Cool.
RogueKiller has done the best it can. Now we shall use FRST and its script power to target the leftovers, and later ComboFix, as I want to see what CF tells me at the end.
Before we go to FRST, you need to uninstall the following bad software from Control Panel > Programs and Features.
- Coupon Printer for Windows
- MyFreeCodec
--- ---
FRST's FixList
--- ---
1. Open Notepad and copy/paste the text present inside the code box below. To do this, highlight the contents of the box and right click on it, then paste it into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.
Start
Folder: C:\Windows\System32\Tasks\{4856247E-DE83-4F58-B00F-607499D83E2B}
Folder: C:\Windows\System32\Tasks\{179AD9B3-38F9-49AD-BC00-0009FB0DEEEA}
Folder: C:\Windows\System32\Tasks\{E3626ACB-D49A-47CC-93EC-5CE49A588E91}
Folder: C:\Windows\SysWOW64\locale.nls
Folder: C:\Windows\system32\locale.nls
C:\Users\vince\Desktop\RK_Quarantine
C:\Users\vince\AppData\Roaming\data.sec
C:\Users\vince\AppData\Roaming\svc-mvwl.exe
C:\Users\Administrator\settings.dat
C:\Users\Loretta\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\vince\AppData\Local\Temp\file.exe
C:\Users\vince\AppData\Local\Temp\FlashPlayerUpdate.exe
C:\Users\vince\AppData\Local\Temp\FreemakeVideoDownloader_3.0.1.10.exe
C:\Users\vince\AppData\Local\Temp\FreemakeYoutubeMp3Converter_3.0.1.10.exe
C:\Users\vince\AppData\Local\Temp\i4jdel0.exe
C:\Users\vince\AppData\Local\Temp\K-Lite_Codec_Pack_Basic.exe
C:\Users\vince\AppData\Local\Temp\ntdll_dump.dll
C:\Users\vince\AppData\Local\Temp\ose00000.exe
C:\Users\vince\AppData\Local\Temp\Resource.exe
C:\Users\vince\AppData\Local\Temp\SamsungAPInstaller_1382626857642.exe
C:\Users\vince\AppData\Local\Temp\SamsungAPInstaller_1384216404771.exe
C:\Users\vince\AppData\Local\Temp\SamsungAPInstaller_1389968932882.exe
C:\Users\vince\AppData\Local\Temp\SHSetup.exe
C:\Users\vince\AppData\Local\Temp\sp44614.exe
C:\Users\vince\AppData\Local\Temp\sp46257.exe
C:\Users\vince\AppData\Local\Temp\sp49905.exe.exe
C:\Users\vince\AppData\Local\Temp\sp52594.exe.exe
C:\Users\vince\AppData\Local\Temp\sp53904.exe
C:\Users\vince\AppData\Local\Temp\sp54931.exe
C:\Users\vince\AppData\Local\Temp\tbFree.dll
C:\Users\vince\AppData\Local\Temp\tbProd.dll
C:\Users\vince\AppData\Local\Temp\tmpB2FA.exe
C:\Users\vince\AppData\Local\Temp\UninstallHPSA.exe
C:\Users\vince\AppData\Local\Temp\UninstallHPTCA.exe
C:\Users\vince\AppData\Local\Temp\vcredist_x64.exe
C:\Users\vince\AppData\Local\Temp\_is99FF.exe
HKLM-x32\...\Run: [] - [X]
HKU\S-1-5-21-3047364901-3158520248-2405442867-1001\...\MountPoints2: {51f373e6-4342-11df-bd11-d8d385744bc0} - J:\StormF1.exe
HKU\S-1-5-21-3047364901-3158520248-2405442867-1001\...\MountPoints2: {c46de609-5fd9-11e1-a4bd-d8d385744bc0} - J:\autorunner.exe "John Deere New Products 2012.exe"
HKU\S-1-5-21-3047364901-3158520248-2405442867-1001\...\MountPoints2: {df83d7cd-3b80-11df-b410-d8d385744bc0} - J:\StormF1.exe
URLSearchHook: HKCU - (No Name) - {b2bf7b3f-bf0b-4c48-aec6-f92c51be63e1} - No File
URLSearchHook: HKCU - (No Name) - {adca5064-9e30-43fe-9856-58b07a3149fe} - No File
SearchScopes: HKLM - {4D3BF12C-9654-4A8E-8305-43AC46DC2424} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 - {4D3BF12C-9654-4A8E-8305-43AC46DC2424} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {4D3BF12C-9654-4A8E-8305-43AC46DC2424} URL = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
SearchScopes: HKCU - {638517E6-DBA1-4546-A839-56DA82E42F8C} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3214568
Toolbar: HKCU - No Name - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
Toolbar: HKCU - No Name - {B2BF7B3F-BF0B-4C48-AEC6-F92C51BE63E1} - No File
Toolbar: HKCU - No Name - {ADCA5064-9E30-43FE-9856-58B07A3149FE} - No File
Task: {A9D7C2A0-89A7-4B5E-85C9-FD446E2AAEE5} - System32\Tasks\Go to RoboForm Install page => Rundll32.exe url.dll,FileProtocolHandler "http://www.roboform.com/test-pass.html?aaa=KICMMMLMNJJJNJKJJMMJCNKMLJKMMJCNLMLJMJNMCNGMOJGMLMCNKJOJKMMMHMKMJMOJIMNMOMJMJNJICMJMCNOMPMCNOMFMHMCNPMCNIMJMPMPMFMJMCNOMCNIMJMPMPMCNNMJNPICMOMFMMJBJKJLIMJFMOMGMNMJMJNHICMEJEJMIBJDJJNBJCMJIGJBJMJKJPNIIIIKJNIEJAJIIGJLIMJHJJNKJCMJIIIKJNIEJAJPLGIOJHJAJAJBNMJAJCJJNNICMJNDJCMKJBJ"
Task: {EB162691-097C-452A-9210-73115374A229} - System32\Tasks\Open URL by RoboForm => Rundll32.exe url.dll,FileProtocolHandler "http://www.roboform.com/test-pass.html?aaa=KICMMMLMNJJJNJKJJMMJCNKMLJKMMJCNLMLJMJNMCNGMOJGMLMCNKJOJKMMMHMKMJMOJIMNMOMJMJNJICMIMCNGMCNNMFMGMCNOMPMCNGMNMPMPMFMJMCNOMCNIMJMPMOMCNNMJNPICMOMFMMJBJKJLIMJFMLMIMMMJNHICMEJEJMIBJDJJNBJCMJIGJBJMJKJPNIIIIKJNIEJAJIIGJLIMJHJJNKJCMJIIIKJNIEJAJPLGIOJHJAJAJBNMJAJCJJNNICMJNDJCMKJBJ"
AlternateDataStreams: C:\Users\Administrator\Documents\Fwd_ Contract Changes.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Fwd_ Werkowitch_Cope Contract.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_ Werkowitch_Cope Contract 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_ Werkowitch_Cope Contract.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_missing addendum 2.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_missing addendum 3.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_missing addendum 4.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Re_ Fwd_missing addendum.eml:OECustomProperty
AlternateDataStreams: C:\Users\Administrator\Documents\Summary Report for Joel singer.eml:OECustomProperty
AlternateDataStreams: C:\Users\vince\Documents\FW_ Damn economy.eml:OECustomProperty
AlternateDataStreams: C:\Users\vince\Documents\Fw_ Fw_ OOOOOH NO !!!!.eml:OECustomProperty
AlternateDataStreams: C:\Users\vince\Documents\What a split second looks like!.eml:OECustomProperty
CMD: ipconfig /flushdns
End
2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart. The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.
--- ---
ComboFix
--- ---
1. Please download ComboFix by sUBs from here and save it to your Desktop.
If you are unsure how ComboFix works, please read this guide carefully.
Note: ComboFix must be downloaded to your Desktop.
--------------------------------------------------------------------
2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
If you are unsure how to do this, please read this or this instruction.
Instructions for disabling avast!:
- Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
- In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.
Note: Do not forget to turn this option back on after the cleaning by choosing avast! shield controls > Enable all shield options.
--------------------------------------------------------------------
3. Run ComboFix. Click on I Agree!
- ComboFix will display the DISCLAIMER of warranty on software. By clicking I Agree, ComboFix shall continue.
- ComboFix will check if there is a newer version of ComboFix available. Click Yes if prompted to download.
- If the Recovery Console is not installed, ComboFix will offer to download and install it. Click Yes to allow ComboFix to install the Recovery Console.
- ComboFix will scan your computer in stages, a total of 50 stages. Do not mouse-click around while ComboFix is running.
Note: If you see a message like "Illegal operation attempted on a registry key that has been marked for deletion", just restart your computer.
--------------------------------------------------------------------
4. When the tool is finished, it will produce a log report for you (typical location: C:\ComboFix.txt).
Attach the log report (ComboFix.txt) back to the topic.
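As an added verification step that is not part of the helper's instructions above and not something FRST itself runs: after FRST's Fix and the reboot, the following PowerShell script re-checks the persistence points named in the fixlist (a subset of the deleted files and task folders, the MountPoints2 autorun handlers, the hijacked SearchScopes, the orphaned URLSearchHook and Toolbar CLSIDs, the rundll32 url.dll tasks, and the alternate data streams on the listed .eml files), so the Fixlog can be cross-checked against the live system. It assumes PowerShell 3.0 or later, an elevated prompt, and that you are logged in as the account the fixlist's SID refers to (so HKCU: is that hive); every path, CLSID and URL it tests is copied from the fixlist, and the sample of file paths is deliberately partial.

```powershell
# Added example: re-check the persistence points from the FRST fixlist after the fix.
# Not part of the helper's post. Assumes PowerShell 3.0+, elevated, logged in as the
# account whose hive the fixlist addresses; paths/CLSIDs/URLs copied from the fixlist.

$findings = New-Object System.Collections.Generic.List[string]

# 1. A subset of the files and task folders the fixlist deletes.
$paths = @(
    'C:\Windows\System32\Tasks\{4856247E-DE83-4F58-B00F-607499D83E2B}',
    'C:\Windows\System32\Tasks\{179AD9B3-38F9-49AD-BC00-0009FB0DEEEA}',
    'C:\Windows\System32\Tasks\{E3626ACB-D49A-47CC-93EC-5CE49A588E91}',
    'C:\Users\vince\AppData\Roaming\data.sec',
    'C:\Users\vince\AppData\Roaming\svc-mvwl.exe',
    'C:\Users\Administrator\settings.dat',
    'C:\Users\vince\AppData\Local\Temp\ntdll_dump.dll',
    'C:\Users\vince\AppData\Local\Temp\FlashPlayerUpdate.exe'
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("still present: $p") }
}

# 2. MountPoints2: per-volume Shell\AutoRun\command handlers that launch an .exe from the drive.
$mp = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path -LiteralPath $mp) {
    Get-ChildItem -LiteralPath $mp -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            $cmd = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
            if ($cmd -match '\.exe') { $findings.Add("MountPoints2 handler: $cmd") }
        }
}

# 3. SearchScopes in all three hives: providers pointing at the hijack hosts, or with no URL.
$scopeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($k in $scopeKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($scope in Get-ChildItem -LiteralPath $k) {
        $url = (Get-ItemProperty -LiteralPath $scope.PSPath).URL
        if ([string]::IsNullOrEmpty($url) -or $url -match 'ask\.com|search\.conduit\.com') {
            $findings.Add("SearchScope $($scope.PSChildName) in ${k}: '$url'")
        }
    }
}

# 4. URLSearchHooks / Toolbar values whose CLSID has no InprocServer32 anywhere ("No File" in FRST).
$clsidKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\URLSearchHooks',
    'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
)
foreach ($k in $clsidKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    foreach ($clsid in (Get-Item -LiteralPath $k).Property) {
        if ($clsid -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $registered = @(
            "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32",
            "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid\InprocServer32",
            "HKCU:\Software\Classes\CLSID\$clsid\InprocServer32"
        ) | Where-Object { Test-Path -LiteralPath $_ }
        if (-not $registered) { $findings.Add("orphaned CLSID $clsid in $k") }
    }
}

# 5. Scheduled tasks whose Exec action opens a URL through rundll32 url.dll (the RoboForm-style tasks).
Get-ChildItem -LiteralPath 'C:\Windows\System32\Tasks' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        try { [xml]$task = Get-Content -LiteralPath $_.FullName -Raw } catch { return }
        foreach ($exec in @($task.Task.Actions.Exec)) {
            $line = "$($exec.Command) $($exec.Arguments)"
            if ($line -match 'url\.dll,FileProtocolHandler') {
                $findings.Add("task $($_.FullName) runs: $line")
            }
        }
    }

# 6. Alternate data streams on the listed .eml files (anything besides the main :$DATA stream).
foreach ($dir in @('C:\Users\Administrator\Documents', 'C:\Users\vince\Documents')) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.eml -File -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object { $findings.Add("ADS $($_.FileName):$($_.Stream)") }
    }
}

# 7. Report; non-zero exit code if anything survived, so it can be driven from a batch file.
if ($findings.Count -eq 0) {
    Write-Output 'No leftovers found at the fixlist locations.'
    exit 0
}
$findings | ForEach-Object { Write-Output $_ }
exit 1
```

Run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File check-leftovers.ps1` (file name is your choice). A hit in section 2 or 5 means a persistence entry survived the fix and belongs in the next fixlist; a hit in section 4 is only an orphaned reference, which is exactly what FRST's "No File" marks, and it is harmless apart from cluttering the browser's hook and toolbar lists.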