Thread: Can't remove win32.2urface.bho

  1. #1 Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    Quote Originally Posted by BIOS_Pherecydes:
    Thanks, problem appears to be solved. Is there any follow-up information required to verify?
    Yes, I think an online scan would be best to run now.
    Might not find anything but we should.

    What we can do now is run an online scan with Eset, for the time being it is our most trusted scanner.
    Most reliable and thorough.
    The settings I suggest will show us items located in quarantine folders, so don't be alarmed by this. Also, in case of a false positive, I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending, of course, on how full your computer is.


    Go here to run an online scanner from ESET. Windows Vista/Windows 7/Windows 8 users will need to right click on their Internet Explorer shortcut and select Run as Administrator.
    • Note:
      For browsers other than Internet Explorer, you will be prompted to download and install esetsmartinstaller_enu.exe. Click on the link and save the file to a convenient location. Double click on it to install and a new window will open. Follow the prompts.
    • Turn off the real time scanner of any existing antivirus program while performing the online scan. Here's how.
    • Click the blue Run ESET Online Scanner button
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the program to install the "OnlineScanner.cab" activex control by clicking the Install button
    • Once the activex control is installed, on the next screen click on Enable detection of potentially unwanted applications
    • Click on Advanced Settings
    • Make sure that the option Remove found threats is unticked.
    • Ensure these options are ticked
      • Scan archives
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology

    • Click Start
    • Wait for the scan to finish
    • When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
    • Save that text file on your desktop. Copy and paste the contents of that log as a reply to this topic.
    • Close the ESET online scan.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  2. #2 Junior Member (Join Date: Jan 2015; Posts: 8)

    C:\$Recycle.Bin\S-1-5-21-614374451-640586071-3639636259-1002\$RK68PJ2\Quarantine\C\Program Files (x86)\DeltaFix\DeltaFix.dll.vir a variant of Win32/Adware.MultiPlug.DX application
    C:\$Recycle.Bin\S-1-5-21-614374451-640586071-3639636259-1002\$RK68PJ2\Quarantine\C\ProgramData\Trusted Publisher\SW-Booster\SW-Booster.exe.vir Win32/TrojanDownloader.Agent.ACF trojan
    C:\$Recycle.Bin\S-1-5-21-614374451-640586071-3639636259-1002\$RK68PJ2\Quarantine\C\Users\UserPrime\AppData\Local\Google\Chrome\User Data\Default\Extensions\hjlbpeobfoehgedfokphelfpbhmdphco\1\tFeo.js.vir JS/Kryptik.ATB trojan
    C:\$Recycle.Bin\S-1-5-21-614374451-640586071-3639636259-1002\$RK68PJ2\Quarantine\C\Users\UserPrime\AppData\Roaming\Mozilla\Firefox\Profiles\swnccxfp.default-1396138438950\Extensions\kE@I3AZM.com\content\bg.js.vir JS/Kryptik.ATB trojan
    C:\$Recycle.Bin\S-1-5-21-614374451-640586071-3639636259-1002\$RK68PJ2\Quarantine\C\Users\UserPrime\AppData\Roaming\Mozilla\Firefox\Profiles\swnccxfp.default-1396138438950\Extensions\kxm0TR@p.com\content\bg.js.vir JS/Kryptik.ATB trojan
    C:\$Recycle.Bin\S-1-5-21-614374451-640586071-3639636259-1002\$RK68PJ2\Quarantine\C\Users\UserPrime\AppData\Roaming\Mozilla\Firefox\Profiles\swnccxfp.default-1396138438950\Extensions\tfQ@S.com\content\bg.js.vir JS/Kryptik.ATB trojan
    C:\ProgramData\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll Win32/InstalleRex.M potentially unwanted application
    C:\ProgramData\InstallMate\{8C3F256D-75DD-4F92-AD79-3DFF57DC079B}\Custom.dll Win32/InstalleRex.M potentially unwanted application
    C:\ProgramData\InstallMate\{C2A4C3AF-268F-4FFC-AD17-6EAD1947E159}\Custom.dll Win32/InstalleRex.M potentially unwanted application
    C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js JS/Kryptik.ATB trojan
    C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\lsdb.js JS/Kryptik.ATB trojan
    C:\Users\All Users\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll Win32/InstalleRex.M potentially unwanted application
    C:\Users\All Users\InstallMate\{8C3F256D-75DD-4F92-AD79-3DFF57DC079B}\Custom.dll Win32/InstalleRex.M potentially unwanted application
    C:\Users\All Users\InstallMate\{C2A4C3AF-268F-4FFC-AD17-6EAD1947E159}\Custom.dll Win32/InstalleRex.M potentially unwanted application
    C:\Users\All Users\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js JS/Kryptik.ATB trojan
    C:\Users\All Users\ocgopgojnbidinlnlaofbdgbbeggikkf\lsdb.js JS/Kryptik.ATB trojan
    C:\Users\UserPrime\Desktop\FlashVault\MyApps\Download\setup.exe a variant of Win32/AirAdInstaller.A potentially unwanted application
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\1\Design\New\156554.png HTML/Iframe.B.Gen virus
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\1\Funny\2b67321367a594f08b38dbfbb2225b66.jpg HTML/Iframe.B.Gen virus
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\Photo Editors\cbsi-3_2_5_39-10703122.exe a variant of Win32/CNETInstaller.B potentially unwanted application
    C:\Users\UserPrime\Downloads\setup-adblock-master.exe Win32/Somoto.E potentially unwanted application
    C:\Users\UserPrime\Downloads\SmartHideIPSetup.exe a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application
    C:\Users\UserPrime\Downloads\SoftonicDownloader_for_winmail-reader.exe a variant of Win32/SoftonicDownloader.G potentially unwanted application
    C:\Users\UserPrime\Downloads\New folder (2)\rcsetup151.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application

  3. #3 Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    C:\$Recycle.Bin <-- remove/empty what you have in your Recycle bin.


    Open Notepad. Please copy the contents of the quote box below. To do this, highlight the contents of the box, right click on it and select Copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt.
    NOTE: It's important that both files, FRST/FRST64 and fixlist.txt, are in the same location or the fix will not work.
    It needs to be saved next to the "Farbar Recovery Scan Tool" (if asked to overwrite the existing one, please allow).

    start
    CloseProcesses:
    C:\ProgramData\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll
    C:\ProgramData\InstallMate\{8C3F256D-75DD-4F92-AD79-3DFF57DC079B}\Custom.dll
    C:\ProgramData\InstallMate\{C2A4C3AF-268F-4FFC-AD17-6EAD1947E159}\Custom.dll
    C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js
    C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\lsdb.js
    C:\Users\All Users\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll
    C:\Users\All Users\InstallMate\{8C3F256D-75DD-4F92-AD79-3DFF57DC079B}\Custom.dll
    C:\Users\All Users\InstallMate\{C2A4C3AF-268F-4FFC-AD17-6EAD1947E159}\Custom.dll
    C:\Users\All Users\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js
    C:\Users\All Users\ocgopgojnbidinlnlaofbdgbbeggikkf\lsdb.js
    C:\Users\UserPrime\Desktop\FlashVault\MyApps\Download\setup.exe
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\1\Design\New\156554.png
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\1\Funny\2b67321367a594f08b38dbfbb2225b66.jpg
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\Photo Editors\cbsi-3_2_5_39-10703122.exe
    C:\Users\UserPrime\Downloads\setup-adblock-master.exe
    C:\Users\UserPrime\Downloads\SmartHideIPSetup.exe
    C:\Users\UserPrime\Downloads\SoftonicDownloader_for_winmail-reader.exe
    C:\Users\UserPrime\Downloads\New folder (2)\rcsetup151.exe
    EmptyTemp:
    End
    Open FRST/FRST64 and press the Fix button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.


    How's your computer?
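    An added example, not part of this thread and not ESET's or Farbar's own code: a small Python script that parses ESET Online Scanner text-export lines of the kind posted in #2, separates hits that already sit in a quarantine or Recycle Bin folder from live files, counts the live hits per signature, and lays the live paths out in the fixlist shape used in #3 (start / CloseProcesses: / paths / EmptyTemp: / End). The line format, the quarantine-folder markers and the sample lines are assumptions drawn from this thread rather than from ESET or FRST documentation, and the fixlist it emits is only a starting point for the person actually reviewing the log.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed line shape of the ESET Online Scanner text export, as seen in this thread:
#   <path> [a variant of ]<Family/Name.Variant> <verdict text>
# Windows paths carry no forward slash, so the first slash-bearing token that
# follows a space is taken as the signature and everything before it as the path.
LINE_RE = re.compile(
    r"^(?P<path>\S.*?) (?:a variant of )?(?P<sig>[A-Za-z0-9]+/\S+) (?P<kind>.+)$"
)

# Folders whose contents are already isolated. The helper in this thread asked for
# the Recycle Bin to be emptied rather than listing these in the fixlist
# (assumption based on the thread, not on ESET behaviour).
QUARANTINE_MARKERS = ("\\quarantine\\", "\\$recycle.bin\\")


@dataclass
class Detection:
    path: str
    signature: str
    kind: str
    quarantined: bool


def is_quarantined(path: str) -> bool:
    """True when the file already sits in a quarantine or Recycle Bin folder."""
    lowered = path.lower()
    return any(marker in lowered for marker in QUARANTINE_MARKERS)


def parse_eset_log(text: str) -> list[Detection]:
    """Parse every non-empty line of an ESET text export into a Detection."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised ESET log line: {line!r}")
        path = match.group("path")
        detections.append(
            Detection(path, match.group("sig"), match.group("kind"), is_quarantined(path))
        )
    return detections


def summarize_live(detections: list[Detection]) -> Counter:
    """Count live (not yet quarantined) hits per ESET signature name."""
    return Counter(d.signature for d in detections if not d.quarantined)


def build_fixlist(detections: list[Detection]) -> str:
    """Lay out the live paths in the FRST fixlist shape used in this thread:
    start / CloseProcesses: / one path per line / EmptyTemp: / End."""
    live_paths = [d.path for d in detections if not d.quarantined]
    return "\n".join(["start", "CloseProcesses:", *live_paths, "EmptyTemp:", "End"])


# Constructed sample: five lines copied from the scan export posted in this thread.
SAMPLE_LOG = r"""
C:\$Recycle.Bin\S-1-5-21-614374451-640586071-3639636259-1002\$RK68PJ2\Quarantine\C\Program Files (x86)\DeltaFix\DeltaFix.dll.vir a variant of Win32/Adware.MultiPlug.DX application
C:\ProgramData\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll Win32/InstalleRex.M potentially unwanted application
C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js JS/Kryptik.ATB trojan
C:\Users\UserPrime\Desktop\FlashVault\MyPictures\Photo Editors\cbsi-3_2_5_39-10703122.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\UserPrime\Downloads\New folder (2)\rcsetup151.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
"""

if __name__ == "__main__":
    found = parse_eset_log(SAMPLE_LOG)
    for d in found:
        state = "quarantined" if d.quarantined else "LIVE"
        print(f"{state:11} {d.signature:32} {d.kind}")
    print("\nlive hits per signature:", dict(summarize_live(found)))
    print("\nfixlist:\n" + build_fixlist(found))
```

    The parser deliberately refuses lines it cannot split rather than guessing, because a path containing spaces ("Program Files (x86)", "New folder (2)") is exactly where a naive split on whitespace would produce a wrong path in the fixlist.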

  4. #4 Junior Member (Join Date: Jan 2015; Posts: 8)

    Ran by UserPrime at 2015-01-27 14:04:17 Run:2
    Running from C:\Users\UserPrime\Desktop
    Loaded Profiles: UserPrime (Available profiles: UserPrime)
    Boot Mode: Normal
    ==============================================

    Content of fixlist:
    *****************
    start
    CloseProcesses:
    C:\ProgramData\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll
    C:\ProgramData\InstallMate\{8C3F256D-75DD-4F92-AD79-3DFF57DC079B}\Custom.dll
    C:\ProgramData\InstallMate\{C2A4C3AF-268F-4FFC-AD17-6EAD1947E159}\Custom.dll
    C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js
    C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\lsdb.js
    C:\Users\All Users\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll
    C:\Users\All Users\InstallMate\{8C3F256D-75DD-4F92-AD79-3DFF57DC079B}\Custom.dll
    C:\Users\All Users\InstallMate\{C2A4C3AF-268F-4FFC-AD17-6EAD1947E159}\Custom.dll
    C:\Users\All Users\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js
    C:\Users\All Users\ocgopgojnbidinlnlaofbdgbbeggikkf\lsdb.js
    C:\Users\UserPrime\Desktop\FlashVault\MyApps\Download\setup.exe
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\1\Design\New\156554.png
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\1\Funny\2b67321367a594f08b38dbfbb2225b66.jpg
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\Photo Editors\cbsi-3_2_5_39-10703122.exe
    C:\Users\UserPrime\Downloads\setup-adblock-master.exe
    C:\Users\UserPrime\Downloads\SmartHideIPSetup.exe
    C:\Users\UserPrime\Downloads\SoftonicDownloader_for_winmail-reader.exe
    C:\Users\UserPrime\Downloads\New folder (2)\rcsetup151.exe
    EmptyTemp:
    End
    *****************

    Processes closed successfully.
    C:\ProgramData\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll => Moved successfully.
    C:\ProgramData\InstallMate\{8C3F256D-75DD-4F92-AD79-3DFF57DC079B}\Custom.dll => Moved successfully.
    C:\ProgramData\InstallMate\{C2A4C3AF-268F-4FFC-AD17-6EAD1947E159}\Custom.dll => Moved successfully.
    C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js => Moved successfully.
    C:\ProgramData\ocgopgojnbidinlnlaofbdgbbeggikkf\lsdb.js => Moved successfully.
    "C:\Users\All Users\InstallMate\{221E6025-3050-44E2-A609-7872F9FD42D3}\Custom.dll" => File/Directory not found.
    "C:\Users\All Users\InstallMate\{8C3F256D-75DD-4F92-AD79-3DFF57DC079B}\Custom.dll" => File/Directory not found.
    "C:\Users\All Users\InstallMate\{C2A4C3AF-268F-4FFC-AD17-6EAD1947E159}\Custom.dll" => File/Directory not found.
    "C:\Users\All Users\ocgopgojnbidinlnlaofbdgbbeggikkf\gUz.js" => File/Directory not found.
    "C:\Users\All Users\ocgopgojnbidinlnlaofbdgbbeggikkf\lsdb.js" => File/Directory not found.
    C:\Users\UserPrime\Desktop\FlashVault\MyApps\Download\setup.exe => Moved successfully.
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\1\Design\New\156554.png => Moved successfully.
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\1\Funny\2b67321367a594f08b38dbfbb2225b66.jpg jpg => Moved successfully.
    C:\Users\UserPrime\Desktop\FlashVault\MyPictures\Photo Editors\cbsi-3_2_5_39-10703122.exe => Moved successfully.
    C:\Users\UserPrime\Downloads\setup-adblock-master.exe => Moved successfully.
    C:\Users\UserPrime\Downloads\SmartHideIPSetup.exe => Moved successfully.
    C:\Users\UserPrime\Downloads\SoftonicDownloader_for_winmail-reader.exe => Moved successfully.
    C:\Users\UserPrime\Downloads\New folder (2)\rcsetup151.exe => Moved successfully.
    EmptyTemp: => Removed 436 MB temporary data.


    The system needed a reboot.

    ==== End of Fixlog 14:04:29 ====


    Reran Spybot, Emsisoft and ESET. No problems found; ESET reported previous issues in quarantine. Is there anything else I need to do?

  5. #5 Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    If the computer feels back to normal I think we can finish up now?

  6. #6 Junior Member (Join Date: Jan 2015; Posts: 8)

    It does. I've restarted Emsisoft active protection and Spybot TeaTimer, so hopefully that should prevent future issues. Thank you for your help.

  7. #7 Juliet, Security Expert-emeritus (Join Date: Feb 2007; Location: Deep South; Posts: 4,084)

    DelFix

    -- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).