Virus Check And Removal Help

Discussion in 'Malware Help (A Specialist Will Reply)' started by angel frost, Dec 2, 2015.

  1. angel frost

    angel frost Private E-2

    I ran all the programs and collected logs. Thank you for reviewing and helping.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman Pro, activate the free trial and have it remove all that it finds.

    Give Malware Bytes another run, and see if it finds anything else to remove.

    Are you deliberately set up to use a proxy?
     
  3. angel frost

    angel frost Private E-2

    OK, I will do that, and no. I don't know how to get it off the proxy. I checked the wireless adapter TCP/IPv4 settings and didn't see anything there. I don't know how to take off the proxy settings.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUP] (X64) HKEY_LOCAL_MACHINE\Software\SpaceSoundPro -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\RayDld -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\SpaceSondPro -> Found
    • [PUP] (X86) HKEY_LOCAL_MACHINE\Software\WNetEnhancer -> Found
    • [Suspicious.Path|VT.Unknown] (X64) HKEY_USERS\S-1-5-21-3981652400-9973827-3825591498-1001\Software\Microsoft\Windows\CurrentVersion\Run | Bubble Dock : "C:\Users\Falconking\AppData\Roaming\Nosibay\Bubble Dock\LBubble Dock.exe" /winstartup [7][x] -> Found
    • [Suspicious.Path] (X64) HKEY_USERS\S-1-5-21-3981652400-9973827-3825591498-1001\Software\Microsoft\Windows\CurrentVersion\Run | WindApp : "C:\Users\Falconking\AppData\Roaming\Store\WindApp\WindApp.exe" /winstartup [x][x] -> Found
    • [PUP] (X64) HKEY_USERS\S-1-5-21-3981652400-9973827-3825591498-1001\Software\Microsoft\Windows\CurrentVersion\Run | Selection Tools : "C:\Users\Falconking\AppData\Roaming\WTools\Selection Tools\Selection Tools.exe" /winstartup [x][x] -> Found
    • [Suspicious.Path] (X86) HKEY_USERS\S-1-5-21-3981652400-9973827-3825591498-1001\Software\Microsoft\Windows\CurrentVersion\Run | WindApp : "C:\Users\Falconking\AppData\Roaming\Store\WindApp\WindApp.exe" /winstartup [x][x] -> Found
    • [PUP] (X86) HKEY_USERS\S-1-5-21-3981652400-9973827-3825591498-1001\Software\Microsoft\Windows\CurrentVersion\Run | Selection Tools : "C:\Users\Falconking\AppData\Roaming\WTools\Selection Tools\Selection Tools.exe" /winstartup [x][x] -> Found
    • [VT.Unknown] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | IOPROTECT : C:\Program Files (x86)\SpaceSondPro_v97.10168\ioproduct_service.bat [-] -> Found
    • [Suspicious.Path|VT.Unknown] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 202077892 : C:\ProgramData\msovcx.exe [-] -> Found
    • [Suspicious.Path|VT.Unknown] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | 202077892 : C:\ProgramData\msovcx.exe [-] -> Found
    • [PUP|VT.PUP/Win32.ConvertAd] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\lyqocidy (C:\Program Files (x86)\DD813D1D-1449030546-8F25-9180-00235435028F\jnsq40B3.tmp) -> Found
    • [PUP|VT.Unknown] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\qihuzoki (C:\Program Files (x86)\DD813D1D-1449030546-8F25-9180-00235435028F\knsu262F.tmpfs) -> Found
    • [PUP|VT.Gen:Variant.Adware.ConvertAd.33] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\qopyduzo (C:\Program Files (x86)\DD813D1D-1449030546-8F25-9180-00235435028F\hnsh5D36.tmp) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WNetEnhancer Service (C:\Program Files (x86)\WNetEnhancer\WNetEnhancer Internet Enhancer\e1e84a57c0d2755077892a8baa837c12.exe) -> Found
    • [PUP|VT.PUP/Win32.ConvertAd] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lyqocidy (C:\Program Files (x86)\DD813D1D-1449030546-8F25-9180-00235435028F\jnsq40B3.tmp) -> Found
    • [PUP|VT.Gen:Variant.Adware.ConvertAd.33] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\qopyduzo (C:\Program Files (x86)\DD813D1D-1449030546-8F25-9180-00235435028F\hnsh5D36.tmp) -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WNetEnhancer Service (C:\Program Files (x86)\WNetEnhancer\WNetEnhancer Internet Enhancer\e1e84a57c0d2755077892a8baa837c12.exe) -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable : 1 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:63127;https=127.0.0.1:63127 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:63127;https=127.0.0.1:63127 -> Found
    • [PUM.Proxy] (X64) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:63127;https=127.0.0.1:63127 -> Found
    • [PUM.Proxy] (X86) HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer : http=127.0.0.1:63127;https=127.0.0.1:63127 -> Found
    • [PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.searchult.com/?bd=ds&....0.7859&pid=414031160&tid=310&q={searchTerms} -> Found
    • [PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Search Page : http://search.searchult.com/?bd=ds&....0.7859&pid=414031160&tid=310&q={searchTerms} -> Found
    • [PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : http://search.searchult.com/?bd=ds&....0.7859&pid=414031160&tid=310&q={searchTerms} -> Found
    • [PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Search_URL : http://search.searchult.com/?bd=ds&....0.7859&pid=414031160&tid=310&q={searchTerms} -> Found


    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these items on the file/folder tab please...

    • [Hidden.ADS][[[ADS]]] C:\Windows:nlsPreferences -> Found
    • [PUP][Folder] C:\Users\Falconking\AppData\Roaming\WTools -> Found
    • [Hidden.ADS][[[ADS]]] C:\Users\Falconking\AppData\Local:sdG3IiZbtLubpBF46NSktVIlN0 -> Found
    • [PUP][Folder] C:\ProgramData\{70E22094-D034-40C3-89F7-AA970A0C0232} -> Found
    • [PUP][Folder] C:\ProgramData\{C2A88E6D-FA3D-462B-BDFF-A09B1EFA8FBE} -> Found
    • [PUP][Folder] C:\ProgramData\{C78336EC-F2EB-4640-99A4-DFE96581B90B} -> Found
    • [PUP][Folder] C:\Program Files\SpaceSoundPro -> Found
    • [PUP][Folder] C:\Program Files (x86)\DD813D1D-1449030546-8F25-9180-00235435028F -> Found
    • [PUP][Folder] C:\Program Files (x86)\DD813D1D-1449031608-8F25-9180-00235435028F -> Found
    • [PUP][Folder] C:\Program Files (x86)\RayDld -> Found
    • [PUP][Folder] C:\Program Files (x86)\SpaceSondPro -> Found
    • [PUP][Folder] C:\Program Files (x86)\Wajam -> Found
    • [PUP][Folder] C:\Program Files (x86)\WNetEnhancer -> Found


    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Now re run RogueKiller again (just a scan only) and attach log.


    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
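    As an added example (not part of this thread, and not RogueKiller's own code), a read-only PowerShell check for the WinINet proxy values the scan flagged above, run across every loaded hive under HKEY_USERS including .DEFAULT and S-1-5-18. The "suspicious" test (proxy enabled and pointing at 127.0.0.1/localhost, or an AutoConfigURL set) is my assumption, not a RogueKiller rule.

```powershell
# Added example: audit WinINet proxy settings in every loaded user hive.
# Run from an elevated PowerShell; it only reads the registry, it changes nothing.
function Get-ProxyAudit {
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
    foreach ($hive in $hives) {
        # Same key path RogueKiller reported under .DEFAULT and S-1-5-18 above
        $key = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
        if (-not (Test-Path -Path $key)) { continue }   # e.g. *_Classes hives have no such key

        $props   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $enabled = if ($props.ProxyEnable) { [int]$props.ProxyEnable } else { 0 }
        $server  = [string]$props.ProxyServer
        $autocfg = [string]$props.AutoConfigURL

        # Assumed heuristic: a proxy on the loopback adapter means a local process
        # sits in the middle of every HTTP/HTTPS request, the pattern seen in the log
        # (http=127.0.0.1:63127;https=127.0.0.1:63127). A PAC URL is worth a look too.
        $suspicious = ($enabled -eq 1 -and $server -match '127\.0\.0\.1|localhost') -or
                      ($autocfg -ne '')

        [pscustomobject]@{
            Hive          = $hive.PSChildName
            ProxyEnable   = $enabled
            ProxyServer   = $server
            AutoConfigURL = $autocfg
            Suspicious    = $suspicious
        }
    }
}

Get-ProxyAudit | Format-Table -AutoSize
```

    The hives reported as Suspicious are the ones to compare against the RogueKiller registry tab before deleting anything; the thread does the actual removal through RogueKiller.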
  5. angel frost

    angel frost Private E-2

    OK, I did what you said and ran all the scans. I couldn't find RKreport[2].txt, but I did do a report after the new scan. The Malwarebytes scan found no infections.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    FYI for Kestrel13!: angel frost is changing things on this PC. That is doing things not requested. Now both Baidu Antivirus and AVG are installed!!!!
     
    Kestrel13! likes this.
  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes I just noticed this!! angel frost, you need to uninstall either Baidu or AVG right now before we continue on with other instructions.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
    Download Fixlist.txt

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    • Fixlog.txt
    • C:\MGlogs.zip
    Please attach the above two log first before you continue with the below.
    Also at this point, I want to double check the status of things by having you run another scan with FRST like in my last message and attach the new FRST.txt and Addition.txt logs.



    Now re run RogueKiller (just a scan) and attach that log too please.
     

    Attached Files:

  9. angel frost

    angel frost Private E-2

    Sorry about that... the Baidu wasn't working and I couldn't uninstall it. It is now uninstalled. Sorry for doing that. Here are the logs.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Don't forget the FRST.txt from running a fresh scan as mentioned above. Also attach the fresh RogueKiller log please.
     
  11. angel frost

    angel frost Private E-2

    the 2 new log files for farbar
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    There are still remnants of Baidu according to the latest logs. We will deal with this afterwards....
     
  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Got the new RogueKiller log, too? : - ) Once I have that I can work out a further fix.
     
  14. angel frost

    angel frost Private E-2

    I'm running RogueKiller now.
     
    Kestrel13! likes this.
  15. angel frost

    angel frost Private E-2

    Here is the newest scan of RogueKiller.
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
    Download Fixlist.txt which will get rid of any remnants of Baidu anti virus.

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

    • You should now have both fixlist.txt and FRST64.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST64.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

    Then attach the below logs:

    • Fixlog.txt

    Fix item using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate this detection:

    • [PUP] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\BaiduAntivirusIconLock | (default) : {0A93904A-BB1E-4a0c-9753-B57B9AE272CC} (C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavShx64.dll) -> Found

    Place a checkmark next to this item, leave the others unchecked.
    Now press the Delete button.

    ...and the same for these entries on the tasks tab:

    • [Suspicious.Path] \Web Logo -- C:\Windows\system32\rundll32.exe ("C:\Users\Falconking\AppData\Local\Web Logo\{410BC0F8-2544-C69D-34F9-63AD59E3C82B}\WebLogo.dll",#1) -> Found
    • [Suspicious.Path] \Web Logo2 -- C:\Windows\system32\rundll32.exe ("C:\Users\Falconking\AppData\Local\Web Logo\{410BC0F8-2544-C69D-34F9-63AD59E3C82B}\vcxtow.dll",#1) -> Found

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.

    Please download Junkware Removal Tool to your desktop.

    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Re run RogueKiller once more and attach log from new scan.
     

    Attached Files:

  17. angel frost

    angel frost Private E-2

    When RogueKiller finishes it doesn't save an RKreport on the desktop, but I attached the RK log. I think it is because it is not a premium version.
     

    Attached Files:

  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, looking good.

    • Please re run Hitman Pro, let it scan, and attach log once done.
    • Explain how things are running at this point.
     
  19. angel frost

    angel frost Private E-2

    Feels a lot better. No errors or weird stuff so far.
     

    Attached Files:

  20. angel frost

    angel frost Private E-2

    Funny, when I first open Chrome it looks for a proxy, so I close the browser window and open it again and it works... is that something?
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

