doodlynn

DNS Locker Removal

Hi doodlynn,

1. Please disconnect external hard disks, especially I:, since some programs might start to scan them and then it would take a very long time.

2. The DNS server configuration points to a malware DNS server for one of the network interfaces:

Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167

instead of what the other interfaces use:

Tcpip\..\Interfaces\{C044EEAB-88F7-4504-8FF4-BF6C8F8F2D77}: [DhcpNameServer] 75.75.76.76 75.75.75.75

That needs to be changed, but to be able to do that it's necessary that the computer is clean, and I see some adware/malware in the logs.

3. Please scan with the latest version of AdwCleaner and paste the result into your reply.

4. Have you, or the adware, restricted what it is possible to do with Google Chrome?

5. Run an online scan with ESET (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time, disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

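The check the helper did by eye on the FRST log (one interface with a static NameServer while the others use DhcpNameServer) can be scripted. The script below is an added example, not something posted in this thread and not part of FRST or AdwCleaner. It reads the same Tcpip\Parameters\Interfaces keys from the registry, flags any static resolver that is neither DHCP-assigned nor on a caller-supplied allow-list (the -AllowedServers parameter is this script's own assumption; fill it with your ISP or corporate resolvers), and with -Fix deletes the rogue NameServer value, which is what the fixlist's Tcpip\..\Interfaces line later did. It needs PowerShell 3 or later and an elevated prompt; -WhatIf previews the change.

```powershell
# Added example (not from the thread or from FRST): audit the per-interface DNS
# settings under Tcpip\Parameters\Interfaces and optionally clear a static
# NameServer so the interface falls back to its DHCP-assigned resolvers.
# PowerShell 3+, elevated prompt. Uses only the registry, so no DnsClient module needed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: resolvers you trust (ISP, corporate). Static servers outside this
    # list that were not also handed out by DHCP are reported as suspicious.
    [string[]]$AllowedServers = @(),
    # Delete the NameServer value on suspicious interfaces and flush the resolver cache.
    [switch]$Fix
)

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Split-ServerList([string]$s) {
    # NameServer is comma-separated, DhcpNameServer space-separated; normalise both.
    if ([string]::IsNullOrWhiteSpace($s)) { return @() }
    return @($s -split '[,\s]+' | Where-Object { $_ })
}

$findings = foreach ($key in Get-ChildItem $base) {
    $p      = Get-ItemProperty -Path $key.PSPath
    $static = Split-ServerList $p.NameServer
    $dhcp   = Split-ServerList $p.DhcpNameServer
    if ($static.Count -eq 0) { continue }          # DHCP-only interface: nothing to check
    $unexpected = @($static | Where-Object { $AllowedServers -notcontains $_ -and $dhcp -notcontains $_ })
    [pscustomobject]@{
        Interface  = $key.PSChildName
        Static     = ($static -join ',')
        Dhcp       = ($dhcp -join ' ')
        Unexpected = ($unexpected -join ',')
        Suspicious = ($unexpected.Count -gt 0)
        PSPath     = $key.PSPath
    }
}

$findings | Format-Table Interface, Static, Dhcp, Suspicious -AutoSize

if ($Fix) {
    foreach ($f in @($findings | Where-Object { $_.Suspicious })) {
        if ($PSCmdlet.ShouldProcess($f.Interface, "Remove static NameServer '$($f.Static)'")) {
            # Removing the value (what the fixlist's Tcpip\..\Interfaces line did) makes the
            # interface use DhcpNameServer again; setting it to '' has the same effect.
            Remove-ItemProperty -Path $f.PSPath -Name NameServer
        }
    }
    ipconfig /flushdns | Out-Null
}
```

A legitimately configured static resolver is flagged too unless it is allow-listed, so review the table before using -Fix. Clearing the value only reverts the interface to DHCP: if the DHCP server itself (typically the home router) has been pointed at rogue DNS, the DhcpNameServer entries look consistent across all interfaces and this check will not catch that case.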

ESET output:

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\adawaretb\adawareDx.dll.vir a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\Ask\APN-Stub\MYC-ST\APNIC.dll.vir a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\null\content.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\null\lsdb.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\ProgramData\null\Q.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Roaming\Mozilla\Firefox\Profiles\xrzh6hr2.default\Extensions\[email protected]\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Roaming\Mozilla\Firefox\Profiles\xrzh6hr2.default\Extensions\[email protected]\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\goblmaagcgfbjlaahdohiomenekdpnci\147\e2.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\content.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\lsdb.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\ub.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\adawareDx.dll.vir a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\88t3giwp.default\Extensions\[email protected]\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\88t3giwp.default\Extensions\[email protected]\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application cleaned by deleting - quarantined
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawaretb.dll a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\dtUser.exe a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\uninstall.exe a variant of Win32/Toolbar.Visicom.E potentially unwanted application deleted - quarantined
C:\Program Files (x86)\Superficial Supermarket\137481eb.ftf.ftf a variant of Python/Mamba.G trojan cleaned by deleting - quarantined
C:\Users\Doodlynn\AppData\Local\Temp\35320b99\406040.ftf multiple threats cleaned by deleting - quarantined
C:\Users\Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3I4O8P15\update30701003[1].zip a variant of Win32/Toolbar.Visicom.A potentially unwanted application deleted - quarantined
C:\Users\Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UD9FP2H6\SearchProtectGeneric2[1].exe Win32/OutBrowse.Q potentially unwanted application deleted - quarantined
C:\Users\Robert\AppData\Local\Mozilla\Firefox\Profiles\88t3giwp.default\cache2\entries\711CBB1C6CEDCA636BD935BDBADB13D8AA3FF6D1 HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Users\Robert\AppData\Local\Mozilla\Firefox\Profiles\88t3giwp.default\cache2\entries\AD5706430A8D21A19A090B140FFA80BCE71E9648 HTML/Iframe.B.Gen virus deleted - quarantined
C:\Users\Robert\AppData\Local\Temp\AAWInstallerTemp\v9.6.0\Ad-Aware.msi a variant of Win32/Toolbar.Visicom.A potentially unwanted application deleted - quarantined
C:\Users\Robert\Downloads\ManyCamSetup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined


# AdwCleaner v5.009 - Logfile created 30/09/2015 at 00:45:01
# Updated 27/09/2015 by Xplode
# Database : 2015-09-27.1 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Doodlynn - ROBERT-PC
# Running from : C:\Users\Doodlynn\Desktop\adwcleaner_5.009.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

Folder Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmkckgpgekmanipelfidlhmkfcjicion

***** [ Files ] *****

File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage
File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage
File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage-journal
File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage
File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage-journal
File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage
File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal
File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

Task Found : Adobe Flash Player Updater

***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\Software\AppDataLow\Software\adawarebp

***** [ Web browsers ] *****

[C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : ogminpmldncgcmokldnmmapddoccmhfl
[C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : bmkckgpgekmanipelfidlhmkfcjicion

########## EOF - C:\AdwCleaner\AdwCleaner[s4].txt - [2453 bytes] ##########


1. Have you, or the adware, restricted what it is possible to do with Google Chrome?

2. Please close all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Clean button.

Click on OK.
Click on OK on any message that pops up.
The computer will be restarted.

A report will be displayed; copy its content and paste it into your reply.
If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[s0].txt

3. Start the FRST program, please.

Select Addition.txt and then let the program scan the computer.

Please attach the two new log files.


I've reset the settings in Chrome. There are no plugins. I will most likely uninstall as it seems to be too problematic.

 

# AdwCleaner v5.009 - Logfile created 30/09/2015 at 20:54:39
# Updated 27/09/2015 by Xplode
# Database : 2015-09-30.1 [server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Doodlynn - ROBERT-PC
# Running from : C:\Users\Doodlynn\Desktop\adwcleaner_5.009.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

***** [ Files ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

[-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
[!] Key Not Deleted : HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\Software\AppDataLow\Software\adawarebp

***** [ Web browsers ] *****

[-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
[-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com
[-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : bmkckgpgekmanipelfidlhmkfcjicion

*************************

:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [1187 bytes] ##########

Addition.txt

FRST.txt


1. There are several web sites in the trusted zone in the Internet Explorer settings. Those web sites are usually permitted to do a lot of things on the computer, and that can be dangerous if they are hacked or have a malicious ad. I recommend that you check the list and remove as many of them as possible.

2. Please start Notepad.

Copy all the text that is in the box:

CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
AppInit_DLLs: C:\PROGRA~2\GS_X64~1.ENA => No File
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
ShortcutTarget: Facebook Messenger.lnk -> C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-2956688714-3758072586-3574173577-1003 -> {48B4BD82-36C2-41BF-8CBA-64C46655DA74} URL = 
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bmkckgpgekmanipelfidlhmkfcjicion] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cgiaikfpllchefojlnehlmpekeogihnm] - C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx [2012-05-20]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
S2 SessionLauncher; no ImagePath
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-04-04] (GFI Software)
Task: {256A209C-22C9-4A2F-95A6-81478B2EC388} - System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => Chrome.exe 
Task: {8B1F44A7-2BF1-480D-957F-E3608BE03BB3} - System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => pcalua.exe -a C:\Users\Doodlynn\Downloads\Adaware_Installer.exe -d C:\Users\Doodlynn\Downloads
Task: {AD338822-FECD-408B-A056-AAA01AF95E70} - System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => Chrome.exe 
AlternateDataStreams: C:\Users\Doodlynn\Desktop\FRST64.exe:BDU
AlternateDataStreams: C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe:BDU
AlternateDataStreams: C:\Users\Doodlynn\Downloads\setup.exe:BDU
AlternateDataStreams: C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe:BDU
Folder: C:\Program Files (x86)\Superficial Supermarket
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
Reboot:
and paste it into Notepad. Check that no lines have been split in two.

Save the file as fixlist.txt on the desktop.

 

Exit all programs.

Start FRST, please.

Click the Fix button.

Wait until the tool has finished and the computer is restarted.

 

It creates a log file, called Fixlog.txt, on the desktop.

Please, paste the content of that file in your reply.

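The helper's question about Chrome being restricted, the CHR HKLM\SOFTWARE\Policies\Google line and the CHR ...\Chrome\Extension lines in the fixlist all concern two registry locations: Chrome policy keys, and registry-registered ("external") extensions. The script below is an added example, not from the thread and not part of FRST; it inventories both read-only so they can be reviewed before anything is deleted. It assumes the standard policy path HKLM/HKCU\SOFTWARE\Policies\Google\Chrome and the standard external-extension keys under ...\Google\Chrome\Extensions\<id>, each of which carries either update_url or path (plus version); running it as administrator lets it walk the other accounts' hives under HKEY_USERS as well. PowerShell 3 or later.

```powershell
# Added example (not from the thread or from FRST): read-only inventory of the two
# registry locations the fixlist cleaned for Chrome: policy keys that restrict the
# browser, and registry-registered ("external") extensions. PowerShell 3+; run as
# administrator so the other accounts' hives under HKEY_USERS can be read too.

$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-RegistryValues([string]$Path) {
    # Return the values of a key as Name/Value pairs, minus the provider metadata.
    $p = Get-ItemProperty -Path $Path
    if (-not $p) { return }
    foreach ($name in $p.PSObject.Properties.Name) {
        if ($metaProps -contains $name) { continue }
        [pscustomobject]@{ Name = $name; Value = $p.$name }
    }
}

function Get-ChromePolicy {
    # Chrome reads policy from HKLM (machine) and HKCU (user) \SOFTWARE\Policies\Google\Chrome.
    # On an unmanaged home PC these keys normally do not exist at all, so anything listed
    # here deserves a look. List policies such as ExtensionInstallForcelist are subkeys
    # holding numbered values, hence the second loop.
    foreach ($root in 'HKLM:\SOFTWARE\Policies\Google\Chrome', 'HKCU:\SOFTWARE\Policies\Google\Chrome') {
        if (-not (Test-Path $root)) { continue }
        foreach ($v in Get-RegistryValues $root) {
            [pscustomobject]@{ Root = $root; Policy = $v.Name; Value = $v.Value }
        }
        foreach ($sub in Get-ChildItem $root) {
            foreach ($v in Get-RegistryValues $sub.PSPath) {
                [pscustomobject]@{ Root = $root; Policy = "$($sub.PSChildName)\$($v.Name)"; Value = $v.Value }
            }
        }
    }
}

function Get-ChromeExternalExtension {
    # One subkey per extension ID; it holds either update_url (where Chrome fetches the
    # extension, clients2.google.com for the Web Store) or path + version to a local .crx.
    if (-not (Test-Path 'HKU:\')) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $roots = @('HKLM:\SOFTWARE\Google\Chrome\Extensions',
               'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions')
    # per-user registrations for every loaded profile hive (S-1-5-21-... = real accounts)
    $roots += Get-ChildItem 'HKU:\' |
              Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
              ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE\Google\Chrome\Extensions" }
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty -Path $key.PSPath
            $source = if ($p.path) { "$($p.path) (version $($p.version))" } else { $p.update_url }
            [pscustomobject]@{
                ExtensionId = $key.PSChildName
                Root        = $root
                # a .crx sideloaded from inside a user profile is the pattern seen in the fixlist
                LocalCrx    = [bool]$p.path
                Source      = $source
            }
        }
    }
}

"== Chrome policies =="
Get-ChromePolicy | Format-Table -AutoSize
"== Registry-registered extensions =="
Get-ChromeExternalExtension | Format-Table ExtensionId, LocalCrx, Source, Root -AutoSize
```

In the fixlist, cgiaikfpllchefojlnehlmpekeogihnm pointed at a .crx inside a user profile (C:\Users\Robert\AppData\Local\CRE\...) while the others used the Web Store update URL; the LocalCrx column separates those two cases. A Web Store update_url is not proof that an extension is benign, only that its code came from the store, so the IDs still need to be looked up.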

Fix result of Farbar Recovery Scan Tool (x64) Version:30-09-2015
Ran by Doodlynn (2015-10-01 11:51:35) Run:2
Running from C:\Users\Doodlynn\Desktop
Loaded Profiles: Doodlynn (Available Profiles: Robert & Doodlynn & KesoSchoolWork)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
CloseProcesses:
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [] => [X]
AppInit_DLLs: C:\PROGRA~2\GS_X64~1.ENA => No File
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShortcutTarget: Facebook Messenger.lnk -> C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe (No File)
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2956688714-3758072586-3574173577-1003 -> {48B4BD82-36C2-41BF-8CBA-64C46655DA74} URL =
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bmkckgpgekmanipelfidlhmkfcjicion] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [cgiaikfpllchefojlnehlmpekeogihnm] - C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx [2012-05-20]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
S2 SessionLauncher; no ImagePath
R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-04-04] (GFI Software)
Task: {256A209C-22C9-4A2F-95A6-81478B2EC388} - System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => Chrome.exe
Task: {8B1F44A7-2BF1-480D-957F-E3608BE03BB3} - System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => pcalua.exe -a C:\Users\Doodlynn\Downloads\Adaware_Installer.exe -d C:\Users\Doodlynn\Downloads
Task: {AD338822-FECD-408B-A056-AAA01AF95E70} - System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => Chrome.exe
AlternateDataStreams: C:\Users\Doodlynn\Desktop\FRST64.exe:BDU
AlternateDataStreams: C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe:BDU
AlternateDataStreams: C:\Users\Doodlynn\Downloads\setup.exe:BDU
AlternateDataStreams: C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe:BDU
Folder: C:\Program Files (x86)\Superficial Supermarket
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
Reboot:
*****************

Restore point was successfully created.
Processes closed successfully.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"C:\PROGRA~2\GS_X64~1.ENA" => Value data removed successfully.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt1"" => key removed successfully
"HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt2"" => key removed successfully
"HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt3"" => key removed successfully
"HKCR\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt4"" => key removed successfully
"HKCR\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt5"" => key removed successfully
"HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt6"" => key removed successfully
"HKCR\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt7"" => key removed successfully
"HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt8"" => key removed successfully
"HKCR\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
"HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe => not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}\\NameServer => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{48B4BD82-36C2-41BF-8CBA-64C46655DA74}" => key removed successfully
HKCR\CLSID\{48B4BD82-36C2-41BF-8CBA-64C46655DA74} => key not found.
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\bmkckgpgekmanipelfidlhmkfcjicion" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cgiaikfpllchefojlnehlmpekeogihnm" => key removed successfully
C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj" => key removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gihfmmedoddijgnhkgfgnkeohkpbipol" => key removed successfully
SessionLauncher => service removed successfully
gfibto => Service stopped successfully.
gfibto => service removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{256A209C-22C9-4A2F-95A6-81478B2EC388}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{256A209C-22C9-4A2F-95A6-81478B2EC388}" => key removed successfully
C:\Windows\System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8B1F44A7-2BF1-480D-957F-E3608BE03BB3}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8B1F44A7-2BF1-480D-957F-E3608BE03BB3}" => key removed successfully
C:\Windows\System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A4AD6685-E712-418A-8F39-F29428BEB46C}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD338822-FECD-408B-A056-AAA01AF95E70}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD338822-FECD-408B-A056-AAA01AF95E70}" => key removed successfully
C:\Windows\System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{57254D63-0CAE-4F1D-AF76-A061B3AA0929}" => key removed successfully
"C:\Users\Doodlynn\Desktop\FRST64.exe" => ":BDU" ADS not found.
C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe => ":BDU" ADS removed successfully.
C:\Users\Doodlynn\Downloads\setup.exe => ":BDU" ADS removed successfully.
C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe => ":BDU" ADS removed successfully.

========================= Folder: C:\Program Files (x86)\Superficial Supermarket ========================

====== End of Folder: ======

========= ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

========= netsh winsock reset catalog =========

Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.

========= End of CMD: =========

========= netsh int ip reset c:\resetlog.txt =========

Reseting Global, OK!
Reseting Interface, OK!
Reseting Route, OK!
Restart the computer to complete this action.

========= End of CMD: =========

 

The system needed a reboot..

==== End of Fixlog 11:52:30 ====


Do you still have dnslocker ads?

If yes, please run FRST again and attach the two new logs.


Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Thank You !
