
DNS Locker Removal

Comments

9 comments

  • Support

    Hi doodlynn,

     

    1. Please disconnect external hard disks, especially I:, since some programs might start to scan them and then it would take a very long time.

     

    2. DNS server configuration points to malware DNS for one of the network interfaces:

    Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167
    instead of what other interfaces use:

    Tcpip\..\Interfaces\{C044EEAB-88F7-4504-8FF4-BF6C8F8F2D77}: [DhcpNameServer] 75.75.76.76 75.75.75.75

     

    That needs to be changed, but to be able to do that it's necessary that the computer is clean and I see some adware/malware in the logs.

    3. Please, scan with the latest version of AdwCleaner and paste the result into your reply.

     

    4. Have you or the adware restricted what is possible to do with Google Chrome?

     

     

    5. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
    To shorten the scanning time disable your antivirus program while scanning.

    Select Enable detection of potentially unwanted applications.
    Click Advanced Settings.

    Deselect Remove found threats.

    Select:
    Scan Archives
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

    Click Start.

    When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

    0
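    The check in point 2 above, done for every interface at once: an added PowerShell example, not code from the support thread or from FRST. It reads the same Tcpip\Parameters\Interfaces registry keys that FRST summarises, and flags any interface whose hard-coded NameServer value lists a resolver that is neither DHCP-assigned on that interface nor on an allow list. The allow list (75.75.76.76 and 75.75.75.75, the DhcpNameServer values on the clean interface in the log) is an assumption to adjust for your own network. Run it from an elevated Windows PowerShell 3 or later prompt on the machine being examined.

```powershell
# Added example (not from the thread or from FRST): flag interfaces whose
# hard-coded DNS servers differ from what DHCP handed out, as in point 2 above.
# Run from an elevated PowerShell prompt on the machine being examined.

# Assumption: the resolvers seen on the clean interface in the thread; replace
# with the resolvers that are legitimate on your network.
$allowedResolvers = @('75.75.76.76', '75.75.75.75')

# Same per-interface keys that FRST reports as "Tcpip\..\Interfaces\{GUID}".
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'

function Split-DnsList([string]$raw) {
    # NameServer is comma-separated, DhcpNameServer space-separated; accept both.
    if (-not $raw) { return @() }
    return @($raw -split '[,\s]+' | Where-Object { $_ })
}

function Get-DnsFindings {
    foreach ($iface in Get-ChildItem -Path $base) {
        $p      = Get-ItemProperty -Path $iface.PSPath
        $static = Split-DnsList $p.NameServer
        $dhcp   = Split-DnsList $p.DhcpNameServer

        # No (or empty) NameServer value: the interface uses DHCP-assigned resolvers only.
        if (@($static).Count -eq 0) { continue }

        # Static resolvers that are neither what DHCP offered nor explicitly allowed.
        $unexpected = @($static | Where-Object { ($dhcp -notcontains $_) -and ($allowedResolvers -notcontains $_) })

        [pscustomobject]@{
            Interface  = $iface.PSChildName
            StaticDns  = ($static -join ',')
            DhcpDns    = ($dhcp -join ' ')
            Unexpected = ($unexpected -join ',')
            Suspicious = ($unexpected.Count -gt 0)
        }
    }
}

$findings = @(Get-DnsFindings)
$findings | Format-Table -AutoSize

$bad = @($findings | Where-Object { $_.Suspicious })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} interface(s) point at a resolver that is neither DHCP-assigned nor on the allow list." -f $bad.Count)
} else {
    Write-Host 'No hard-coded resolver outside the allow list.'
}
```

    A hard-coded NameServer is not malicious by itself (people do set public resolvers by hand), which is why the allow list exists; what stands out in the log above is a static pair of resolvers on one interface that no other interface uses. Once the interface is returned to DHCP-assigned DNS, its NameServer value is empty and the check goes quiet, which makes it a convenient re-check after cleanup.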
  • Customer

    ESET output:

     

    C:\AdwCleaner\Quarantine\C\Program Files (x86)\adawaretb\adawareDx.dll.vir a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\ProgramData\Ask\APN-Stub\MYC-ST\APNIC.dll.vir a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\ProgramData\null\content.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\ProgramData\null\lsdb.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\ProgramData\null\Q.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Roaming\Mozilla\Firefox\Profiles\xrzh6hr2.default\Extensions\j9U0z@z.com\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Doodlynn\AppData\Roaming\Mozilla\Firefox\Profiles\xrzh6hr2.default\Extensions\mCk7P@FbHAe.com\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\goblmaagcgfbjlaahdohiomenekdpnci\147\e2.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\content.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\lsdb.js.vir JS/Adware.MultiPlug.B application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\null\207\ub.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\adawareDx.dll.vir a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\KesoSchoolWork\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\content.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\kuQj26WYLN.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Extensions\plpjogfhobhpdcmcblieglnoooccfcmm\219\lsdb.js.vir JS/Adware.MultiPlug.G application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\LocalLow\adawaretb\adawaretb.dll.vir a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\LocalLow\adawaretb\dtUser.exe.vir a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\88t3giwp.default\Extensions\j9U0z@z.com\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
    C:\AdwCleaner\Quarantine\C\Users\Robert\AppData\Roaming\Mozilla\Firefox\Profiles\88t3giwp.default\Extensions\mCk7P@FbHAe.com\content\bg.js.vir JS/Adware.MultiPlug.I application cleaned by deleting - quarantined
    C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application cleaned by deleting - quarantined
    C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application cleaned by deleting - quarantined
    C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawareDx.dll a variant of Win32/Toolbar.Visicom.B potentially unwanted application cleaned by deleting - quarantined
    C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\adawaretb.dll a variant of Win32/Toolbar.Visicom.A potentially unwanted application cleaned by deleting - quarantined
    C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\dtUser.exe a variant of Win32/Toolbar.Visicom.C potentially unwanted application cleaned by deleting - quarantined
    C:\Program Files (x86)\Lavasoft\AdAware SecureSearch Toolbar\uninstall.exe a variant of Win32/Toolbar.Visicom.E potentially unwanted application deleted - quarantined
    C:\Program Files (x86)\Superficial Supermarket\137481eb.ftf.ftf a variant of Python/Mamba.G trojan cleaned by deleting - quarantined
    C:\Users\Doodlynn\AppData\Local\Temp\35320b99\406040.ftf multiple threats cleaned by deleting - quarantined
    C:\Users\Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3I4O8P15\update30701003[1].zip a variant of Win32/Toolbar.Visicom.A potentially unwanted application deleted - quarantined
    C:\Users\Robert\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UD9FP2H6\SearchProtectGeneric2[1].exe Win32/OutBrowse.Q potentially unwanted application deleted - quarantined
    C:\Users\Robert\AppData\Local\Mozilla\Firefox\Profiles\88t3giwp.default\cache2\entries\711CBB1C6CEDCA636BD935BDBADB13D8AA3FF6D1 HTML/ScrInject.B.Gen virus deleted - quarantined
    C:\Users\Robert\AppData\Local\Mozilla\Firefox\Profiles\88t3giwp.default\cache2\entries\AD5706430A8D21A19A090B140FFA80BCE71E9648 HTML/Iframe.B.Gen virus deleted - quarantined
    C:\Users\Robert\AppData\Local\Temp\AAWInstallerTemp\v9.6.0\Ad-Aware.msi a variant of Win32/Toolbar.Visicom.A potentially unwanted application deleted - quarantined
    C:\Users\Robert\Downloads\ManyCamSetup.exe a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application deleted - quarantined

    0
  • Customer

    # AdwCleaner v5.009 - Logfile created 30/09/2015 at 00:45:01
    # Updated 27/09/2015 by Xplode
    # Database : 2015-09-27.1 [server]
    # Operating system : Windows 7 Home Premium Service Pack 1 (x64)
    # Username : Doodlynn - ROBERT-PC
    # Running from : C:\Users\Doodlynn\Desktop\adwcleaner_5.009.exe
    # Option : Scan
    # Support : http://toolslib.net/forum

    ***** [ Services ] *****

    ***** [ Folders ] *****

    Folder Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Extensions\bmkckgpgekmanipelfidlhmkfcjicion

    ***** [ Files ] *****

    File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage
    File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage
    File Found : C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_cdncache-a.akamaihd.net_0.localstorage-journal
    File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage
    File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ogminpmldncgcmokldnmmapddoccmhfl_0.localstorage-journal
    File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage
    File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\local storage\hxxp_www.metrolyrics.com_0.localstorage-journal
    File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
    File Found : C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage

    ***** [ Shortcuts ] *****

    ***** [ Scheduled tasks ] *****

    Task Found : Adobe Flash Player Updater

    ***** [ Registry ] *****

    Key Found : HKCU\Software\AppDataLow\Software\adawarebp
    Key Found : HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\Software\AppDataLow\Software\adawarebp

    ***** [ Web browsers ] *****

    [C:\Users\Robert\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : ogminpmldncgcmokldnmmapddoccmhfl
    [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : bmkckgpgekmanipelfidlhmkfcjicion

    ########## EOF - C:\AdwCleaner\AdwCleaner[s4].txt - [2453 bytes] ##########

    0
  • Support

    1. Have you or the adware restricted what is possible to do with Google Chrome?

     

     

    2. Please, turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

    Click on the Clean button.

    Click on OK.
    Click on OK on any message that pops up.
    The computer will be restarted.

    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[s0].txt

     

    3. Start FRST program, please.

    Select Addition.txt and then let the program scan the computer.

    Please, attach the two new log files.

    0
  • Customer

    I've reset the settings in Chrome. There are no plugins. I will most likely uninstall as it seems to be too problematic.

     

    # AdwCleaner v5.009 - Logfile created 30/09/2015 at 20:54:39
    # Updated 27/09/2015 by Xplode
    # Database : 2015-09-30.1 [server]
    # Operating system : Windows 7 Home Premium Service Pack 1 (x64)
    # Username : Doodlynn - ROBERT-PC
    # Running from : C:\Users\Doodlynn\Desktop\adwcleaner_5.009.exe
    # Option : Cleaning
    # Support : http://toolslib.net/forum

    ***** [ Services ] *****

    ***** [ Folders ] *****

    ***** [ Files ] *****

    ***** [ Shortcuts ] *****

    ***** [ Scheduled tasks ] *****

    ***** [ Registry ] *****

    [-] Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
    [!] Key Not Deleted : HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\Software\AppDataLow\Software\adawarebp

    ***** [ Web browsers ] *****

    [-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : aol.com
    [-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Web Data] [search Provider] Deleted : ask.com
    [-] [C:\Users\Doodlynn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Deleted : bmkckgpgekmanipelfidlhmkfcjicion

    *************************

    :: Winsock settings cleared

    ########## EOF - C:\AdwCleaner\AdwCleaner[C4].txt - [1187 bytes] ##########

    Addition.txt

    FRST.txt

    0
  • Customer

    Fix result of Farbar Recovery Scan Tool (x64) Version:30-09-2015
    Ran by Doodlynn (2015-10-01 11:51:35) Run:2
    Running from C:\Users\Doodlynn\Desktop
    Loaded Profiles: Doodlynn (Available Profiles: Robert & Doodlynn & KesoSchoolWork)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    CreateRestorePoint:
    CloseProcesses:
    HKLM\...\Run: [] => [X]
    HKLM-x32\...\Run: [] => [X]
    AppInit_DLLs: C:\PROGRA~2\GS_X64~1.ENA => No File
    ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    ShortcutTarget: Facebook Messenger.lnk -> C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe (No File)
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-2956688714-3758072586-3574173577-1003 -> {48B4BD82-36C2-41BF-8CBA-64C46655DA74} URL =
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    CHR HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bmkckgpgekmanipelfidlhmkfcjicion] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [cgiaikfpllchefojlnehlmpekeogihnm] - C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx [2012-05-20]
    CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
    S2 SessionLauncher; no ImagePath
    R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-04-04] (GFI Software)
    Task: {256A209C-22C9-4A2F-95A6-81478B2EC388} - System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => Chrome.exe
    Task: {8B1F44A7-2BF1-480D-957F-E3608BE03BB3} - System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => pcalua.exe -a C:\Users\Doodlynn\Downloads\Adaware_Installer.exe -d C:\Users\Doodlynn\Downloads
    Task: {AD338822-FECD-408B-A056-AAA01AF95E70} - System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => Chrome.exe
    AlternateDataStreams: C:\Users\Doodlynn\Desktop\FRST64.exe:BDU
    AlternateDataStreams: C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe:BDU
    AlternateDataStreams: C:\Users\Doodlynn\Downloads\setup.exe:BDU
    AlternateDataStreams: C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe:BDU
    Folder: C:\Program Files (x86)\Superficial Supermarket
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset catalog
    CMD: netsh int ip reset c:\resetlog.txt
    Reboot:
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
    HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
    "C:\PROGRA~2\GS_X64~1.ENA" => Value data removed successfully.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
    HKCR\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
    HKCR\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
    HKCR\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt1"" => key removed successfully
    "HKCR\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt2"" => key removed successfully
    "HKCR\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt3"" => key removed successfully
    "HKCR\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt4"" => key removed successfully
    "HKCR\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt5"" => key removed successfully
    "HKCR\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt6"" => key removed successfully
    "HKCR\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt7"" => key removed successfully
    "HKCR\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
    "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\"DropboxExt8"" => key removed successfully
    "HKCR\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}" => key removed successfully
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive1" => key removed successfully
    HKCR\Wow6432Node\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A} => key not found.
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive2" => key removed successfully
    HKCR\Wow6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => key not found.
    "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SkyDrive3" => key removed successfully
    HKCR\Wow6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524} => key not found.
    C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe => not found.
    "HKLM\SOFTWARE\Policies\Google" => key removed successfully
    HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}\\NameServer => value removed successfully
    "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
    HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
    "HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{48B4BD82-36C2-41BF-8CBA-64C46655DA74}" => key removed successfully
    HKCR\CLSID\{48B4BD82-36C2-41BF-8CBA-64C46655DA74} => key not found.
    "HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
    "HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
    "HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\bmkckgpgekmanipelfidlhmkfcjicion" => key removed successfully
    "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\cgiaikfpllchefojlnehlmpekeogihnm" => key removed successfully
    C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx => moved successfully
    "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\efaidnbmnnnibpcajpcglclefindmkaj" => key removed successfully
    "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gihfmmedoddijgnhkgfgnkeohkpbipol" => key removed successfully
    SessionLauncher => service removed successfully
    gfibto => Service stopped successfully.
    gfibto => service removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{256A209C-22C9-4A2F-95A6-81478B2EC388}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{256A209C-22C9-4A2F-95A6-81478B2EC388}" => key removed successfully
    C:\Windows\System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{8B1F44A7-2BF1-480D-957F-E3608BE03BB3}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{8B1F44A7-2BF1-480D-957F-E3608BE03BB3}" => key removed successfully
    C:\Windows\System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{A4AD6685-E712-418A-8F39-F29428BEB46C}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{AD338822-FECD-408B-A056-AAA01AF95E70}" => key removed successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AD338822-FECD-408B-A056-AAA01AF95E70}" => key removed successfully
    C:\Windows\System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{57254D63-0CAE-4F1D-AF76-A061B3AA0929}" => key removed successfully
    "C:\Users\Doodlynn\Desktop\FRST64.exe" => ":BDU" ADS not found.
    C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe => ":BDU" ADS removed successfully.
    C:\Users\Doodlynn\Downloads\setup.exe => ":BDU" ADS removed successfully.
    C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe => ":BDU" ADS removed successfully.

    ========================= Folder: C:\Program Files (x86)\Superficial Supermarket ========================

    ====== End of Folder: ======

    ========= ipconfig /flushdns =========

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    ========= End of CMD: =========

    ========= netsh winsock reset catalog =========

    Sucessfully reset the Winsock Catalog.
    You must restart the computer in order to complete the reset.

    ========= End of CMD: =========

    ========= netsh int ip reset c:\resetlog.txt =========

    Reseting Global, OK!
    Reseting Interface, OK!
    Reseting Route, OK!
    Restart the computer to complete this action.

    ========= End of CMD: =========

     

    The system needed a reboot..

    ==== End of Fixlog 11:52:30 ====

    0
  • Support

    1. There are several web sites in the trusted zone in Internet Explorer settings. Those web sites are usually permitted to do a lot of things on the computer, and that can be dangerous if they are hacked or serve a malicious ad. I recommend that you check the list and remove as many of them as possible.

     

     

    2. Please, start Notepad.

    Copy all text that is in the box:


    CreateRestorePoint:
    CloseProcesses:
    HKLM\...\Run: [] => [X]
    HKLM-x32\...\Run: [] => [X]
    AppInit_DLLs: C:\PROGRA~2\GS_X64~1.ENA => No File
    ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    ShellIconOverlayIdentifiers: ["DropboxExt1"] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt2"] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt3"] -> {FB314EDD-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt4"] -> {FB314EDE-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt5"] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt6"] -> {FB314EDF-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt7"] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers: ["DropboxExt8"] -> {FB314EE0-A251-47B7-93E1-CDD82E34AF8B} => C:\Users\Doodlynn\AppData\Roaming\Dropbox\bin\DropboxExt64.24.dll No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
    ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
    ShortcutTarget: Facebook Messenger.lnk -> C:\Users\Doodlynn\AppData\Local\Facebook\Messenger\2.1.4814.0\FacebookMessenger.exe (No File)
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    Tcpip\..\Interfaces\{B3327992-132A-4600-A887-157EBA50DA75}: [NameServer] 199.203.131.145,82.163.143.167
    SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-2956688714-3758072586-3574173577-1003 -> {48B4BD82-36C2-41BF-8CBA-64C46655DA74} URL =
    FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
    CHR HKU\S-1-5-21-2956688714-3758072586-3574173577-1003\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bmkckgpgekmanipelfidlhmkfcjicion] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [cgiaikfpllchefojlnehlmpekeogihnm] - C:\Users\Robert\AppData\Local\CRE\cgiaikfpllchefojlnehlmpekeogihnm.crx [2012-05-20]
    CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [gihfmmedoddijgnhkgfgnkeohkpbipol] - hxxps://clients2.google.com/service/update2/crx
    S2 SessionLauncher; no ImagePath
    R0 gfibto; C:\Windows\System32\drivers\gfibto.sys [14456 2013-04-04] (GFI Software)
    Task: {256A209C-22C9-4A2F-95A6-81478B2EC388} - System32\Tasks\{BF7DFC7A-66E1-463F-BD8B-3DBB4ECB3444} => Chrome.exe
    Task: {8B1F44A7-2BF1-480D-957F-E3608BE03BB3} - System32\Tasks\{A4AD6685-E712-418A-8F39-F29428BEB46C} => pcalua.exe -a C:\Users\Doodlynn\Downloads\Adaware_Installer.exe -d C:\Users\Doodlynn\Downloads
    Task: {AD338822-FECD-408B-A056-AAA01AF95E70} - System32\Tasks\{57254D63-0CAE-4F1D-AF76-A061B3AA0929} => Chrome.exe
    AlternateDataStreams: C:\Users\Doodlynn\Desktop\FRST64.exe:BDU
    AlternateDataStreams: C:\Users\Doodlynn\Downloads\IE11-Windows6.1-x64-en-us (1).exe:BDU
    AlternateDataStreams: C:\Users\Doodlynn\Downloads\setup.exe:BDU
    AlternateDataStreams: C:\Users\Doodlynn\Downloads\Windows-KB890830-x64-V5.25.exe:BDU
    Folder: C:\Program Files (x86)\Superficial Supermarket
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset catalog
    CMD: netsh int ip reset c:\resetlog.txt
    Reboot:
    and paste it into Notepad. Check that no file paths have been split across two lines.

    Save the file as fixlist.txt on the desktop.

     

    Exit all programs.

    Start FRST, please.

    Click the Fix button.

    Wait until the tool has finished and the computer is restarted.

     

    It creates a log file, called Fixlog.txt, on the desktop.

    Please, paste the content of that file in your reply.

    0
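    A way to audit what point 1 above asks for, as an added PowerShell example that is not from the thread: it walks the ZoneMap\Domains registry keys where Internet Explorer stores per-site zone assignments (HKCU for the current user, HKLM for the machine-wide map used when the Security_HKLM_only policy is set) and prints every entry mapped to the Trusted sites zone, zone id 2. The zone id table and the domain\host key layout are standard Internet Explorer behaviour; the helper name Get-ZoneMapEntries is my own. Needs Windows PowerShell 3 or later.

```powershell
# Added example (not from the thread): list the sites that Internet Explorer has
# in its Trusted sites zone, i.e. the list point 1 above asks you to review.
# Zone ids used by the ZoneMap: 0 My Computer, 1 Local intranet, 2 Trusted sites,
# 3 Internet, 4 Restricted sites.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

# Per-user zone map, plus the machine-wide one (used when the Security_HKLM_only policy is set).
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneMapEntries([string]$root) {
    if (-not (Test-Path -Path $root)) { return }
    $scope = $root.Substring(0, 4)   # 'HKCU' or 'HKLM'
    # Layout: Domains\example.com[\www]; each scheme value (http, https, ftp, *) holds the zone id.
    foreach ($key in Get-ChildItem -Path $root -Recurse) {
        $rel   = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        $parts = [string[]]($rel -split '\\')
        [array]::Reverse($parts)             # "example.com\www" -> "www.example.com"
        $site  = $parts -join '.'
        foreach ($scheme in @('http', 'https', 'ftp', '*')) {
            $zone = $key.GetValue($scheme)
            if ($null -ne $zone) {
                $name = $zoneNames[[int]$zone]
                if (-not $name) { $name = "zone $zone" }   # unknown id: show it raw
                [pscustomobject]@{
                    Scope  = $scope
                    Site   = $site
                    Scheme = $scheme
                    Zone   = $name
                }
            }
        }
    }
}

$trusted = @($roots | ForEach-Object { Get-ZoneMapEntries $_ } | Where-Object { $_.Zone -eq 'Trusted sites' })
if ($trusted.Count -eq 0) {
    Write-Host 'No sites in the Trusted sites zone.'
} else {
    $trusted | Sort-Object Scope, Site | Format-Table -AutoSize
    Write-Host ("{0} trusted-zone entries; remove any you do not recognise via Internet Options > Security > Trusted sites > Sites." -f $trusted.Count)
}
```

    Entries added by IP range live under ZoneMap\Ranges rather than ZoneMap\Domains and are not covered by this listing. Adware installers sometimes add their own domains here so that their pages run with relaxed security settings, which is why a domain you do not recognise in this output is worth removing rather than leaving in place.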
  • Support

    Due to lack of feedback, this topic has been closed.


    If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.


    Everyone else please begin a New Topic.


    Thank You !

    0
  • Support

    Do you still have dnslocker ads?


    If yes, please run FRST again and attach the two new logs.

    0
