Yourtv malware

[hamzamb]

My browsers are infected by yourtv.link

please find attached my logs below.

thanks in advance for the help

[essexboy]

Let me know how the computer is after this

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKLM\...\Run: [] => [X]
HKU\S-1-5-21-3321735017-2395750582-1160152328-1001\...\Run: [pleasant] => C:\ProgramData\pleasant.exe [12740169 2015-08-18] (Newark Tech, Inc.)
CHR HKU\S-1-5-21-3321735017-2395750582-1160152328-1001\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Startup: C:\Users\Hamza B\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Hamza B.exe [2015-08-19] (Newark Tech, Inc.)
2015-09-25 11:16 - 2015-05-23 14:43 - 00000000 __SHD C:\Users\Hamza B\AppData\Local\EmieUserList
2015-09-25 11:16 - 2015-05-23 14:43 - 00000000 __SHD C:\Users\Hamza B\AppData\Local\EmieSiteList
2015-09-25 11:16 - 2015-05-23 14:43 - 00000000 __SHD C:\Users\Hamza B\AppData\Local\EmieBrowserModeList
015-08-19 20:56 - 2015-08-18 02:29 - 12740169 ___SH (Newark Tech, Inc.) C:\ProgramData\pleasant.exe
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S0].txt as well.
  

[hamzamb]

Hi,

   I ran the programs as you asked. Find attached the logs below. I didn't find the file as you said. but I found this in the adwcleaner folder

Thanks,
Hamza

[Pondus]

and the fix log?

[essexboy]

How is the computer now ?

[hamzamb]

Is this the Fix log?

also when i open a new tab and search on google it uses this search engine by default. (image attached below)

Thanks,
Hamza.

[essexboy]

Are you still getting it in Chrome ?  DO you have chrome set to synch ?

[mikaelrask]

hey see essexboys first replay to you. please follow his instruction and run the fix he have posted for you:)

[hamzamb]

yes I am signed into chrome

[essexboy]

OK then each time you start chrome it will download it again.  We need to stop the synch and then clean it up again 

1. I need you to go Google Sync and sign into your account
2. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"

Then run a fresh FRST scan

[hamzamb]

Hi,

    Sorry about that here is the new scan.

Hamza.

[essexboy]

Let me know how the computer is after this

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
CHR StartupUrls: Default -> "chrome://newtab/"
2015-08-19 20:56 - 2015-08-18 02:29 - 12740169 ___SH (Newark Tech, Inc.) C:\ProgramData\pleasant.exe
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[hamzamb]

here is the FRST log

[essexboy]

How is chrome behaving now ?

[hamzamb]

chrome is still using that custom search. In settings that search engine is set as default and when I try to change, it says "this setting has been enforced by your administrator". see attached image. thanks