#41
Yes, I have 3 computers to do so.
Please "show hidden files, folders and drives" in Control Panel>File Explorer Options, "View" tab.
-----
Please uninstall the following applications:
Chrome
Export your bookmarks in Chrome to an HTML file (you can import them later).
Uninstall Chrome using the instructions here:
Uninstall Google Chrome - Computer - Google Chrome Help
Be sure to delete all profile information and clear browsing history - we want nothing left on the system (except your bookmarks).
If you sync your Chrome Browser data, delete it (use Edge or IE to do this):
Quick Tip: How To Delete Your Google Chrome Browser Sync Data
Java 8 Update 121
LogMeIn
McAfee Security Scan Plus
Yahoo Search Set
-----
Whatever is on the system by IObit company, please remove it. (SmartDefrag?)
-----
Please change the DNS settings on your NIC
From: 130.67.15.198 & 193.213.112.4
To: 208.67.222.222 & 208.67.220.220
-----
Open an admin command prompt or admin powershell and enter:
ipconfig /flushdns
-----
Please copy the following exactly and paste it into Notepad. Save the file as fixlist.txt in the same folder where the Farbar (FRST) tool is running from (C:\Users\Janisin\Downloads). Run FRST and click FIX only once and wait. When it's finished it will create a log (Fixlog.txt). Please post that log.
Code:
Start
CreateRestorePoint
EmptyTemp:
CloseProcesses:
Task: {33C02C52-CCB7-4FB7-9F2B-3E13439D75AC} - \SystemHealer Monitor -> No File <==== ATTENTION
Task: {42AB3ED1-EDCA-4781-B9D9-994414E8141D} - System32\Tasks\SMW_UpdateTask_Time_333536383237363034362d50372d5a456c37325a347841 => Wscript.exe //B "C:\ProgramData\SearchModule\smhe.js" smu.exe /invoke /f:check_services /l:0 <==== ATTENTION
Task: {5715A91F-9CEF-4E3B-A2E7-A4A86D8CFFC6} - \{78080447-0A0E-087F-0A11-7F7A7F0D110F} -> No File <==== ATTENTION
Task: {908AE32D-C2C7-4FC6-8F3C-6056146FB457} - System32\Tasks\System Healer Task => C:\PROGRA~2\SYSTEM~1\RESCUE~1.EXE <==== ATTENTION
Task: {A9094CB4-F599-4768-A5C0-93356813225B} - System32\Tasks\Milimili => C:\Program Files (x86)\MIO\MIO.exe [2017-05-04] () <==== ATTENTION
Task: {CC5EE9C6-9C52-4411-87EC-7E310E536686} - \SystemHealer Run Delay -> No File <==== ATTENTION
Task: {D2527136-A109-402E-AC24-ADD29340F413} - System32\Tasks\IBUpd2 => C:\Users\Janisin\AppData\Local\BrowserAir\48.0.0.0\updater.exe <==== ATTENTION
Task: {E03EDFBB-11A3-41F1-B67D-AFE5EA703A33} - System32\Tasks\IBUpd => C:\Users\Janisin\AppData\Local\BrowserAir\48.0.0.0\updater.exe <==== ATTENTION
Task: {F311310D-62D2-4E86-8C31-44E8AA2AAF89} - \oqnrzQS454 -> No File <==== ATTENTION
Task: {F51D35EB-97ED-4E1C-9033-29B40EFE0129} - System32\Tasks\SMW_P => C:\ProgramData\smp2.exe <==== ATTENTION
HKU\S-1-5-21-1197232350-3408337513-1167496310-1001\Software\Classes\regfile: regedit.exe "%1" <===== ATTENTION
GroupPolicy: Restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
CHR Profile: C:\Users\Janisin\AppData\Local\Google\Chrome\User Data\ChromeDefaultData [2017-04-30] <==== ATTENTION
CHR Extension: (AntiCaptcha automatic captcha solver) - C:\Users\Janisin\AppData\Local\Google\Chrome\User Data\DEFAULT\Extensions\neodgnejhhhlcdoglifbmioajmagpeci [2017-04-28] [UpdateUrl: hxxps://antcpt.com/downloads/firefox/update_manifest.json] <==== ATTENTION
R3 cpuz138; C:\Users\Janisin\AppData\Local\Temp\cpuz138\cpuz138_x64.sys [27320 2017-05-02] (CPUID) <==== ATTENTION
R1 ESEADriver2; C:\Users\Janisin\AppData\Local\Temp\ESEADriver2.sys [316552 2016-12-08] () <==== ATTENTION
Amazon 1Button App (x32 Version: 2.3.4 - Amazon) Hidden <==== ATTENTION
End
Note: this is a unique fixlist - do not use this on another computer.
-----
Permanently remove the following manually (if they exist):
C:\END
C:\Users\Janisin\AppData\Roaming\.pgbiasfx
-----
Open Device Manager
View>Show Hidden Devices
Expand "Non-Plug and Play Drivers"
Look for ESEADriver2
If found, right click "ESEADriver2" and select Uninstall
(we need to get rid of this, as they apparently were using users' systems for bitcoin mining, and have full admin rights in this driver.)
-----
Download the following to a flash drive (or CD) on a clean system:
RKILL
RKill Download
Download the iExplore.exe version
JRT
Junkware Removal Tool Download
RogueKiller
RogueKiller Download
ADWCleaner
Downloads - AdwCleaner - ToolsLib
Copy all the tools over to the "desktop" of the infected system.
Run the tools in this order on the infected system (note: all tools are free/have free versions):
1. RKILL
2. ADWCleaner (it will reboot)
3. RKILL (again)
4. RogueKiller (select all boxes including "PUP and PUM is malware") Delete everything in RED.
5. JRT
6. Malwarebytes Antimalware (already on system, go online, update virus definitions, run a full scan of system drive, and be sure to check the box to scan for rootkits) You may have to re-download and re-install to get it working now(?)
The system can stay online at this point.
Please post all logs from these tools for evaluation.
-----
Completely reset all browsers left on the system.
How to Reset Your Web Browser To Its Default Settings
Reset Microsoft Edge to Default in Windows 10 - Windows 10 Browsers Email Tutorials
-----
Will watch for your logs. Please remember you are 6 hours ahead of me.
Last edited by simrick; 04 May 2017 at 22:26.
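As an added example (not from this thread, and not code from FRST, RKill or any other tool named here), the elevated PowerShell script below does read-only checks for the items simrick's post works through: the DNS resolvers configured on each adapter, scheduled tasks of the kind the fixlist removes (actions in ProgramData/AppData, script hosts launching .js files, targets that no longer exist), the policy and per-user .reg-handler keys the fixlist flags, and kernel drivers registered from Temp/AppData like ESEADriver2. Assumptions: Windows 8.1/10 with Windows PowerShell 5 and its built-in DnsClient, ScheduledTasks and CimCmdlets modules; the expected DNS pair and the "user-writable" path patterns are constructed from the post, and the list of policy keys is my own selection of standard Windows locations, not something FRST reports.

```powershell
# Added post-infection triage script; not from this thread and not part of FRST,
# RKill or any other tool named here. Assumptions: Windows 8.1/10, Windows
# PowerShell 5, run from an elevated (admin) session. Nothing is modified;
# the two lines that would change DNS are left commented out.

# Expected resolvers: the OpenDNS pair simrick asks for in the post.
$ExpectedDns = @('208.67.222.222', '208.67.220.220')

# Locations a non-admin process can write to, constructed from the paths the
# fixlist flags (ProgramData, AppData\Local, Temp). Legitimate scheduled tasks
# and kernel drivers very rarely run from here.
$UserWritablePatterns = @(
    "$env:ProgramData\*",
    "$env:SystemDrive\Users\*\AppData\*",
    "$env:SystemDrive\Users\*\Downloads\*",
    "$env:windir\Temp\*"
)

# Policy keys commonly behind a "blocked by your administrator" message, plus the
# per-user .reg handler override the fixlist flags. My own selection of standard
# Windows locations (assumption), not taken from the FRST output.
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers',
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKCU:\Software\Policies\Microsoft\Internet Explorer\Restrictions',
    'HKCU:\Software\Classes\regfile'
)

function Test-UserWritablePath {
    param([string]$Path)
    # Strip the kernel-style "\??\C:\..." prefix drivers report and expand %vars%.
    $p = [Environment]::ExpandEnvironmentVariables(($Path -replace '^\\\?\?\\', ''))
    foreach ($pattern in $UserWritablePatterns) {
        if ($p -like $pattern) { return $true }
    }
    return $false
}

Write-Host '== 1. DNS servers per adapter (CHECK = not the expected resolvers) =='
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $unexpected = $_.ServerAddresses | Where-Object { $_ -notin $ExpectedDns }
        $status = if ($unexpected) { 'CHECK' } else { 'ok' }
        '{0,-6} {1,-25} {2}' -f $status, $_.InterfaceAlias, ($_.ServerAddresses -join ', ')
    }
# To apply the change from the post once the adapter alias above is confirmed:
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses $ExpectedDns
#   Clear-DnsClientCache        # PowerShell equivalent of ipconfig /flushdns

Write-Host "`n== 2. Scheduled tasks whose action looks like persistence =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # e.g. COM-handler actions
        $exe    = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        $argStr = $action.Arguments
        $why    = $null
        if (Test-UserWritablePath $exe) {
            $why = 'runs from a user-writable location'
        } elseif ($exe -match 'wscript|cscript|mshta|powershell' -and $argStr -match '\.(js|vbs|hta|ps1)\b') {
            $why = 'script host launching a script file'
        } elseif ($exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) {
            $why = 'target executable is missing'
        }
        if ($why) { '{0}{1}: {2} {3}  <- {4}' -f $task.TaskPath, $task.TaskName, $exe, $argStr, $why }
    }
}

Write-Host "`n== 3. Policy / handler keys that normally do not exist on a home PC =="
foreach ($key in $PolicyKeys) {
    if (Test-Path -LiteralPath $key) {
        "PRESENT  $key"
        Get-ItemProperty -LiteralPath $key | Select-Object * -ExcludeProperty PS* | Format-List | Out-String
    }
}

Write-Host "`n== 4. Kernel drivers registered from user-writable locations =="
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -and (Test-UserWritablePath $_.PathName) } |
    ForEach-Object { '{0,-20} {1,-8} {2,-10} {3}' -f $_.Name, $_.State, $_.StartMode, $_.PathName }
```

Save it as a .ps1 and run it from an admin PowerShell with `powershell -ExecutionPolicy Bypass -File .\triage.ps1`. Section 4 is the one that would have surfaced ESEADriver2 and cpuz138 in this thread: a driver whose PathName sits under a user's Temp folder is worth treating as hostile until proven otherwise, since it runs in the kernel regardless of who dropped it there. Section 2 deliberately flags tasks whose target file is missing, because an orphaned task is the leftover of something that was already removed and tells you where else to look.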
Hi and thanks for the guide.
However, there are two problems with this thought. First of all, AdwCleaner has been blocked by an administrator (I am the only one). The other problem is that RogueKiller does not allow changing these settings in its free version. Malwarebytes cannot run either.
Last edited by Vikdal; 05 May 2017 at 08:14.
Have you tried renaming AdwCleaner & Malwarebytes to something different, such as iexplore.exe (or another random name)? Sometimes renaming scanning tools is sufficient action to allow the cleaners to run when they are blocked by malware.
If Malwarebytes has been installed on your system but cannot run, it has a program called Chameleon that attempts to override the malware block. Instructions are here:
https://support.malwarebytes.com/cus...tem-?b_id=6447
Also there is a stand alone version that can help get it installed:
Malwarebytes | Chameleon - Free Malware Removal Tool
Malwarebytes Chameleon technologies get Malwarebytes 3 installed and running when blocked by malicious programs.
Hi! Yes, I have tried renaming both applications. Also, here are the logs from the programs I was able to run: Fixlog.txt, LOG ROGUEKILLER.tmp.txt, Rkill2.txt
EDIT: And to run Chameleon I would need an internet connection, and as far as I have seen this would let the trojan download more viruses/adware.
And if Chameleon does not help, I would then have all the adware that the trojan downloaded still on the PC :/
I followed the guide word for word until I got to AdwCleaner.
EDIT: I almost forgot, the McAfee app and no IObit were on the system. Sorry for forgetting this.