Ran Run Me First - still have problems...

Discussion in 'Malware Help (A Specialist Will Reply)' started by gamecock, Feb 22, 2015.

  1. gamecock

    gamecock Private E-2

    I was downloading a free pdf version of a textbook a couple days ago and believe that I have downloaded a virus (or two).

    Since then I have noticed several issues. I do not know if they are related or not.

    - I can see a program called internetport3.exe is running in my task manager, which I can not kill. Every time I kill the process it comes right back instantly. I've read online that this is a dangerous virus and should be removed immediately.

    - If I go to google.com I am redirected to a page that says that "This Connection is Untrusted". The details of the certificate show the Organization as "DO_NOT_TRUST" and the Organizational Unit as "Created by http://ww.fiddler2.com". This appears to only happen in Firefox. I have not (intentionally) downloaded the Fiddler2 program.

    - In both Firefox and Chrome a popup window starts playing an advertisement video through something called jwplayer. If I use firebug I can see the source of the videos is from a site called vid4fun.net or everclips.net

    - When rebooting computer two command line windows pop up (blank black windows that have "SysWow64\cmd.exe" and "SysWow64\taskkill.exe" in the title bar)

    - If I open the Chrome browser, the task manager starts listing about 10-15 processes with the description of "Chromium" or "Google Chrome" - which greatly slows down the speed of the computer

    It's possible that not all of these are virus related, but they did not start happening until a couple days ago when I was looking around online for a free version of a textbook.

    I have gone through the Run Me first steps and have attached my logs.

    Thank you in advance for your help!

    --Aaron
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. :)

    Uninstall the below using Revo Uninstaller....

    • iReport 3.7.0
    • iReport 4.5.1
    • Jaspersoft iReport Designer Professional 4.0
    • Jaspersoft iReport Designer Professional 4.7.0
    • Jaspersoft iReport Designer Professional 5.0.0
    • Jaspersoft iReport Designer Professional 5.6.0
    • Jaspersoft Studio Professional 5.5.0.final



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\Run | Systemmonitor : "C:\ProgramData\windows monitor\skskjbpjx.exe" -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\Run | Systemmonitor : "C:\ProgramData\windows monitor\skskjbpjx.exe" -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\699fd52f ("C:\Windows\system32\rundll32.exe" "c:\progra~3\assist~1\AssistantSvc.dll",service) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BackupService (C:\Users\Monolith\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\qknfd (system32\drivers\qknfd.sys) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\699fd52f ("C:\Windows\system32\rundll32.exe" "c:\progra~3\assist~1\AssistantSvc.dll",service) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BackupService (C:\Users\Monolith\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qknfd (system32\drivers\qknfd.sys) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\699fd52f ("C:\Windows\system32\rundll32.exe" "c:\progra~3\assist~1\AssistantSvc.dll",service) -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BackupService (C:\Users\Monolith\AppData\Roaming\HP SimpleSave Application\uUACTokenSvc.exe) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\qknfd (system32\drivers\qknfd.sys) -> Found
    • [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877 -> Found
    • [PUM.Proxy] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:61038;https=127.0.0.1:61038 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:61038;https=127.0.0.1:61038 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:61038;https=127.0.0.1:61038 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:61038;https=127.0.0.1:61038 -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the very same for these items on the Tasks tab please...

    • [Suspicious.Path] WS.Enabler-S-71009536.job -- c:\programdata\setapp\ws.enabler\WS.Enabler.exe (/schedule /profile "c:\programdata\setapp\ws.enabler\71009536.ini") -> Found
    • [Suspicious.Path] \\DTReg -- C:\Users\Monolith\AppData\Roaming\DefaultTab\DefaultTab\DTReg.exe -> Found
    • [Suspicious.Path] \\Special IC Runner -- %LOCALAPPDATA%\F99957B3-07FD-6148-9554-13C7887D5FC1\Runner.exe -> Found
    • [Suspicious.Path] \Microsoft\Windows\Maintenance\Advanced IC Updating -- %LOCALAPPDATA%\F99957B3-07FD-6148-9554-13C7887D5FC1\Runner.exe (--Update) -> Found

    ..and for these on HOST File tab...

    • [C:\Windows\System32\drivers\etc\hosts] 172.16.0.6 procyon
    • [C:\Windows\System32\drivers\etc\hosts] 172.16.0.20 hashpee
    • [C:\Windows\System32\drivers\etc\hosts] 172.16.0.11 office
    • [C:\Windows\System32\drivers\etc\hosts] 172.16.0.13 alya
    • [C:\Windows\System32\drivers\etc\hosts] 172.16.0.9 deneb
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost
    • [C:\Windows\System32\drivers\etc\hosts] 127.0.0.1 localhost

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.





    Re run Hitman Pro and have it remove all that it finds...

    Re run Malware Bytes, see if it finds anything else to remove.



    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
    • O1 - Hosts: 172.16.0.6 procyon
    • O1 - Hosts: 172.16.0.20 hashpee
    • O1 - Hosts: 172.16.0.11 office
    • O1 - Hosts: 172.16.0.13 alya
    • O1 - Hosts: 172.16.0.9 deneb
    • O2 - BHO: (no name) - AutorunsDisabled - (no file)
    • O4 - HKLM\..\Run: [cutoauto] C:\a\wincheckfe.exe
    • O4 - HKLM\..\Run: [interpee] C:\a\internetport3.exe
    • O4 - HKLM\..\Run: [autoauto] 44613242.bat
    • O4 - HKCU\..\Run: [rutoauto] 44613242.bat
    • O4 - HKCU\..\Run: [dutoauto] C:\a\wincheckfe.exe
    • O4 - HKCU\..\Run: [interpee] C:\a\internetport3.exe
    • O4 - HKCU\..\Run: [Systemmonitor] \Windows\Explorer.exe
    • O4 - Startup: intr.lnk = C:\a\87438863.bat
    • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    • O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    • O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    • O20 - AppInit_DLLs: c:\progra~3\assist~1\assist~1.dll

    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix exit HJT.


    Delete these if you see them:

    • C:\ProgramData\windows monitor
    • C:\Users\Monolith\AppData\Local\Ni2CLy52slRvf2XAnPCJ.html
    • C:\ProgramData\goreatSSAoVeeri
    • C:\ProgramData\TopApp soft
    • C:\Program Files (x86)\FastInternet
    • C:\Program Files (x86)\goreatSSAoVeeri
    • C:\Windows\SysWOW64\44613242.bat



    Download Cleano 0.61

    Download it to your desktop, Right click the cleano.exe file and run as admin > and place check marks in the boxes as follows (click on link below to see image)

    View attachment 148092
    Click clean now and exit the program.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    • Now re run both Hitman Pro and RogueKiller (just scans) - attach logs from them please.
    • Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    • Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
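
Added example (not part of the thread and not any poster's code): a small Python triage of report lines in the RogueKiller registry-tab format quoted in the reply above. It collapses the duplicate X64/X86 views into one finding per hive and flags any `ProxyServer` that points at a loopback address, which means browser traffic is being handed to a process on the same machine. The sample lines, the shortened SID and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the "[Category] (Arch) Key | Value : Data -> Found" layout.
# The SID is a placeholder and the HKLM proxy host is invented for contrast.
SAMPLE = r'''
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-EXAMPLE-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_USERS\S-1-5-21-EXAMPLE-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877 -> Found
[PUM.Proxy] (X86) HKEY_USERS\S-1-5-21-EXAMPLE-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:8877;https=127.0.0.1:8877 -> Found
[PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:61038;https=127.0.0.1:61038 -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
[PUM.Proxy] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : proxy.example.internal:3128 -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\qknfd (system32\drivers\qknfd.sys) -> Found
'''

# Matches value detections only; service detections (no " | ") are skipped.
LINE = re.compile(
    r'^\[(?P<cat>[^\]]+)\]\s+\((?P<arch>X64|X86)\)\s+(?P<key>.+?)\s+\|\s+'
    r'(?P<name>.+?)\s+:\s+(?P<data>.*?)\s+->\s+Found$')


def hive_of(key):
    """HKEY_USERS\\<SID> for per-user hives, otherwise the root key name."""
    parts = key.split('\\')
    return '\\'.join(parts[:2]) if parts[0] == 'HKEY_USERS' else parts[0]


def proxy_endpoints(data):
    """Parse 'host:port' or 'http=host:port;https=host:port' into (host, port) pairs."""
    endpoints = set()
    for part in data.split(';'):
        hostport = part.strip().split('=', 1)[-1].split('://')[-1]
        if not hostport:
            continue
        host, sep, port = hostport.rpartition(':')
        if not sep:                      # no port given
            host, port = port, ''
        endpoints.add((host, int(port) if port.isdigit() else None))
    return endpoints


def is_loopback(host):
    if host.lower() == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # a hostname, not an IP literal
        return False


def audit_proxy(report):
    """Return sorted (hive, host, port, enabled) for every loopback proxy setting."""
    state = defaultdict(dict)            # hive -> {value name: data}
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m and m['key'].lower().endswith('\\internet settings'):
            # The X86 view repeats the X64 view; keying by hive de-duplicates them.
            state[hive_of(m['key'])][m['name']] = m['data']
    findings = []
    for hive, values in sorted(state.items()):
        enabled = values.get('ProxyEnable') == '1'
        for host, port in sorted(proxy_endpoints(values.get('ProxyServer', '')), key=str):
            if is_loopback(host):
                findings.append((hive, host, port, enabled))
    return findings


if __name__ == '__main__':
    for hive, host, port, enabled in audit_proxy(SAMPLE):
        print(f'{hive}: loopback proxy {host}:{port} (ProxyEnable=1: {enabled})')
```

Running the same check on the report taken after cleanup shows whether any hive still carries the setting.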
     
  3. gamecock

    gamecock Private E-2

    Hello,

    Here are the issues I listed in my initial email and their current status...

    - I can see a program called internetport3.exe is running in my task manager, which I can not kill. Every time I kill the process it comes right back instantly. I've read online that this is a dangerous virus and should be removed immediately. STATUS IS THE SAME

    - If I go to google.com I am redirected to a page that says that "This Connection is Untrusted". The details of the certificate show the Organization as "DO_NOT_TRUST" and the Organizational Unit as "Created by http://ww.fiddler2.com". This appears to only happen in Firefox. I have not (intentionally) downloaded the Fiddler2 program. STATUS IS THE SAME

    - In both Firefox and Chrome a popup window starts playing an advertisement video through something called jwplayer. If I use firebug I can see the source of the videos is from a site called vid4fun.net or everclips.net
    STATUS IS THE SAME

    - When rebooting computer two command line windows pop up (blank black windows that have "SysWow64\cmd.exe" and "SysWow64\taskkill.exe" in the title bar) FIXED - POP UP WINDOWS NO LONGER APPEAR

    - If I open the Chrome browser, the task manager starts listing about 10-15 processes with the description of "Chromium" or "Google Chrome" - which greatly slows down the speed of the computer APPEARS TO BE FIXED. WHENEVER I CLOSE MY CHROME SESSION THE INDIVIDUAL PROCESSES ARE KILLED AUTOMATICALLY - UNLIKE BEFORE WHERE THEY REMAINED EVEN AFTER I CLOSED OUT CHROME

    I have attached the most recent logs that you requested. I also deleted/uninstalled the programs and files you suggested.

    Again, thank you in advance for all of your help.

    --Aaron
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'll try to keep you moving along while Kestrel13! is offline.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8877;https=127.0.0.1:8877
    O4 - HKLM\..\Run: [autoauto] 44613242.bat
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    After clicking Fix, exit HJT.


    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\a\getcap.exe
    C:\a\wcheckf.exe
    C:\a\internetport3.exe
    C:\a\wincheckfe.exe
    C:\a\wincheckfe.exe
    C:\a\Ni2CLy52slRvf2XAnPCJ.exe
    C:\a
    C:\windows\system32\44613242.bat
    C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc\
    C:\Users\Monolith\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X65NQ3BT\bdcount[1].htm
    C:\Users\Monolith\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AB8AGQ6G\uniqueNi2CLy52slRvf2XAnPCJ[2].htm
    C:\Users\Monolith\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1CIQ863A\Ni2CLy52slRvf2XAnPCJ[1].exe
    C:\Users\Monolith\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1CIQ863A\Ni2CLy52slRvf2XAnPCJ[1].exe
    C:\Users\Monolith\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1CIQ863A\Ni2CLy52slRvf2XAnPCJ[1].exe
    C:\Users\Monolith\AppData\Local\yuntnani
    C:\ProgramData\windows monitor\skskjbpjx.exe
    C:\ProgramData\windows monitor
    C:\ProgramData\PastaLeadsAgent
    C:\Program Files (x86)\FastInternet
    C:\Program Files\Common Files\system\SysMenu.dll
    C:\Program Files\Common Files\system\SysMenu64.dll
    C:\Windows\
    C:\Users\Monolith\AppData\Local\Temp\*.*
    C:\Users\Monolith\AppData\Local\Temp\*.*
     
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
    "Systemmonitor"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\AutorunsDisabled]
    "Systemmonitor"=-
    "Adobe Speed Launcher"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "autoauto"=-
    "cutoauto"=-
    "interpee"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "autoauto"=-
    [HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\run\AutorunsDisabled]
    "Systemmonitor"=-
    [HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\runonce\AutorunsDisabled]
    "Systemmonitor"=-
    "Adobe Speed Launcher"=-
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\interpee]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cutoauto]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-21-2072126772-134042332-3065495538-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "DefaultConnectionSettings"=-
    "SavedLegacySettings"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxySettingsPerUser"=dword:00000000
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.
    Now run a new scan with RogueKiller and attach the new log.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the RogueKiller log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  5. gamecock

    gamecock Private E-2

    Most of the issues are now resolved!

    - I am no longer seeing the program internetport3.exe in my task manager.
    - If I go to google.com I no longer get the redirected page saying that "This Connection is Untrusted".

    I no longer get the same pop up video advertisement when I am in Firefox or Chrome. However, I am getting a new form of pop up advertisement. Now, I get a small window that appears on the right side of the screen with "Deals". If I hover over it it slides out and shows additional products for me to buy. The link at the bottom of the popup window says that they are being generated by a company called "Similar Products". This is a new issue and did not show up prior to today.

    I have attached the requested logs for you.

    Thanks again in advance for all of your help.

    --Aaron
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Which browsers does it show in? Test all browsers that you have installed including Internet Explorer but only have one browser opened at any time while testing.
     
  7. gamecock

    gamecock Private E-2

    I have Firefox, Chrome and Internet Explorer all installed on my computer. The popups are only showing up in Firefox. Even if I open multiple browsers at the same time, the popups only show up in Firefox.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  9. gamecock

    gamecock Private E-2

    Yes resetting my Firefox browser solved the popup problems! It appears that all of my issues are now resolved!

    Is there a virus protection software that I should install to help keep this from happening in the future? Can I uninstall any of the programs that you had me install during this process?

    I GREATLY appreciate all of your help! This is the second time MG has helped me out.

    --Aaron
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    The proxy is still showing up, let's see what Chaslang says. I have been away from the computer for a couple days, I apologise.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run RogueKiller and run a scan. After it finishes the scan, select the Registry tab and then select any of the below that exist and then click the Delete button.

    Then immediately reboot your PC.

    After reboot, run a new scan with RogueKiller and save a log as in original instructions and attach the new log.



    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
    I also see that you have OpenVPN Technologies running. Do you happen to know if it is making use of a proxy server?
     
