bigfootyeti1

Need Help Removing Infection

I'm having trouble whenever I access my browser. On certain sites ad boxes will pop up saying ads by La Superba and on almost any page when I try to click or scroll a new tab will open up and say something along the lines of this page isn't safe or it may even be another ad page. Any help would be appreciated.

Addition.txt

FRST.txt


1. Please, uninstall "Java 8 Update 40" since it's an old version with known vulnerabilities that can be exploited by a web page to infect the computer. If you really need to have Java installed, it's very important to always have the latest version.


2. Do you have the same problems in all your browsers?


3. Please, move FRST program from Downloads folder to the Desktop.

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
cmd: sfc /scanfile=C:\WINDOWS\system32\dnsapi.dll
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll
Reboot:
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.


4. Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Log file button.
A report will be displayed; copy its content and paste it into your reply.
If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[R0].txt.


Yes, all the browsers I use, Microsoft Edge and Google Chrome, are afflicted. Here is the info you asked for.

# AdwCleaner v5.002 - Logfile created 09/09/2015 at 13:01:57
# Updated 18/08/2015 by Xplode
# Database : 2015-09-08.2 [server]
# Operating system : Windows 10 Home (x64)
# Username : Mitchell - THEPORTALOF
# Running from : C:\Users\Mitchell\Desktop\ADWcleaner.exe
# Option : Scan
***** [ Services ] *****
Service Found : bsdriver
***** [ Folders ] *****

***** [ Files ] *****
File Found : C:\Users\Mitchell\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage
File Found : C:\Users\Mitchell\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage-journal
File Found : C:\Users\Mitchell\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage
File Found : C:\Users\Mitchell\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage-journal
File Found : C:\WINDOWS\Sysnative\drivers\bsdriver.sys
File Found : C:\WINDOWS\Sysnative\drivers\cherimoya.sys
***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****
Key Found : HKCU\Software\AppDataLow\Software\adawarebp
***** [ Web browsers ] *****

########## EOF - C:\AdwCleaner\AdwCleaner[s2].txt - [1276 bytes] ##########

Fixlog.txt


1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Clean button.

Click on OK.
Click on OK on any message that pops up.
The computer will be restarted.

A report will be displayed; copy its content and paste it into your reply.
If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[s0].txt

2. Please, scan the computer with Kaspersky and Ad-Aware.


3. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.


4. Start FRST and select Addition.txt.

Scan and attach the two new log files.

Here are the files and the log from adwcleaner.
# AdwCleaner v5.002 - Logfile created 09/09/2015 at 17:24:50
# Updated 18/08/2015 by Xplode
# Database : 2015-09-08.2 [server]
# Operating system : Windows 10 Home (x64)
# Username : Mitchell - THEPORTALOF
# Running from : C:\Users\Mitchell\Desktop\ADWcleaner.exe
# Option : Cleaning
***** [ Services ] *****
[-] Service Deleted : bsdriver
***** [ Folders ] *****

***** [ Files ] *****
[-] File Deleted : C:\Users\Mitchell\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage
[-] File Deleted : C:\Users\Mitchell\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_pstatic.bestpriceninja.com_0.localstorage-journal
[-] File Deleted : C:\Users\Mitchell\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage
[-] File Deleted : C:\Users\Mitchell\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_pstatic.bestpriceninja.com_0.localstorage-journal
[-] File Deleted : C:\WINDOWS\Sysnative\drivers\bsdriver.sys
[-] File Deleted : C:\WINDOWS\Sysnative\drivers\cherimoya.sys
***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****
[-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
***** [ Web browsers ] *****

*************************
:: Proxy settings cleared
:: Winsock settings cleared
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1415 bytes] ##########

eseT.txt

Addition.txt

FRST.txt


The following script will delete all files in Recycle Bins and temporary folders. Please, check that you don't store anything you want to keep there.

Please, start Notepad.

Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [gmsd_us_005010063] => [X]
HKLM-x32\...\Run: [gmsd_us_005010076] => [X]
SearchScopes: HKU\S-1-5-21-2469781037-4177332697-2939502211-1001 -> DefaultScope {61F4AA87-3981-47A1-A195-3615E49CF9EF} URL = 
SearchScopes: HKU\S-1-5-21-2469781037-4177332697-2939502211-1001 -> {61F4AA87-3981-47A1-A195-3615E49CF9EF} URL = 
FF HKLM\...\Firefox\Extensions: [{0420BEC0-F2C1-4578-8F19-471B9E5C63A5}] - C:\Program Files\shopperz240820151333\Firefox
FF HKLM-x32\...\Firefox\Extensions: [{0420BEC0-F2C1-4578-8F19-471B9E5C63A5}] - C:\Program Files\shopperz240820151333\Firefox
R2 WWatcherProxy; C:\Program Files (x86)\ServiceUpdater\WWatcherProxy.exe [1741328 2015-08-18] (WWatcher)
S4 gojicije;  [X]
R1 bsdriver; C:\WINDOWS\system32\drivers\bsdriver.sys [34720 2015-08-31] ()
S3 utm5oda2; C:\WINDOWS\SysWOW64\Drivers\utm5oda2.sys [7168 2015-09-02] () [File not signed]
2015-09-03 21:53 - 2015-09-03 21:53 - 00236080 _____ (Trend Micro Inc.) C:\WINDOWS\RegBootClean64.exe
2015-09-03 21:52 - 2015-09-03 21:52 - 00530110 _____ C:\Users\Mitchell\AppData\Local\census.cache
2015-09-03 21:52 - 2015-09-03 21:52 - 00210040 _____ C:\Users\Mitchell\AppData\Local\ars.cache
2015-09-03 21:52 - 2015-09-03 21:52 - 00000010 _____ C:\Users\Mitchell\AppData\Local\sponge.last.runtime.cache
2015-09-03 21:40 - 2015-09-03 21:40 - 00000036 _____ C:\Users\Mitchell\AppData\Local\housecall.guid.cache
2015-09-03 21:40 - 2015-05-29 03:43 - 00307352 _____ (Trend Micro Inc.) C:\WINDOWS\system32\Drivers\tmcomm.sys
2015-09-03 03:25 - 2015-09-03 03:25 - 00613255 _____ (CMI Limited) C:\Users\Mitchell\AppData\Local\nsqE0A0.tmp
2015-09-03 00:29 - 2015-09-03 00:31 - 00000000 ____D C:\ProgramData\wNIgtVGor
2015-09-03 00:29 - 2015-09-03 00:29 - 00613255 _____ (CMI Limited) C:\Users\Mitchell\AppData\Local\nsz2BCD.tmp
2015-09-02 06:00 - 2015-09-02 06:00 - 00613255 _____ (CMI Limited) C:\Users\Mitchell\AppData\Local\nsj99B0.tmp
2015-09-02 05:08 - 2015-09-02 05:08 - 00613255 _____ (CMI Limited) C:\Users\Mitchell\AppData\Local\nsr2B45.tmp
2015-08-31 19:55 - 2015-08-31 19:55 - 00613255 _____ (CMI Limited) C:\Users\Mitchell\AppData\Local\nss3474.tmp
2015-08-31 19:54 - 2015-08-31 19:54 - 00034720 _____ () C:\WINDOWS\system32\Drivers\bsdriver.sys
2015-08-31 19:51 - 2015-09-06 12:54 - 00000000 ____D C:\Program Files\shopperz240820151333
2015-08-31 19:51 - 2015-08-31 19:51 - 00000004 _____ C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-08-31 19:51 - 2015-08-31 19:51 - 00000000 ____D C:\WINDOWS\system32\abis
2015-08-31 19:51 - 2015-08-20 11:46 - 00056736 _____ (Windows (R) Win 7 DDK provider) C:\WINDOWS\system32\Drivers\cherimoya.sys
2015-08-25 11:51 - 2015-09-02 05:16 - 00007168 _____ C:\WINDOWS\SysWOW64\Drivers\utm5oda2.sys
2015-08-23 22:55 - 2015-08-24 17:03 - 00009536 _____ C:\WINDOWS\SysWOW64\WWatcherProxyOff.ini
2015-08-23 22:55 - 2015-08-24 17:03 - 00009536 _____ C:\WINDOWS\system32\WWatcherProxyOff.ini
2015-08-23 22:55 - 2015-08-23 22:55 - 00000000 ____D C:\Program Files (x86)\ServiceUpdater
2015-08-23 22:55 - 2015-08-18 19:04 - 00356016 _____ (WWatcher) C:\WINDOWS\system32\WWatcherLSP64.dll
2015-08-23 22:55 - 2015-08-18 19:04 - 00305608 _____ (WWatcher) C:\WINDOWS\SysWOW64\WWatcherLSP.dll
2015-08-18 10:59 - 2015-08-18 10:58 - 00613255 _____ (CMI Limited) C:\Users\Mitchell\AppData\Local\nsz58A2.tmp
2015-08-18 10:30 - 2015-08-18 10:29 - 00613255 _____ (CMI Limited) C:\Users\Mitchell\AppData\Local\nsgFC99.tmp
C:\Windows\System32\drivers\wsafd_1_10_0_19.sys
Folder: C:\ProgramData\Jaivjriihi
Folder: C:\ProgramData\Service1291
cmd: sfc /scanfile=C:\Windows\SysWOW64\dnsapi.dll
EmptyTemp:
and paste in Notepad. Check that no files have been split on two lines.

Save the file as fixlist.txt on the desktop.

Exit all programs.

Start FRST, please.

Click the Fix button.

Wait until the tool has finished and the computer is restarted.

It creates a log file, called Fixlog.txt, on the desktop.

Please, paste the content of that file in your reply.
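As an added illustration (my own code, not part of this thread or of the FRST tool), here is a small Python triage helper for the created/modified lines in the format FRST uses in the script above: it parses each line and lists .sys files under a Drivers folder that carry no publisher string. I assume the publisher text in parentheses comes from the file's version information, so an empty field is a prompt to look closer rather than a signature check (FRST's own "[File not signed]" tag covers that).

```python
import re
from dataclasses import dataclass
from typing import Optional

# An FRST "One Month Created/Modified" line has the shape
#   <created> - <modified> - <size> <attrs> (<company>) <path>
# "(<company>)" may be "()" or absent, attrs is "____D" for a directory, and
# company names may contain parentheses, so the match runs lazily up to the
# ") " that precedes a drive-letter path (assumed format, taken from the thread).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{8}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>.*?)\) (?=[A-Za-z]:\\))?"
    r"(?P<path>[A-Za-z]:\\.+)$"
)

@dataclass
class FrstEntry:
    created: str
    modified: str
    size: int
    is_dir: bool
    company: Optional[str]  # None when no "(...)" field, "" when it was "()"
    path: str

def parse_frst_line(line: str) -> Optional[FrstEntry]:
    """Parse one FRST file line; return None for anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return FrstEntry(m["created"], m["modified"], int(m["size"]),
                     "D" in m["attrs"], m["company"], m["path"])

def suspicious_drivers(lines: list[str]) -> list[str]:
    # Paths of .sys files under a Drivers folder that carry no publisher string.
    hits = []
    for line in lines:
        e = parse_frst_line(line)
        if e is not None and not e.is_dir and e.path.lower().endswith(".sys") \
                and "\\drivers\\" in e.path.lower() and not e.company:
            hits.append(e.path)
    return hits

# Sample input: lines copied from the FRST script posted in this thread.
SAMPLE_LINES = [
    r"2015-09-03 00:29 - 2015-09-03 00:31 - 00000000 ____D C:\ProgramData\wNIgtVGor",
    r"2015-09-03 21:40 - 2015-05-29 03:43 - 00307352 _____ (Trend Micro Inc.) C:\WINDOWS\system32\Drivers\tmcomm.sys",
    r"2015-08-31 19:54 - 2015-08-31 19:54 - 00034720 _____ () C:\WINDOWS\system32\Drivers\bsdriver.sys",
    r"2015-08-31 19:51 - 2015-08-20 11:46 - 00056736 _____ (Windows (R) Win 7 DDK provider) C:\WINDOWS\system32\Drivers\cherimoya.sys",
    r"2015-08-25 11:51 - 2015-09-02 05:16 - 00007168 _____ C:\WINDOWS\SysWOW64\Drivers\utm5oda2.sys",
]
```

Running `suspicious_drivers(SAMPLE_LINES)` returns the bsdriver.sys and utm5oda2.sys paths; cherimoya.sys is not listed because it carries a publisher string, which is exactly why such a string on its own should not be treated as a clean bill of health.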


1. Two drivers couldn't be removed and I need to see the error messages.

Please, start an elevated Command Prompt by right-clicking Start button and selecting Command Prompt (Admin).

Enter these commands:

sc stop bsdriver

sc qc bsdriver

sc qprivs bsdriver

Copy the result and paste into your reply.


2. Scan the computer with Kaspersky and Ad-Aware, and let me know what they find.


3. Please, save RogueKiller on the Desktop. http://www.adlice.com/softwares/roguekiller/

For 32-bit Windows: Click on one of the first three buttons labelled "Portable 32 bits".
For 64-bit Windows: Click on one of the first three buttons labelled "Portable 64 bits".

Turn off all running programs and remove any external drives and other devices connected with USB etc. except mouse and keyboard.

Start RogueKiller (in Vista and Windows 7 right-click the program and select "Run as administrator"). If it won't start, try several times. If you are still unsuccessful, rename the file to winlogon.exe.

Wait until "Prescan" has finished.
Click on Scan button in upper right corner.
Wait until the scan has finished.
Click on Report button.
A report will be created.
Please, post it in your reply.


Ad-Aware detected cookies, and those are never a sign of an infected computer.


Turn off all programs including antivirus program and similar programs.

Run RogueKiller (in Vista and later Windows versions right-click the program and select "Run as administrator").
Wait until "Prescan" has finished.

Select the "Registry" tab and select the following entries (if not already selected):

[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\bsdriver -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bsdriver -> Found

Select the "MBR" tab and deselect everything.
Click the "Delete" button.

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
R1 bsdriver; C:\WINDOWS\system32\drivers\bsdriver.sys [34720 2015-08-31] ()
C:\WINDOWS\system32\drivers\bsdriver.sys
C:\WINDOWS\system32\Drivers\cherimoya.sys
Reboot:
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Start FRST, please.
Click the Fix button.
Wait until the tool has finished and the computer is restarted.

FRST creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

A new report with a name similar to RKreport.txt should have been created on the desktop.
Please, paste the content of that file in your reply.


Do you have a flash (thumb) drive that can be used if the above script can't delete the two drivers?


Please, copy Farbar Recovery Scan Tool (FRST) to the flash drive.

You need to restart the computer and start a Command Prompt without starting all of Windows; you do this by following the description on http://www.tenforums.com/tutorials/2880-command-prompt-boot-open-windows-10-a.html .

In the Command Prompt, please enter:

notepad
Press the Enter key.
The Notepad program starts.
Select: File menu -> Open
Select: Computer
Find your flash drive and write down its device letter, e.g. G:.
Exit Notepad.

In the Command prompt enter this command, please:

g:\frst64.exe
but replace "g" with the device letter of your flash drive. Press Enter key.
FRST program will start to run.

Read the disclaimer and click Yes to accept it.
Click Scan button.
When done, FRST will make a log file, called FRST.txt, on the flash drive.

Please, start Windows as usual (enter Exit in Command Prompt), and attach the FRST.txt on the flash drive to your reply.


Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !
