UberGoober, I recommend following Jacee's instruction.
She is one of our security experts.
Thanks so much for that link, Jacee! Gonna do it now. I'll mark the thread solved if it succeeds.
LB, those 3 brain cells are some powerful! Could I borrow one? Thanks for hanging in here with me.
UG
Last edited by UberGoober; 04 Nov 2015 at 20:25. Reason: To thank both helpers in one post
I'd like you to scan your machine with ESET OnlineScan
- Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
- Click the button.
- For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- Click on to download the ESET Smart Installer. Save it to your desktop.
- Double click on the icon on your desktop.
- Check
- Click the button.
- Accept any security warnings from your browser.
- Check
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the button.
- Push
OK...ESET OnlineScan came up "No threats found", so there was no "List of found threats" button to push. I could not complete steps 10 - 13.
If a log exists anyway, I'll zip it up and send it if you can tell me where it is.
Thanks so much, Jacee
UG
Last edited by UberGoober; 05 Nov 2015 at 18:46. Reason: give more info
Okay, let's run AdwCleaner:
Download AdwCleaner by Xplode and save to your Desktop.
Step 1
Step 2
- Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
- Click on the Scan button.
- AdwCleaner will begin...be patient as the scan may take some time to complete.
- After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
- The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
- Copy and paste the contents of that logfile in your next reply.
- A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
Using AdwCleaner: Scan & Clean
This time click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
Copy and paste the contents of that logfile in your next reply.
A copy of that logfile will also be saved in the C:\AdwCleaner folder
******Post both .txt logs
AdwCleaner scan ran for less than 1 minute.
LOG:
# AdwCleaner v5.018 - Logfile created 06/11/2015 at 07:12:00
# Updated 05/11/2015 by Xplode
# Database : 2015-11-03.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : A - A-PC
# Running from : C:\Users\A\Desktop\AdwCleaner.exe
# Option : Scan
# Support : Forum - ToolsLib
***** [ Services ] *****
***** [ Folders ] *****
***** [ Files ] *****
***** [ DLL ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
***** [ Registry ] *****
***** [ Web browsers ] *****
[C:\Users\A\AppDAtA\RoAming\MozillA\Firefox\Profiles\ht2l8yt0.default\prefs.js] [Preference] Found : user_pref("browser.search.defaultenginename.US", "Ixquick - English");
[C:\Users\A\AppDAtA\RoAming\MozillA\Firefox\Profiles\ht2l8yt0.default\prefs.js] [Preference] Found : user_pref("browser.startup.homepage", "hxxps://ixquick.com/do/mypage.pl?prf=487259a80fb2c3b412bd42d2dab01976");
########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [957 bytes] ##########
Nothing to keep, but I'd love to block all syncing. I don't want a roaming profile even when the PC gets back to normal. This malware installs on whatever machine I'm using if I log onto my ISP webmail.
I wonder if I was presented a substitute by the malware - there wasn't a "Report" button.
Oh, and I found the ESET log. The scanner never appeared to run - think these times are bogus.
ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=918e60685d3fde40b3d6a8be7889f5dc
# end=init
# utc_time=2015-11-05 07:00:15
# local_time=2015-11-05 02:00:15 (-0500, Eastern Standard Time)
# country="United States"
# osver=6.1.7601 NT Service Pack 1
Update Init
Update Download
Update Finalize
Updated modules version: 26584
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# EOSSerial=918e60685d3fde40b3d6a8be7889f5dc
# end=updated
# utc_time=2015-11-05 07:02:38
# local_time=2015-11-05 02:02:38 (-0500, Eastern Standard Time)
# country="United States"
# osver=6.1.7601 NT Service Pack 1
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7777
# api_version=3.1.1
# EOSSerial=918e60685d3fde40b3d6a8be7889f5dc
# engine=26584
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-11-05 07:34:14
# local_time=2015-11-05 02:34:14 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1=''
# compatibility_mode=5893 16776573 100 94 0 198295504 0 0
# scanned=102169
# found=0
# cleaned=0
# scan_time=1896
Sending this on since I've done it and the PC has to restart, so I'd have a do-over. Cleaning log to follow.
Last edited by UberGoober; 06 Nov 2015 at 07:56. Reason: additional info
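A way to test whether the timestamps in the ESET log above are internally consistent (added example, not part of the thread and not ESET's tooling): split the log into its `# end=` stage records and compare the gap between the `updated` and `finished` records with the reported `scan_time`. The record layout is inferred from this one log, `scan_time` is assumed to be in seconds, and the function names are hypothetical.

```python
from datetime import datetime

# Records copied from the ESET log in the post above, trimmed to the fields used.
ESET_LOG = """\
# product=EOS
# end=init
# utc_time=2015-11-05 07:00:15
Updated modules version: 26584
# product=EOS
# end=updated
# utc_time=2015-11-05 07:02:38
# product=EOS
# engine=26584
# end=finished
# utc_time=2015-11-05 07:34:14
# found=0
# scan_time=1896
"""
FMT = "%Y-%m-%d %H:%M:%S"

def parse_stages(text):
    """Return ({end_name: fields}, updated_modules_version)."""
    stages, current, modules = [], None, None
    for line in text.splitlines():
        if line.startswith("Updated modules version:"):
            modules = line.split(":", 1)[1].strip()
        if not line.startswith("# ") or "=" not in line:
            continue  # progress lines carry no key=value pair
        key, _, value = line[2:].partition("=")
        if key == "product":  # assumed: each record opens with "# product="
            current = {}
            stages.append(current)
        if current is not None:
            current[key] = value.strip('"')
    return {s["end"]: s for s in stages if "end" in s}, modules

def cross_check(text):
    """Compare the reported scan_time with the updated -> finished gap."""
    stages, modules = parse_stages(text)
    fin = stages["finished"]
    start = datetime.strptime(stages["updated"]["utc_time"], FMT)
    end = datetime.strptime(fin["utc_time"], FMT)
    return {
        "wall_clock_s": int((end - start).total_seconds()),
        "reported_s": int(fin["scan_time"]),  # assumed to be seconds
        "engine_is_updated_version": fin.get("engine") == modules,
        "threats_found": int(fin["found"]),
    }

print(cross_check(ESET_LOG))
```

For this log the gap between the `updated` and `finished` records is 1896 seconds, the same figure as the reported `scan_time`, and the `engine` value equals the updated modules version.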
Cleaning log
# AdwCleaner v5.018 - Logfile created 06/11/2015 at 07:41:48
# Updated 05/11/2015 by Xplode
# Database : 2015-11-03.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : A - A-PC
# Running from : C:\Users\A\Desktop\AdwCleaner.exe
# Option : Cleaning
# Support : Forum - ToolsLib
***** [ Services ] *****
***** [ Folders ] *****
***** [ Files ] *****
***** [ DLLs ] *****
***** [ Shortcuts ] *****
***** [ Scheduled tasks ] *****
***** [ Registry ] *****
***** [ Web browsers ] *****
[-] [C:\Users\A\AppDAtA\RoAming\MozillA\Firefox\Profiles\ht2l8yt0.default\prefs.js] [Preference] Deleted : user_pref("browser.search.defaultenginename.US", "Ixquick - English");
[-] [C:\Users\A\AppDAtA\RoAming\MozillA\Firefox\Profiles\ht2l8yt0.default\prefs.js] [Preference] Deleted : user_pref("browser.startup.homepage", "hxxps://ixquick.com/do/mypage.pl?prf=487259a80fb2c3b412bd42d2dab01976");
*************************
:: "Tracing" keys removed
:: Winsock settings cleared
########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1061 bytes] ##########
I got hijacked back to the Mozilla Start page as Home from IXQuick. I see "/do/" in lots of URLs, which change from what I type in.
Appreciate all your help so much, Jacee! UG
Okay good, now download TFC by Old Timer (TFC - Temp File Cleaner by OldTimer Download - Geeks to Go Forum) and save it to your desktop.
Save any unsaved work. TFC will close ALL open programs including your browser! This will also hide all desktop shortcuts, so just be aware! They will come back after rebooting.
If using Vista/Windows 7, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! Manually reboot the machine to ensure a complete clean.
Tell me how your computer is acting now.
TFC never hid the desktop icons. Here's what it showed it cleaned.
TempFileCleanerLog.txt
I ran it a second time after restarting because I wanted you to see there wasn't a "Restart" button presented after the scan in the log, and this is what it looked like.
I'll have to spend some time using the PC in the morning to report its behavior. UG
Last edited by UberGoober; 06 Nov 2015 at 18:09. Reason: clarify