Popups and IE opening

[ken545]

Thats fine, sometimes malware gets so exasperating people try things on there own but its always best to just come to the forum and post logs before doing anything on your own

You have so many things in your downloads folder , what I would do is go into the downloads folder and delete it all but not the downloads folder itself

Start
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-158169146-1400861035-4088244124-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
2015-03-25 20:59 - 2015-03-25 20:59 - 00747288 _____ (Program ) C:\Users\maraj_000\Downloads\CR_Downloader_for_ppsspp.exe
2015-03-25 21:00 - 2015-03-25 21:00 - 00747288 _____ (Program ) C:\Users\maraj_000\Downloads\CR_Downloader_for_pcsx2.exe
Task: {3F8E02B2-1C82-44D8-AB79-4C826C7AC357} - System32\Tasks\IEError => C:\Program Files (x86)\FixMyPcutil\Popialert.exe [2015-03-18] (Popialert)
Task: {56F13F24-FC89-49BD-963E-1EA773A3C9E9} - System32\Tasks\AI_Updater => C:\Program Files (x86)\FixMyPcutil\updater.exe [2015-03-19]
(FixMyPcutil)
C:\Program Files (x86)\FixMyPcutil
Task: {73841BBC-AA42-4F7E-864F-31093381C2FF} - System32\Tasks\UPDTEXE4_WDR => C:\Program Files (x86)\Portable WeatherApp\updater.exe
C:\Program Files (x86)\Portable WeatherApp
Task: {AF408DA9-4E03-4C1F-9BB2-8D6F1A726D72} - System32\Tasks\HDNINSTSCHD => C:\windows\PCBHDNW\hdnInstaller.exe
C:\windows\PCBHDNW
Task: {D978726E-BE0E-47ED-B790-6BBCC7E746B4} - System32\Tasks\boosterpop => C:\Program Files (x86)\FixMyPcutil\Probsalert.exe [2015-03-19]
(Probsalert)
Task: {FBD2F3E1-C876-4E5D-8AA6-5EAA00785EED} - System32\Tasks\IE_ERR4WDR => C:\Program Files (x86)\Portable WeatherApp\IEError.exe
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
End

Open up windows notepad and copy and paste all the quoted text into notepad starting with START and ending with END, name the file FIXLIST, save it to your desktop where you now have FRST64, use your mouse and drag FIXLIST right next to FRST64, either above or below it or on either side but not on top of it, then open up FRST64 and click on FIX (Not Scan) it wont take long, after your computer reboots you will find a FIXLOG on your desktop, post it please and also let me know how your system is behaving now

[mgsvz]

The first time I tried to run it the program stopped responding and windows shut it down. I ran it a second time and everything went fine. We've had the computer on the whole day and everything seems to be good--no popup, no IE opening. Thank you so much. Here's the fixlog:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by maraj_000 at 2015-03-31 10:35:57 Run:2
Running from C:\Users\maraj_000\Desktop
Loaded Profiles: maraj_000 & (Available profiles: UpdatusUser & maraj_000)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-158169146-1400861035-4088244124-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
2015-03-25 20:59 - 2015-03-25 20:59 - 00747288 _____ (Program ) C:\Users\maraj_000\Downloads\CR_Downloader_for_ppsspp.exe
2015-03-25 21:00 - 2015-03-25 21:00 - 00747288 _____ (Program ) C:\Users\maraj_000\Downloads\CR_Downloader_for_pcsx2.exe
Task: {3F8E02B2-1C82-44D8-AB79-4C826C7AC357} - System32\Tasks\IEError => C:\Program Files (x86)\FixMyPcutil\Popialert.exe [2015-03-18] (Popialert)
Task: {56F13F24-FC89-49BD-963E-1EA773A3C9E9} - System32\Tasks\AI_Updater => C:\Program Files (x86)\FixMyPcutil\updater.exe [2015-03-19]
(FixMyPcutil)
C:\Program Files (x86)\FixMyPcutil
Task: {73841BBC-AA42-4F7E-864F-31093381C2FF} - System32\Tasks\UPDTEXE4_WDR => C:\Program Files (x86)\Portable WeatherApp\updater.exe
C:\Program Files (x86)\Portable WeatherApp
Task: {AF408DA9-4E03-4C1F-9BB2-8D6F1A726D72} - System32\Tasks\HDNINSTSCHD => C:\windows\PCBHDNW\hdnInstaller.exe
C:\windows\PCBHDNW
Task: {D978726E-BE0E-47ED-B790-6BBCC7E746B4} - System32\Tasks\boosterpop => C:\Program Files (x86)\FixMyPcutil\Probsalert.exe [2015-03-19]
(Probsalert)
Task: {FBD2F3E1-C876-4E5D-8AA6-5EAA00785EED} - System32\Tasks\IE_ERR4WDR => C:\Program Files (x86)\Portable WeatherApp\IEError.exe
CMD: ipconfig /flushdns
Hosts:
EmptyTemp:
End

[ken545]

Thats great, but you posted the FIXLIST file, I need to see the FIXLOG

[mgsvz]

That is the fixlog I posted, or at least the file named fixlog that came up on the desktop. The beginning of the text refers to "Fix result of Farbar Recovery Tool". Maybe the fact that it didn't work the first time changed what you were expecting?

[ken545]

Oh well, glad things are running better for you

Double click on AdwCleaner.exe to run the tool again.

• Click on the Uninstall button.
• Click Yes when asked are you sure you want to uninstall.
• Both AdwCleaner.exe, its folder and all logs will be removed.

==========================================================


Please download DelFix and save the file to your Desktop.

• Windows XP Double Click DelFix.exe to run the program.
• Windows Vista > Win 7 > Win 8 Right Click on DelFix.exe and select RUN AS ADMINISTRATOR
• Checkmark " Remove Disinfection Tools"
• Click the Run button

This will remove the specialised tools we used to clean your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually



==========================================================

• How did I get infected in the first place ?
  Read these links and find out how to prevent getting infected again.
• Tutorial for System Restore <-- Do this first to prevent yourself from being reinfected.
• WhattheTech
• Grinler BleepingComputer
• GeeksTo Go
• Dslreports

Safe Surfn
Ken

[mgsvz]

Thanks again Ken. I really appreciate it.

[ken545]

Your more than welcome

Take Care my friend

Ken