Hugene fix

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Processes - Safe List]
YY -> svchost.exe -> C:\Windows\update.1\svchost.exe
[Registry - Safe List]
< FireFox Extensions [Program Folders] > -> 
YY -> ClickPotatoLite Component -> C:\PROGRAM FILES (X86)\CLICKPOTATOLITE\BIN\10.0.668.0\FIREFOX\EXTENSIONS
YY -> cacaoweb -> C:\USERS\HUGENE\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\D6H71Q8R.DEFAULT\EXTENSIONS\CACAOWEB@CACAOWEB.ORG
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {02478D38-C3F9-4efb-9B51-7695ECA05670} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> {258C9770-1713-4021-8D7E-1F184A2BD754} [HKLM] -> [ShoppingReport2]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2517038744-3281405084-810221206-1000\] > -> HKEY_USERS\S-1-5-21-2517038744-3281405084-810221206-1000\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{21FA44EF-376D-4D53-9B0F-8A89D3229068}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "tray_ico" -> []
YY -> "tray_ico0" -> C:\Windows\update.tray-7-0\svchost.exe [C:\Windows\update.tray-7-0\svchost.exe]
YN -> "tray_ico1" -> []
YN -> "tray_ico2" -> []
YN -> "tray_ico3" -> []
YN -> "tray_ico4" -> []
YY -> "wxpdrv" -> C:\Windows\services32.exe [C:\Windows\services32.exe]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {B58926D6-CFB0-45d2-9C28-4B5A0F0368AE}:{7A3D6D17-9DD5-4C60-8076-D1784DABAF8C} [HKLM] -> [Button: ClickPotato]
YN -> {DB38E21A-0133-419d-92AD-ECDFD5244D6D}:{3E2DFD6A-4E20-4d4c-AA8B-E1F9DBEF3C80} [HKLM] -> [Button: ShopperReports - Compare product prices]
YN -> {EB620C54-E229-4942-87CE-E717109FC8C6}:{714E0876-FCEE-49ce-A429-B9AD8AEFCB56} [HKLM] -> [Button: ShopperReports - Compare travel rates]
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
YN -> "AlternateShell" -> services32.exe
[Files/Folders - Created Within 30 Days]
NY ->  av_ico -> C:\Windows\av_ico
NY ->  update.tray-7-0-lnk -> C:\Windows\update.tray-7-0-lnk
NY ->  update.tray-7-0 -> C:\Windows\update.tray-7-0
NY ->  {E68DEF08-A0C1-4393-8FF0-64CC9424759A} -> C:\Users\Hugene\AppData\Local\{E68DEF08-A0C1-4393-8FF0-64CC9424759A}
NY ->  {806FFDF5-BA2E-4CA3-A03B-8EB3FCAFE7FD} -> C:\Users\Hugene\AppData\Local\{806FFDF5-BA2E-4CA3-A03B-8EB3FCAFE7FD}
NY ->  {BCEDF458-9CC8-4072-A84D-067A23974127} -> C:\Users\Hugene\AppData\Local\{BCEDF458-9CC8-4072-A84D-067A23974127}
NY ->  {CEC449F1-C6A0-4583-B3C1-67A5B7B850BB} -> C:\Users\Hugene\AppData\Local\{CEC449F1-C6A0-4583-B3C1-67A5B7B850BB}
NY ->  {500D8C58-5C38-4D19-8464-5C44C6AFC17D} -> C:\Users\Hugene\AppData\Local\{500D8C58-5C38-4D19-8464-5C44C6AFC17D}
NY ->  {CD2A02D4-1CBA-4956-BEF8-E4E7367D2C50} -> C:\Users\Hugene\AppData\Local\{CD2A02D4-1CBA-4956-BEF8-E4E7367D2C50}
NY ->  {9936B6F3-F771-4521-9D72-DEC6A2A461FC} -> C:\Users\Hugene\AppData\Local\{9936B6F3-F771-4521-9D72-DEC6A2A461FC}
NY ->  {64D67BCE-0166-48F0-AD74-3E34CD011788} -> C:\Users\Hugene\AppData\Local\{64D67BCE-0166-48F0-AD74-3E34CD011788}
NY ->  {A39F8A9F-96EC-4181-AF4B-B06838F8AF54} -> C:\Users\Hugene\AppData\Local\{A39F8A9F-96EC-4181-AF4B-B06838F8AF54}
NY ->  {3038FE97-FEC0-4384-AE3F-FA640327C8A5} -> C:\Users\Hugene\AppData\Local\{3038FE97-FEC0-4384-AE3F-FA640327C8A5}
NY ->  {8BDB0D15-4CB3-4DFB-9CD6-032AA25EED74} -> C:\Users\Hugene\AppData\Local\{8BDB0D15-4CB3-4DFB-9CD6-032AA25EED74}
NY ->  {905689B7-4ABA-4479-9BF8-A2B36C2CE948} -> C:\Users\Hugene\AppData\Local\{905689B7-4ABA-4479-9BF8-A2B36C2CE948}
NY ->  {28273214-0979-4530-8DD5-DFFC51386563} -> C:\Users\Hugene\AppData\Local\{28273214-0979-4530-8DD5-DFFC51386563}
NY ->  {3AB9CA84-F75E-4E06-ABC9-25E3986F0B49} -> C:\Users\Hugene\AppData\Local\{3AB9CA84-F75E-4E06-ABC9-25E3986F0B49}
NY ->  {17DDCF70-2822-4A5B-B81F-EF094A859584} -> C:\Users\Hugene\AppData\Local\{17DDCF70-2822-4A5B-B81F-EF094A859584}
NY ->  {6E12370D-9DA1-4316-95E5-2764BC0AD20B} -> C:\Users\Hugene\AppData\Local\{6E12370D-9DA1-4316-95E5-2764BC0AD20B}
NY ->  {FF1ECC46-B1A9-4B9A-824F-97998B3BF400} -> C:\Users\Hugene\AppData\Local\{FF1ECC46-B1A9-4B9A-824F-97998B3BF400}
[Files/Folders - Modified Within 30 Days]
NY ->  cacaoweb.exe -> C:\Users\Hugene\Desktop\cacaoweb.exe
[Files - No Company Name]
NY ->  services32.exe -> C:\Windows\services32.exe
[File - Lop Check]
NY ->  cacaoweb -> C:\Users\Hugene\AppData\Roaming\cacaoweb
NY ->  ClickPotatoLite -> C:\Users\Hugene\AppData\Roaming\ClickPotatoLite
[Custom Scans]
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.1\svchost.exe
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.tray-7-0\svchost.exe
YY ->  svchost.exe : MD5=7A3BC4D258CBE30DFB0649EE863FAE25 -> C:\Windows\update.tray-7-0-lnk\svchost.exe
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

This is the notepad document link in mediafire:

http://www.mediafire.com/?f0hjpfvr0jq19f7

Thanks for the help

What would be my next step?

Unfortunately that next step is analysing the resultant log file and requires someone with knowledge of OTS. Right now it is 1:30am in the UK so essexboy will be in bed and not back un the forums until tomorrow after work.

From my very limited knowledge, it looks like it has removed much of what essexboy’s fix was hunting. Some however require a reboot to be removed, so if you haven’t rebooted you will need to do that.

If you have rebooted, are you still experiencing any problems ?

Everything seems to be in order but I want to be sure. I can log into facebook again and I need to re-install Avast, which I will. I just want to be sure if this virus is completely terminated and if there is anything else that must be done to ensure that.

Thank you so much for the help. :slight_smile:

Essexboy should be on-line in a couple of hours and should be able to confirm; being symptom free is a good start.

OK a final sweep for orphans - and then lets see if the system is running OK - remember only update flash from the Adobe website

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish,so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
[
]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

This is the mbam log:

http://www.mediafire.com/?fwldwti65976sjz

Essexboy will still be at work for a few more hours before being able to get on to the forums.

It looks like MBAM has cleaned out some adware (shopperreports/clickpotato) and orphans plus some firefox extensions. The report doesn’t say what firefox version you are using (?), but you should ensure that you have the latest version.

There is no need to send all logs to mediafire, only those which are over 200KB that can’t be attached to your post (saves you time).

Yep I did remove some of the click potato but MBAM looks deeper than me ;D

Do you have any further problems ?

No more problems. Everything seems to be in order.

Thank you so much Essexboy and DavidR for all your help.

You’re welcome, essexboy will be in the land of nod now, 00:05am in the UK now. He is likely to be back on-line around the same time he was in his last posts.

Generally he would ask you to monitor it for a day or so and if no problems get back on the forums and he will remove his tools and probably give some general advice for you to follow.

OK let me know if all is OK tomorrow and we will tidy you up ;D

Yip, all is ok

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

 
[Unregister Dlls]
[Custom Items]
:Files
ipconfig /flushdns /c
:end
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

Run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[] Go to this site and click Do I have Java
[
] It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]GoStart > All programs > Accessories > system tools
[*]Right click Disc cleanup an select run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[]Select OK
[
]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: