This persistent virus is still present and causing issues.

GarciaPRO
Member
189
02-18-2023, 05:02 AM
#1

TheCoolNerd
Member
73
02-19-2023, 12:01 AM
#2
Run a system scan using Safe Mode.

Dinomaker249
Junior Member
13
02-19-2023, 05:25 AM
#3
Have you used Malwarebytes? Also, examine any unexpected programs in Task Manager or within your browser extensions. Identify the source of the infection and inspect the related files; you may need to remove the .dll file.

carebearisboss
55
02-19-2023, 08:18 AM
#4
What tools have you used so far? It would be useful to see what actions you've already taken. Run RogueKiller, scan the system. Avoid other programs and delay repairs until later. Log your findings. Let’s determine what it reveals. Re-scan with RogueKiller, remove the results. Use CCleaner then Malwarebytes. Never watch porn again – option two works best. They are very fast, professional, and helpful. https://forums.malwarebytes.org/

josh_k1310
Member
224
02-19-2023, 12:20 PM
#5
I ran it. Twice.

RogueKiller V10.1.2.0 [Jan 7 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Rainbow Dash [Administrator]
Mode : Scan -- Date : 01/12/2015 19:43:20

¤¤¤ Processes : 2 ¤¤¤
[suspicious.Path] rubyw.exe(4012) -- C:\Users\RAINBO~1\AppData\Local\Temp\ocr3B98.tmp\bin\rubyw.exe[-] -> Killed [TermProc]
[suspicious.Path] rubyw.exe(4668) -- C:\Users\RAINBO~1\AppData\Local\Temp\ocr450A.tmp\bin\rubyw.exe[-] -> Killed [TermProc]

¤¤¤ Registry : 19 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run | Lightshot : C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-1492750765-291453404-947337075-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/ -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-1492750765-291453404-947337075-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://google.com/ -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters | DhcpNameServer : 71.10.216.1 71.10.216.2 [(Unknown Country?) (XX)][(Unknown Country?) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters | DhcpNameServer : 71.10.216.1 71.10.216.2 [(Unknown Country?) (XX)][(Unknown Country?) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters | DhcpNameServer : 209.222.18.222 209.222.18.218 [uNITED STATES (US)][uNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{1B47F713-C75F-42D2-8D4D-C805F5293049} | DhcpNameServer : 71.10.216.1 71.10.216.2 [(Unknown Country?) (XX)][(Unknown Country?) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{913090E4-95F2-4D28-9256-CE254B7F4CFB} | DhcpNameServer : 209.222.18.222 209.222.18.218 [uNITED STATES (US)][uNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{1B47F713-C75F-42D2-8D4D-C805F5293049} | DhcpNameServer : 71.10.216.1 71.10.216.2 [(Unknown Country?) (XX)][(Unknown Country?) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{913090E4-95F2-4D28-9256-CE254B7F4CFB} | DhcpNameServer : 209.222.18.222 209.222.18.218 [uNITED STATES (US)][uNITED STATES (US)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{1B47F713-C75F-42D2-8D4D-C805F5293049} | DhcpNameServer : 71.10.216.1 71.10.216.2 [(Unknown Country?) (XX)][(Unknown Country?) (XX)] -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{913090E4-95F2-4D28-9256-CE254B7F4CFB} | DhcpNameServer : 209.222.18.222 209.222.18.218 [uNITED STATES (US)][uNITED STATES (US)] -> Found
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 0 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 1 -> Found

¤¤¤ Tasks : 3 ¤¤¤
[suspicious.Path] \\{51573B44-5A22-47E8-8075-B7B590E7DF6D } -- C:\Users\Rainbow Dash\Desktop\math-blaster-plus\MATH.EXE -> Found
[suspicious.Path] \\{89C3A527-8A7E-4A43-81B7-4C0A59533EEF } -- C:\Users\Rainbow Dash\Desktop\math-blaster-plus\MATH.EXE -> Found
[suspicious.Path] \\{F55E634F-FCAC-4342-8F3A-DC890C3CC877 } -- C:\Users\Rainbow Dash\Desktop\math-blaster-plus\MATH.EXE -> Found

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 3 ¤¤¤
[PUM.Proxy][FIREFX:Config] d8n6mowa.default : user_pref("network.proxy.http", "117.59.217.237"); -> Found
[PUM.Proxy][FIREFX:Config] d8n6mowa.default : user_pref("network.proxy.http_port", 83); -> Found
[PUM.HomePage][FIREFX:Config] d8n6mowa.default : user_pref("browser.startup.homepage", "google.com"); -> Found

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: Samsung SSD 840 EVO 1TB ATA Device +++++
--- User ---
[MBR] 6122b40c897c0a4c2c830bb4b91d1e02
[bSP] 3949ab589481a283eae0389ecee2e030 : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 953867 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive1: ST3000DM001-1E6166 ATA Device +++++
--- User ---
[MBR] 9c5f5da6f9fbb8c773e484ccc6aef2e3
[bSP] f624f8859ff4c323aa6680861adba390 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0x0) [VISIBLE] Offset (sectors): 1 | Size: 2097151 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive2: KINGSTON SV300S37A240G ATA Device +++++
--- User ---
[MBR] a31c30fb6e3ad9989414fa116bc30ed1
[bSP] b0f6a45d0de101cc55be18b7e004dbac : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 228934 MB
User = LL1 ... OK
User = LL2 ... OK
+++++ PhysicalDrive3: Generic STORAGE DEVICE USB Device +++++
--- User ---
[MBR] 0be0161707b60ff4e8097dca7db0aebc
[bSP] df4f83c1f72e36823a12b0dfc7617313 : Empty MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 32768 | Size: 63984 MB
User = LL1 ... OK
Error reading LL2 MBR! ([32] The request is not supported. )