DNS Locker Removal

Customer

• June 11, 2021 12:21

I am having a hard time removing dnslocker ads from my computer. I've run the adwcleaner and a lot of things were removed, but the dnslocker is still there. I need help, please.

FRST.txt

Addition.txt

0

• 

  Support

  • June 11, 2021 12:21

  
  

  Hi doodlynn,

   

  1. Please disconnect external hard disks, specially I:, since some programs might start to scan them and then it would take very long time.

   

  2. DNS server configuration points to malware DNS for one of the network interfaces:

  Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167
  instead of what other interfaces use:

  Tcpip\..\Interfaces\{C044EEAB-88F7-4504-8FF4-BF6C8F8F2D77}: [DhcpNameServer] 75.75.76.76 75.75.75.75

   

  That needs to be changed, but to be able to do that it's necessary that the computer is clean and I see some adware/malware in the logs.
  

  3. Please, scan with the latest version of AdwCleaner and paste the result into your reply.

   

  4. Have you or the adware restricted what is possible to do with Google Chrome?

   

   

  5. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
  To shorten the scanning time disable your antivirus program while scanning.
  
  Select Enable detection of potentially unwanted applications.
  Click Advanced Settings.
  
  Deselect Remove found threats.
  
  Select:
  Scan Archives
  Scan for potentially unsafe applications
  Enable Anti-Stealth Technology
  
  Click Start.
  
  When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

  0
• 

  Customer

  • June 11, 2021 12:21

  
  

  ESET output:

   

  C:\AdwCleaner\Quarantine\C\Program Files (x86)\adawaretb\adawareDx.dll.vir a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\ProgramData\Ask\APN-Stub\MYC-ST\APNIC.dll.vir a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\ProgramData\null\content.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\ProgramData\null\lsdb.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\ProgramData\null\Q.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Roaming\Mozilla\Firefox\Profiles\xrzh6hr2.default\Extensions\j9U0z@z.com\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Roaming\Mozilla\Firefox\Profiles\xrzh6hr2.default\Extensions\mCk7P@FbHAe.com\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\goblmaagcgfbjlaahdohiomenekdpnci\147\e2.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\content.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\lsdb.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\ub.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\adawareDx.dll.vir a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\88t3giwp.default\Extensions\j9U0z@z.com\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
  C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\88t3giwp.default\Extensions\mCk7P@FbHAe.com\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
  C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application cleaned by deleting - quarantined
  C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application cleaned by deleting - quarantined
  C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
  C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawaretb.dll a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
  C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\dtUser.exe a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
  C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\uninstall.exe a variant of Win32/Toolbar.Visicom.E potentially unwanted application deleted - quarantined
  C:\Program Files (x86)\Superficial Supermarket\137481eb.ftf.ftf a variant of Python/Mamba.G trojan cleaned by deleting - quarantined
  C:\Users\Doodlynn\AppData\Local\Temp\35320b99\406040.ftf multiple threats cleaned by deleting - quarantined
  C:\Users\Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3I4O8P15\update30701003[1].zip a variant of Win32/Toolbar.Visicom.A potentially unwanted application deleted - quarantined
  C:\Users\Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UD9FP2H6\SearchProtectGeneric2[1].exe Win32/OutBrowse.Q potentially unwanted application deleted - quarantined
  C:\Users\Robert\AppData\Local\Mozilla\Firefox\Profiles\88t3giwp.default\cache2\entries\711CBB1C6CEDCA636BD935BDBADB13D8AA3FF6D1 HTML/ScrInject.B.Gen virus deleted - quarantined
  C:\Users\Robert\AppData\Local\Mozilla\Firefox\Profiles\88t3giwp.default\cache2\entries\AD5706430A8D21A19A090B140FFA80BCE71E9648 HTML/Iframe.B.Gen virus deleted - quarantined
  C:\Users\Robert\AppData\Local\Temp\AAWInstallerTemp\v9.6.0\Ad-Aware.msi a variant of Win32/Toolbar.Visicom.A potentially unwanted application deleted - quarantined
  C:\Users\Robert\Downloads\ManyCamSetup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined
  

  0
• 

  Customer

  • June 11, 2021 12:21

  
  

  # AdwCleaner v5.009 - Logfile created 30/09/2015 at 00:45:01
  # Updated 27/09/2015 by Xplode
  # Database : 2015-09-27.1 [server]
  # Operating system : Windows 7 Home Premium Service Pack 1 (x64)
  # Username : Doodlynn - ROBERT-PC
  # Running from : C:\Users\Doodlynn\Desktop\adwcleaner_5.009.exe
  # Option : Scan
  # Support : http://toolslib.net/forum

  ***** [ Services ] *****

  ***** [ Folders ] *****

  Folder Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmkckgpgekmanipelfidlhmkfcjicion

  ***** [ Files ] *****

  File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage
  File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage
  File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage-journal
  File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage
  File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage-journal
  File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage
  File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal
  File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
  File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage

  ***** [ Shortcuts ] *****

  ***** [ Scheduled tasks ] *****

  Task Found : Adobe Flash Player Updater

  ***** [ Registry ] *****

  Key Found : HKCU\Software\AppDataLow\Software\adawarebp
  Key Found : HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\Software\AppDataLow\Software\adawarebp

  ***** [ Web browsers ] *****

  [C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : ogminpmldncgcmokldnmmapddoccmhfl
  [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : bmkckgpgekmanipelfidlhmkfcjicion

  ########## EOF - C:\AdwCleaner\AdwCleaner[s4].txt - [2453 bytes] ##########

  0
• 

  Support

  • June 11, 2021 12:21

  
  

  1. Have you or the adware restricted what is possible to do with Google Chrome?

   

   

  2. Please, turn off all programs, including browsers.
  Double-click on AdwCleaner to start the program.
  
  Click on the Scan button.
  Wait until the search has finished.
  
  Click on the Clean button.
  
  Click on OK.
  Click on OK on any message that pops up.
  The computer will be restarted.
  
  A report will be displayed, copy its content and paste into your reply.
  If the report isn't displayed, it exist as C:\AdwCleaner\AdwCleaner[s0].txt
  

   

  3. Start FRST program, please.

  Selectect Addition.txt and the let the program scan the computer.

  Please, attach the two new log files.

  0
• 

  Customer

  • June 11, 2021 12:21

  
  

  I've reset the settings in Chrome. There are no plugins. I will most likely uninstall as it seems to be too problematic.

   

  # AdwCleaner v5.009 - Logfile created 30/09/2015 at 20:54:39
  # Updated 27/09/2015 by Xplode
  # Database : 2015-09-30.1 [server]
  # Operating system : Windows 7 Home Premium Service Pack 1 (x64)
  # Username : Doodlynn - ROBERT-PC
  # Running from : C:\Users\Doodlynn\Desktop\adwcleaner_5.009.exe
  # Option : Cleaning
  # Support : http://toolslib.net/forum

  ***** [ Services ] *****

  ***** [ Folders ] *****

  ***** [ Files ] *****

  ***** [ Shortcuts ] *****

  ***** [ Scheduled tasks ] *****

  ***** [ Registry ] *****

  [-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
  [!] Key Not Deleted : HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\Software\AppDataLow\Software\adawarebp

  ***** [ Web browsers ] *****

  [-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
  [-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com
  [-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : bmkckgpgekmanipelfidlhmkfcjicion

  *************************

  :: Winsock settings cleared

  ########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [1187 bytes] ##########

  Addition.txt

  FRST.txt

  0
• 

  Customer

  • June 11, 2021 12:21

  
  

  Fix result of Farbar Recovery Scan Tool (x64) Version:30-09-2015
  Ran by Doodlynn (2015-10-01 11:51:35) Run:2
  Running from C:\Users\Doodlynn\Desktop
  Loaded Profiles: Doodlynn (Available Profiles: Robert & Doodlynn & KesoSchoolWork)
  Boot Mode: Normal
  ==============================================

  fixlist content:
  *****************
  CreateRestorePoint:
  CloseProcesses:
  HKLM\...\Run: [] => [X]
  HKLM-x32\...\Run: [] => [X]
  AppInit_DLLs: C:\PROGRA~2\GS_X64~1.ENA => No File
  ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
  ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
  ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
  ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
  ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
  ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
  ShortcutTarget: Facebook Messenger.lnk -> C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe (No File)
  CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
  Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167
  SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
  SearchScopes: HKU\S-1-5-21-2956688714-3758072586-3574173577-1003 -> {48B4BD82-36C2-41BF-8CBA-64C46655DA74} URL =
  FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
  FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
  CHR HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bmkckgpgekmanipelfidlhmkfcjicion] - hxxps://clients2.google.com/service/update2/crx
  CHR HKLM-x32\...\Chrome\Extension: [cgiaikfpllchefojlnehlmpekeogihnm] - C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx [2012-05-20]
  CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
  CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
  S2 SessionLauncher; no ImagePath
  R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-04-04] (GFI Software)
  Task: {256A209C-22C9-4A2F-95A6-81478B2EC388} - System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => Chrome.exe
  Task: {8B1F44A7-2BF1-480D-957F-E3608BE03BB3} - System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => pcalua.exe -a C:\Users\Doodlynn\Downloads\Adaware_Installer.exe -d C:\Users\Doodlynn\Downloads
  Task: {AD338822-FECD-408B-A056-AAA01AF95E70} - System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => Chrome.exe
  AlternateDataStreams: C:\Users\Doodlynn\Desktop\FRST64.exe:BDU
  AlternateDataStreams: C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe:BDU
  AlternateDataStreams: C:\Users\Doodlynn\Downloads\setup.exe:BDU
  AlternateDataStreams: C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe:BDU
  Folder: C:\Program Files (x86)\Superficial Supermarket
  CMD: ipconfig /flushdns
  CMD: netsh winsock reset catalog
  CMD: netsh int ip reset c:\resetlog.txt
  Reboot:
  *****************

  Restore point was successfully created.
  Processes closed successfully.
  HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
  HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
  "C:\PROGRA~2\GS_X64~1.ENA" => Value data removed successfully.
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
  HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
  HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
  HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt1"" => key removed successfully
  "HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt2"" => key removed successfully
  "HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt3"" => key removed successfully
  "HKCR\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt4"" => key removed successfully
  "HKCR\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt5"" => key removed successfully
  "HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt6"" => key removed successfully
  "HKCR\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt7"" => key removed successfully
  "HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
  "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt8"" => key removed successfully
  "HKCR\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
  "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
  HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
  "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
  HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
  "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
  HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
  C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe => not found.
  "HKLM\SOFTWARE\Policies\Google" => key removed successfully
  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}\\NameServer => value removed successfully
  "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
  HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
  "HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{48B4BD82-36C2-41BF-8CBA-64C46655DA74}" => key removed successfully
  HKCR\CLSID\{48B4BD82-36C2-41BF-8CBA-64C46655DA74} => key not found.
  "HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
  "HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
  "HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\bmkckgpgekmanipelfidlhmkfcjicion" => key removed successfully
  "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cgiaikfpllchefojlnehlmpekeogihnm" => key removed successfully
  C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx => moved successfully
  "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj" => key removed successfully
  "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gihfmmedoddijgnhkgfgnkeohkpbipol" => key removed successfully
  SessionLauncher => service removed successfully
  gfibto => Service stopped successfully.
  gfibto => service removed successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{256A209C-22C9-4A2F-95A6-81478B2EC388}" => key removed successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{256A209C-22C9-4A2F-95A6-81478B2EC388}" => key removed successfully
  C:\Windows\System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => moved successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444}" => key removed successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8B1F44A7-2BF1-480D-957F-E3608BE03BB3}" => key removed successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8B1F44A7-2BF1-480D-957F-E3608BE03BB3}" => key removed successfully
  C:\Windows\System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => moved successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A4AD6685-E712-418A-8F39-F29428BEB46C}" => key removed successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD338822-FECD-408B-A056-AAA01AF95E70}" => key removed successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD338822-FECD-408B-A056-AAA01AF95E70}" => key removed successfully
  C:\Windows\System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => moved successfully
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{57254D63-0CAE-4F1D-AF76-A061B3AA0929}" => key removed successfully
  "C:\Users\Doodlynn\Desktop\FRST64.exe" => ":BDU" ADS not found.
  C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe => ":BDU" ADS removed successfully.
  C:\Users\Doodlynn\Downloads\setup.exe => ":BDU" ADS removed successfully.
  C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe => ":BDU" ADS removed successfully.

  ========================= Folder: C:\Program Files (x86)\Superficial Supermarket ========================

  ====== End of Folder: ======

  ========= ipconfig /flushdns =========

  Windows IP Configuration

  Successfully flushed the DNS Resolver Cache.

  ========= End of CMD: =========

  ========= netsh winsock reset catalog =========

  Sucessfully reset the Winsock Catalog.
  You must restart the computer in order to complete the reset.

  ========= End of CMD: =========

  ========= netsh int ip reset c:\resetlog.txt =========

  Reseting Global, OK!
  Reseting Interface, OK!
  Reseting Route, OK!
  Restart the computer to complete this action.

  ========= End of CMD: =========

   

  The system needed a reboot..

  ==== End of Fixlog 11:52:30 ====

  0
• 

  Support

  • June 11, 2021 12:21

  
  

  1. There are several web sites in the trusted zone in Internet Explorer settings. Those web sites usually are permitted to do a lot of things in the computer and that can be dangerous if they are hacked or have a malicious ad. I recommend that you check the list and remove as many as possible of them.

   

   

  2. Please, start Notepad.

  Copy all text that is in the box:

  
  
  CreateRestorePoint:
  
  CloseProcesses:
  
  HKLM\...\Run: [] => [X]
  
  HKLM-x32\...\Run: [] => [X]
  
  AppInit_DLLs: C:\PROGRA~2\GS_X64~1.ENA => No File
  
  ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
  
  ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
  
  ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
  
  ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  
  ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  
  ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  
  ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  
  ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  
  ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  
  ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  
  ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
  
  ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} =>  No File
  
  ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} =>  No File
  
  ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} =>  No File
  
  ShortcutTarget: Facebook Messenger.lnk -> C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe (No File)
  
  CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
  
  Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167
  
  SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
  
  SearchScopes: HKU\S-1-5-21-2956688714-3758072586-3574173577-1003 -> {48B4BD82-36C2-41BF-8CBA-64C46655DA74} URL = 
  
  FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
  
  FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
  
  CHR HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bmkckgpgekmanipelfidlhmkfcjicion] - hxxps://clients2.google.com/service/update2/crx
  
  CHR HKLM-x32\...\Chrome\Extension: [cgiaikfpllchefojlnehlmpekeogihnm] - C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx [2012-05-20]
  
  CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
  
  CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
  
  S2 SessionLauncher; no ImagePath
  
  R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-04-04] (GFI Software)
  
  Task: {256A209C-22C9-4A2F-95A6-81478B2EC388} - System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => Chrome.exe 
  
  Task: {8B1F44A7-2BF1-480D-957F-E3608BE03BB3} - System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => pcalua.exe -a C:\Users\Doodlynn\Downloads\Adaware_Installer.exe -d C:\Users\Doodlynn\Downloads
  
  Task: {AD338822-FECD-408B-A056-AAA01AF95E70} - System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => Chrome.exe 
  
  AlternateDataStreams: C:\Users\Doodlynn\Desktop\FRST64.exe:BDU
  
  AlternateDataStreams: C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe:BDU
  
  AlternateDataStreams: C:\Users\Doodlynn\Downloads\setup.exe:BDU
  
  AlternateDataStreams: C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe:BDU
  
  Folder: C:\Program Files (x86)\Superficial Supermarket
  
  CMD: ipconfig /flushdns
  
  CMD: netsh winsock reset catalog
  
  CMD: netsh int ip reset c:\resetlog.txt
  
  Reboot:
  
  

  and paste in Notepad. Check that no files have been split on two lines.

  Save the file as fixlist.txt on the desktop.

   

  Exit all programs.

  Start FRST, please.

  Click the Fix button.

  Wait until the tool has finished and the computer is restarted.

   

  It creates a log file, called Fixlog.txt, on the desktop.

  Please, paste the content of that file in your reply.

  0
• 

  Support

  • June 11, 2021 12:21

  Due to lack of feedback, this topic has been closed.
  
  
  If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
  
  
  Everyone else please begin a New Topic.
  
  
  Thank You !

  0
• 

  Support

  • June 11, 2021 12:21

  
  

  Do you still have dnslocker ads?

  
  If yes, please run FRST again and attach the two new logs.

  0

Please sign in to leave a comment.