Hi,

I have the problem that every 5 seconds, my WebShield pops up notfying me that it has blocked a harmful webpage or file from running. This file is called “http://blablablaoldtraff.in/index.php” the infection type is URL:Mal and the affected process is “C:\Windows\explorer.exe” Not sure where to turn, I have tried MalwareBytes and multiple boot-time scans, these popups are starting to make my computer impossible and unbearable to use. I have tried zoek, but it did not work. Below is my log file. Your assistance will be appreciated.

Regards

Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by patrick on 2015/05/11 at 12:32:06.18.
Microsoft Windows 7 Home Basic 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\patrick\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

2015/05/11 12:34:43 PM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\DC-Unlocker deleted successfully
C:\PROGRA~2\LMSOFT deleted successfully
C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\PROGRA~2\COMMON~1\PDF Architect deleted successfully
C:\PROGRA~3\Babylon deleted successfully
C:\PROGRA~3\Evernote deleted successfully
C:\Users\patrick\AppData\Local\GHISLER deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} deleted successfully
HKEY_USERS\S-1-5-21-1789757520-3763477244-4059058576-1000\Software\Microsoft\Internet Explorer\SearchScopes{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} deleted successfully

==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Registry Fix Code ======================

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“bProtector Start Page”=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
“bProtectorDefaultScope”=-

==== Batch Command(s) Run By Tool======================

==== Deleting Files \ Folders ======================

C:\PROGRA~2\DC-Unlocker not found
C:\PROGRA~2\LMSOFT not found
C:\PROGRA~2\MakeMKV deleted
C:\Users\patrick\AppData\Local\41 deleted
C:\Users\patrick\AppData\Local\ElevatedDiagnostics deleted
C:\Users\patrick\AppData\Local\EmieBrowserModeList deleted
C:\Users\patrick\AppData\Local\Skype deleted
C:\PROGRA~2\TornTV.com deleted
C:\Users\patrick.android deleted
C:\PROGRA~2\Vittalia deleted
C:\PROGRA~2\BrowseFox deleted
C:\PROGRA~2\Registry Dr deleted
C:\PROGRA~2\COMMON~1\DVDVideoSoft\bin deleted
C:\PROGRA~2\FreeRIP deleted
C:\Program Files\PCDApp deleted
C:\Users\patrick\AppData\Roaming\Rim.Desktop.Exception.log deleted
C:\Users\patrick\AppData\Roaming\Rim.Desktop.HttpServerSetup.log deleted
C:\Users\patrick\AppData\Roaming\Rim.DesktopHelper.Exception.log deleted
C:\Users\patrick\AppData\Roaming\Babylon deleted
C:\PROGRA~3\APN deleted
C:\PROGRA~3\BitGuard deleted
C:\PROGRA~3\DSearchLink deleted
C:\Users\patrick\AppData\Local\RegistryDR deleted
C:\Users\patrick\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard deleted
C:\Windows\wininit.ini deleted
C:\windows\SysNative\tasks\PrivacyDR_Popup deleted
C:\windows\SysNative\tasks\PrivacyDR_Start deleted
C:\windows\SysNative\tasks\RegistryDr_Popup deleted
C:\windows\SysNative\tasks\RegistryDr_Start deleted
C:\Windows\SysNative\config\systemprofile\Searches deleted
C:\Windows\SysWow64\AI_RecycleBin deleted
C:\Windows\SysWow64\searchplugins deleted
C:\Windows\SysWow64\Extensions deleted
C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\kznd975t.default\Invalidprefs.js deleted
“C:\Users\patrick\AppData\Local{32A848C3-CF21-4D2A-B35B-DBDBA2E3FD0B}” deleted
“C:\Users\patrick\AppData\Roaming\OpenCandy” deleted

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\kznd975t.default
user_pref(“browser.startup.homepage”, “https://www.google.co.za/”);

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
“wrc@avast.com”=“C:\Program Files\AVAST Software\Avast\WebRep\FF” [2015/04/27 05:40 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\kznd975t.default

• Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF

ExtDir: C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\extensions

• Torntv 3 - %ExtDir%\trtv3@trtv.com.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox

• Default - %AppDir%\browser\extensions{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\kznd975t.default
43583AB4DFD406F4C188342F41B1F91C - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_17_0_0_134.dll - Shockwave Flash

==== Deleted Firefox Extensions ======================

C:\Users\patrick\AppData\Roaming\Mozilla\Firefox\Profiles\extensions\trtv3@trtv.com.xpi deleted

==== Chromium Look ======================

Google Chrome Version: 42.0.2311.135

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
bicnnkjibmphdeigoodpjlcklcnaobdj - C:\Program Files (x86)\TornTV.com\torntv10.crx
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[2015/04/07 07:41 PM]

Avast Online Security - patrick\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“https://www.google.co.za/”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
“Tabs”=“res://ieframe.dll/tabswelcome.htm”
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
“Tabs”=“res://ieframe.dll/tabswelcome.htm”
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
“DefaultScope”=“{0633EE93-D776-472f-A0FF-E1416B8B2E3A}”

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“Start Page”=“https://www.google.co.za/”
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
“Tabs”=“about:newtab”
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
“Tabs”=“about:newtab”
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
“DefaultScope”=“{012E1000-F331-11DB-8314-0800200C9A66}”

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{012E1000-F331-11DB-8314-0800200C9A66} Google Url=“http://www.google.com/search?q={searchTerms}”
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url=“http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC”

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1789757520-3763477244-4059058576-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
HKEY_USERS\S-1-5-21-1789757520-3763477244-4059058576-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
HKEY_USERS\S-1-5-21-1789757520-3763477244-4059058576-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{B9507101-E464-4B3B-A4CB-291AAEDD94F2} deleted successfully
HKEY_USERS\S-1-5-21-1789757520-3763477244-4059058576-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{B9507101-E464-4B3B-A4CB-291AAEDD94F2} deleted successfully
HKEY_USERS\S-1-5-21-1789757520-3763477244-4059058576-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{d2ce3e00-f94a-4740-988e-03dc2f38c34f} deleted successfully
HKEY_USERS\S-1-5-21-1789757520-3763477244-4059058576-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings{d2ce3e00-f94a-4740-988e-03dc2f38c34f} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID{B9507101-E464-4B3B-A4CB-291AAEDD94F2} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID{d2ce3e00-f94a-4740-988e-03dc2f38c34f} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{d2ce3e00-f94a-4740-988e-03dc2f38c34f} deleted successfully

==== Deleting CLSID Registry Values ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar{8dcb7100-df86-4384-8842-8fa844297b3f} deleted successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\bicnnkjibmphdeigoodpjlcklcnaobdj deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall{99C91FC5-DB5B-4AA0-BB70-5D89C5A4DF96} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall{EE171732-BEB4-4576-887D-CB62727F01CA} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall{15D2D75C-9CB2-4efd-BAD7-B9B4CB4BC693} deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Torntv Downloader deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\patrick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\patrick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRYK3XMX will be deleted at reboot
C:\Users\patrick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CLGHY8CW will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\patrick\AppData\Local\Mozilla\Firefox\Profiles\kznd975t.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\patrick\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache is not empty, a reboot is needed

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=508 folders=84 86022385 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\patrick\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp will be emptied at reboot
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
c:\Temp successfully emptied

==== Empty Recycle Bin ======================

C:$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

“C:\Users\patrick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BRYK3XMX” not found
“C:\Users\patrick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CLGHY8CW” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\acjs.aliyun.com” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\cdn3b.static.hardsextube.com” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\f.vimeocdn.com” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\filetype.flash-container.info” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\i.alipayobjects.com” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\img5.uloz.to” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\pagead2.googlesyndication.com” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\slotsheaven.com” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\specials.checkers.co.za” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\va1en.sftcdn.net” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\www.ajaxcdn.org” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\www.bogabids.com” not found
“C:\Users\patrick\AppData\Roaming\Macromedia\Flash Player#SharedObjects\LJRCCULY\www.superfish.com” not found

==== EOF on 2015/05/11 at 13:07:35.29 ======================

Hello,

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Hi

Thanks for the reply, I ran the program, still getting the popups.

Please see attached and thanks for your assistance.

Regards

Uninstall:

• BrowseFox 3.0.0
• Vittalia Installer

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[B] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/B]

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

HI,

Thanks for the quick reply, i ran the fix, but am still getting the same pop-up.

Attached is the fixlog.

Thanks

Can you make a picture of this pop-up?

Also please run Farbar again and attach the new logs.

Hi,

Attached is a picture of the pop up and the files from the rerun of frst.

Thanks for your assistance.

Regards

Please uninstall Vittalia Installer

https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
Fix with Farbar Recovery Scan Tool

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[B] This fix was created for this user for use on that particular machine.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif

https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
Running it on another one may cause damage and render the system unstable.
https://sites.google.com/site/cannedfixes/home/hosted-images-formatting/icon_exclaim.gif
[/B]

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

[*]Right-click on
https://sites.google.com/site/cannedfixes/farbar-recovery-scan-tool/FRST.gif
icon and select
https://sites.google.com/site/cannedfixes/home/hosted-images-tools/RunAsAdmin.jpg
Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
[*]Press the Fix button just once and wait.
[*]If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
[*]When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.

Hi Guys,

Sorry been away, fixes did not help reloaded OS.

Thanks for all your assistance.

Regards