================
C:\$RECYCLE.BIN successfully emptied
==== Deleting Files / Folders ======================
"C:\PROGRA~3\xtdpJdV\CAiNNK.dat" not found
"C:\PROGRA~3\xtdpJdV\info.dat" not found
"C:\PROGRA~3\xtdpJdV\dat\iyCCOHsvC.exe" not found
"C:\PROGRA~3\xtdpJdV\dat\iyCCOHsvC.exe.config" not found
"C:\PROGRA~3\xtdpJdV\dat\rrMClzKFJPg.dll" not found
"C:\PROGRA~3\xtdpJdV\dat\SNFfiIpJWV.exe" not found
"C:\PROGRA~3\xtdpJdV\dat\SNFfiIpJWV.exe.config" not found
"C:\PROGRA~3\xtdpJdV\dat\yebWXcu.dll" not found
"C:\PROGRA~3\xtdpJdV" not found
"C:\PROGRA~2\MediaPlayerVid2.4" not found
"C:\PROGRA~2\Primary Color" not found
"C:\Users\wendy\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N785XWKK" not found
==== EOF on Mon 06/08/2015 at 18:31:37.76 ======================
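The log above is long, and the interesting parts are easy to miss: the scheduled tasks and services the tool removed (the persistence that let the file "recreate itself on start up" after it was deleted in Safe Mode), and the entries marked "not deleted" that were only rechecked after the reboot. The following script is an added example, not part of the thread or of the Zoek tool: it parses a zoek-results.log into its "====" sections, lists the removed tasks and services, and reports any "not deleted" item that was never reported "not found" in the post-reboot pass (treating an ancestor folder reported "not found" as covering its children). The embedded log excerpt is constructed for the example and trimmed from the log posted above, so one entry is deliberately left without a post-reboot recheck; the outcome strings and the path hints are assumptions based on that log.

```python
"""Summarise a zoek-results.log: what was removed, what persistence was hit, what survived."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the log posted in this thread (trimmed; one
# "not deleted" entry intentionally has no post-reboot recheck).
SAMPLE_LOG = r"""
==== Deleting Services ======================
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CAiNNK deleted successfully
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\globalUpdate deleted successfully
==== Deleting Files \ Folders ======================
C:\windows\SysNative\Tasks\EbonmediaUpdater deleted
C:\Windows\Tasks\globalUpdateUpdateTaskMachineCore.job deleted
"C:\PROGRA~3\xtdpJdV\CAiNNK.dat" not deleted
"C:\PROGRA~3\xtdpJdV\CAiNNK.exe" deleted
"C:\PROGRA~3\xtdpJdV\dat\iyCCOHsvC.exe" not deleted
"C:\PROGRA~3\xtdpJdV\dat\yebWXcu.dll" not deleted
"C:\PROGRA~2\Primary Color\bin" not deleted
==== Empty Temp Folders ======================
C:\Users\wendy\AppData\Local\Temp will be emptied at reboot
==== After Reboot ======================
==== Deleting Files / Folders ======================
"C:\PROGRA~3\xtdpJdV\CAiNNK.dat" not found
"C:\PROGRA~3\xtdpJdV\dat\iyCCOHsvC.exe" not found
"C:\PROGRA~2\Primary Color" not found
==== EOF on Mon 06/08/2015 at 18:31:37.76 ======================
"""

SECTION_RE = re.compile(r"^==== (.+?) =+\s*$")

# Outcome suffixes seen in the log; more specific ones come first so that
# "deleted successfully" and "not deleted" are not misread as plain "deleted".
OUTCOMES = (
    "deleted successfully", "not deleted", "not found",
    "emptied successfully", "successfully emptied",
    "will be deleted at reboot", "will be emptied at reboot", "deleted",
)


def classify(line):
    """Split one log line into (item, outcome); None if it is not a result line."""
    for outcome in OUTCOMES:
        if line.endswith(" " + outcome):
            item = line[: -len(outcome) - 1].strip().strip('"')
            return item, outcome
    return None


def parse_zoek_log(text):
    """Return {section: [(item, outcome), ...]} in log order.
    Sections after the 'After Reboot' marker get an ' (after reboot)' suffix so the
    two deletion passes can be compared."""
    results = defaultdict(list)
    section, after_reboot = "preamble", False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            if m.group(1) == "After Reboot":
                after_reboot = True
                continue
            section = m.group(1) + (" (after reboot)" if after_reboot else "")
            continue
        hit = classify(line)
        if hit:
            results[section].append(hit)
    return dict(results)


def persistence_removed(results):
    """Scheduled tasks and services the tool removed: the hooks that re-create files at boot."""
    found = {"tasks": [], "services": []}
    for entries in results.values():
        for item, outcome in entries:
            if outcome not in ("deleted", "deleted successfully"):
                continue
            low = item.lower()
            if "\\currentcontrolset\\services\\" in low:
                found["services"].append(item.rsplit("\\", 1)[-1])
            elif "\\tasks\\" in low:
                found["tasks"].append(item.rsplit("\\", 1)[-1])
    return found


def survivors(results):
    """'not deleted' items from the first pass with no 'not found' (or a parent folder's
    'not found') in the post-reboot pass; these still need a manual look."""
    gone = {item.lower() for sec, entries in results.items() if sec.endswith("(after reboot)")
            for item, outcome in entries if outcome in ("not found", "deleted", "deleted successfully")}

    def is_gone(item):
        low = item.lower()
        return any(low == g or low.startswith(g + "\\") for g in gone)

    return [item for sec, entries in results.items() if not sec.endswith("(after reboot)")
            for item, outcome in entries if outcome == "not deleted" and not is_gone(item)]


if __name__ == "__main__":
    parsed = parse_zoek_log(SAMPLE_LOG)
    for sec, entries in parsed.items():
        print(f"{sec}: {len(entries)} entries")
    print("persistence removed:", persistence_removed(parsed))
    print("still unresolved:", survivors(parsed))
```

Run it against a real zoek-results.log by reading the file into `parse_zoek_log` instead of `SAMPLE_LOG`; with the excerpt above it reports two services and two tasks removed and flags `yebWXcu.dll` as the one item never confirmed gone.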
08 Jun 2015   #7

Windows 7 Home Premium

Thanks for posting the report.

Would have thought that after running Zoek, and a reboot, the message from the website would have been gone...

Let's give this a whirl to see if it finds the culprit:

Please use the Farbar Recovery Scan Tool.
Download: Farbar Recovery Scan Tool Download
Select the version that applies to your system.
Save it to your Desktop.

Double-click the downloaded file to run it.
When the tool opens, click Yes to the disclaimer.

Press the Scan button.

When done, the tool makes a log, FRST.txt, in the same directory from which the tool is run (Desktop).

Please provide the FRST.txt in your reply.

The first time the tool is run, it also creates another log: Addition.txt
Also post the Addition.txt in your reply.