Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Hijacker.Medfos.B


Post by MtMercy+ » November 4th, 2013, 5:19 pm

My computer has had a problem for several months. Actually 2 problems. (1) If I do a search (doesn't matter if Google, Yahoo, etc.), and hit enter, different choices show up at left. I scroll down until I see one with the proper .com at the end, click on it, and almost always a website comes up that is different. I cancel it out, and go back to the original one I had selected, click on it, and it does then come up. (2) A lot of times when I am typing text, and if I pause for a bit, when I resume typing my cursor has moved back up into what I have already typed. If I don't do a visual check, I end up typing new material where it shouldn't be. I don't know if these 2 problems are related or not.
My computer is 1 1/2 years old. I have run McAfee Internet Security on it since new. I don't do anything with updates manually. I assume they are done automatically. My phone/internet provider provided me with free internet security also. Once a month they send me an e-mail informing me of the status. For 3-4 months they have shown an alert stating my computer has a "moderate risk" due to "Win32.Hijacker.Medfos.B-Runtime Detection". They recommended I run their "Super Spy-Ware" software to remove it. It didn't remove it. I have done total scans with McAfee Stinger, Malwarebytes, and several Windows tools.
Other than those 2 problems, my computer works fine. I'm just not computer savvy enough to know if I'm at risk on this computer doing financial transactions. I've been using a different computer for those. I'm just really tired of these nuisances, and would like some help. Thanks, Jim
I can't get the DDS.txt and Attach Text to copy and paste. They are both on my desktop, I click on them and they copy, but the pasting part isn't working! Help
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm

Re: Hijacker.Medfos.B

Post by Gary R » November 5th, 2013, 2:30 am

Can you attach the necessary files?

Open the text editor here by clicking the Full Editor button, then scan down to below the main text input field, click on the Upload Attachment button, hit the Browse button and browse to the DDS.txt file, double click on it to select it then click on Add the file to attach it. Repeat for Attach.txt

When both have been attached, click on the Submit button.

If you can't do that, can you copy files to a USB drive, in which case copy the two files to a USB drive, then plug the drive into your uninfected machine and use that to post them here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 5th, 2013, 10:35 am

Please find 2 files attached.
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm

Re: Hijacker.Medfos.B

Post by Gary R » November 5th, 2013, 11:26 am

OK, there's a couple of things showing in your DDS logs that need attending to ....

First ...

Please download AdwCleaner and save it to your desktop.

  • Double click AdwCleaner.exe to run it.
  • Click Delete.
  • Click OK to the prompt.
  • The tool will run & your computer will be rebooted automatically. A logfile will open after the restart.
  • Post the contents of the logfile with your next reply.
  • You can also find the logfile at C:\AdwCleaner[s1].txt.

Next ...

Download OTL by OldTimer to your Desktop.

If you already have a copy of OTL delete it and use this version.

  • Double click OTL.exe to launch the programme.
  • Check the following.
    • Scan all users.
    • Standard Output.
    • Lop check.
    • Purity check.
  • Under Extra Registry section, select Use SafeList
  • Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).
  • When finished it will produce two logs.
    • OTL.txt (open on your desktop).
    • Extras.txt (minimised in your taskbar)
  • Please post me both logs.

Summary of the logs I need from you in your next post:
  • ADWCleaner(s1).txt
  • OTL.txt
  • Extras.txt


Please post each log separately to prevent it being cut off by the forum post size limiter. If you can't post them, then attach them like before.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 5th, 2013, 3:11 pm

When I go to download the 2 tools (Adw cleaner and OTL), McAfee is telling me in a bold red warning not to go there. It says both of those sites are known to contain viruses, spyware, and other things that can damage my computer.
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm

Re: Hijacker.Medfos.B

Post by Gary R » November 5th, 2013, 6:11 pm

Ignore McAfee, neither of those tools contains any infection, though because of their functionality they can sometimes get flagged by heuristics as being dangerous/hazardous.

No tool I ask you to download will contain anything that is malicious.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 5th, 2013, 11:09 pm

Here are two of the downloads. I'm having trouble with the Adw cleaner text. Something about not allowing .exe? I'll try the Adw cleaner download again, and if it works, I'll submit the attachment. Jim
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 5th, 2013, 11:22 pm

Hopefully, this is the Adw cleaner download. Seems to have failed again. Says "the extension exe is not allowed". Now what? Jim
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 5th, 2013, 11:36 pm

Hopefully this works!
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm

Re: Hijacker.Medfos.B

Post by Gary R » November 6th, 2013, 2:35 am

Not too much showing in your latest logs ...

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box.
(do not include the line Code: Select All)
Code: Select all
:OTL
IE - HKU\S-1-5-21-3943551816-2030989817-4046163665-1000\..\SearchScopes\{D4274864-471C-4BC5-A1C6-F18A41FEFA33}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=PSI&o=15116&src=kw&q={searchTerms}&locale=&apn_ptnrs=L6&apn_dtid=YYYYYYYYUS&apn_uid=39b13662-beb5-4481-a528-53554980ad1e&apn_sauid=7782B19A-8F58-499D-ADE0-DBDEA33487E1
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
[2013/05/12 22:26:01 | 000,045,967 | ---- | C] () -- C:\Users\Jim\AppData\Local\dnpxlclg

:Commands
[emptytemp]
[resethosts]

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Next ....

Please run a scan with ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.
  • Please go HERE then click on Run ESET Online Scanner
Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.
All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient, this may take some time depending on the speed of your Internet Connection.
  • When completed click on Start to start the scan.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed you will be presented with a list of found threats ....
    • Click on the List of found threats link
    • Click on Export to text file
    • Save as ESET.txt to your Desktop
  • Exit out of ESET Online Scanner.
  • Post me the contents of ESET.txt please.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 6th, 2013, 4:12 pm

Here are the results from OTL and ESET. The OTL log was actually 13 numbers in a notepad. Your website won't let me attach it, and then upload. Says "The extension log is not allowed." I then tried renaming it as "OTL.txt", but it wouldn't allow it to be uploaded as well. I don't know how to get that scan log to you.
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 6th, 2013, 4:17 pm

========== OTL ==========
Registry key HKEY_USERS\S-1-5-21-3943551816-2030989817-4046163665-1000\Software\Microsoft\Internet Explorer\SearchScopes\{D4274864-471C-4BC5-A1C6-F18A41FEFA33}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D4274864-471C-4BC5-A1C6-F18A41FEFA33}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
C:\Users\Jim\AppData\Local\dnpxlclg moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 56466 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Guest
->Temp folder emptied: 53611 bytes
->Temporary Internet Files folder emptied: 556255 bytes
->FireFox cache emptied: 8502766 bytes
->Flash cache emptied: 56466 bytes

User: Jim
->Temp folder emptied: 618165427 bytes
->Temporary Internet Files folder emptied: 232402003 bytes
->FireFox cache emptied: 101823247 bytes
->Google Chrome cache emptied: 103861801 bytes
->Flash cache emptied: 205403 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 736632136 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 42287446 bytes
RecycleBin emptied: 103293742 bytes

Total Files Cleaned = 1,858.00 mb

C:\Windows\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 11062013_101930

Files\Folders moved on Reboot...
C:\Users\Jim\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
C:\Users\Jim\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 6th, 2013, 5:29 pm

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\Users\Jim\Downloads\ArcadeCandyGames(1).exe a variant of Win32/Adware.Gamevance.DD application
C:\Users\Jim\Downloads\ArcadeCandyGames(2).exe a variant of Win32/Adware.Gamevance.DD application
C:\Users\Jim\Downloads\ArcadeCandyGames(3).exe a variant of Win32/Adware.Gamevance.DD application
C:\Users\Jim\Downloads\ArcadeCandyGames(4).exe a variant of Win32/Adware.Gamevance.DD application
C:\Users\Jim\Downloads\ArcadeCandyGames(5).exe a variant of Win32/Adware.Gamevance.DD application
C:\Users\Jim\Downloads\ARO2013_tbt.exe a variant of Win32/Bundled.Toolbar.Ask.D application
C:\Users\Jim\Downloads\iTunes_Setup.exe Win32/Spy.Zbot.ZR trojan
C:\Users\Jim\Downloads\ZipExtractorSetup.exe a variant of Win32/InstallCore.CW application


I managed to cut/paste both the logs you wanted. Sorry about my lack of expertise on a computer. Jim
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm
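
An added example, not part of the thread and not code from any poster or from ESET: a small triage parser for the ESET.txt export format shown in the post above. It splits each line into path, detection name and class, then separates the one `trojan` detection from the `application` entries; the field names and the reading of `application` as the unwanted/unsafe-application class enabled in the scan settings are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Lines copied from the ESET.txt export posted in this thread.
ESET_LOG = r"""
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
C:\Users\Jim\Downloads\ArcadeCandyGames(1).exe a variant of Win32/Adware.Gamevance.DD application
C:\Users\Jim\Downloads\ArcadeCandyGames(2).exe a variant of Win32/Adware.Gamevance.DD application
C:\Users\Jim\Downloads\ARO2013_tbt.exe a variant of Win32/Bundled.Toolbar.Ask.D application
C:\Users\Jim\Downloads\iTunes_Setup.exe Win32/Spy.Zbot.ZR trojan
C:\Users\Jim\Downloads\ZipExtractorSetup.exe a variant of Win32/InstallCore.CW application
"""

# Paths contain spaces and parentheses, so the path group is matched lazily
# and the platform/name token (the only one containing "/") anchors the rest.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<variant>a variant of\s+)?"
    r"(?P<name>\w+/[\w.]+)\s+(?P<kind>[A-Za-z ]+)$"
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = PureWindowsPath(m["path"]).parts
    if "Downloads" in parts:
        where = "download"      # installer file sitting in a Downloads folder
    elif any(p.startswith("Program Files") for p in parts):
        where = "installed"     # component of installed software
    else:
        where = "other"
    return {
        "path": m["path"],
        "name": m["name"],
        "family": m["name"].split("/", 1)[1].rsplit(".", 1)[0],
        "variant_match": bool(m["variant"]),
        "kind": m["kind"],
        "where": where,
    }

def triage(log_text):
    findings = [f for f in map(parse_line, log_text.splitlines()) if f]
    by_family = defaultdict(list)
    for f in findings:
        by_family[f["family"]].append(f["path"])
    # Assumption: "application" is the unwanted/unsafe-application class.
    malware = [f for f in findings if f["kind"] != "application"]
    return findings, dict(by_family), malware
```
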

Re: Hijacker.Medfos.B

Post by Gary R » November 6th, 2013, 6:07 pm

  • Double click OTL.exe to launch the programme.
  • Copy/Paste the contents of the code box below into the Custom Scans/Fixes box. (do not include the line Code: Select All)
Code: Select all
:Files
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe
C:\Users\Jim\Downloads\ArcadeCandyGames(1).exe
C:\Users\Jim\Downloads\ArcadeCandyGames(2).exe
C:\Users\Jim\Downloads\ArcadeCandyGames(3).exe
C:\Users\Jim\Downloads\ArcadeCandyGames(4).exe
C:\Users\Jim\Downloads\ArcadeCandyGames(5).exe
C:\Users\Jim\Downloads\ARO2013_tbt.exe
C:\Users\Jim\Downloads\iTunes_Setup.exe
C:\Users\Jim\Downloads\ZipExtractorSetup.exe
ipconfig /flushdns /c

  • Click the Run Fix button.
  • OTL will now process the instructions.
  • When finished a box will open asking you to open the fix log, click OK.
  • The fix log will open.
  • Copy/Paste the log in your next reply please.

Note: If necessary, OTL may re-boot your computer, or request that you do so, if it does, re-boot your computer. A log will be produced upon re-boot.

Let me know how your computer is behaving now please.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Hijacker.Medfos.B

Post by MtMercy+ » November 6th, 2013, 7:03 pm

C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe moved successfully.
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe moved successfully.
C:\Users\Jim\Downloads\ArcadeCandyGames(1).exe moved successfully.
C:\Users\Jim\Downloads\ArcadeCandyGames(2).exe moved successfully.
C:\Users\Jim\Downloads\ArcadeCandyGames(3).exe moved successfully.
C:\Users\Jim\Downloads\ArcadeCandyGames(4).exe moved successfully.
C:\Users\Jim\Downloads\ArcadeCandyGames(5).exe moved successfully.
C:\Users\Jim\Downloads\ARO2013_tbt.exe moved successfully.
C:\Users\Jim\Downloads\iTunes_Setup.exe moved successfully.
C:\Users\Jim\Downloads\ZipExtractorSetup.exe moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Jim\Downloads\cmd.bat deleted successfully.
C:\Users\Jim\Downloads\cmd.txt deleted successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 11062013_165922

I will try it out and let you know.
MtMercy+
Active Member
 
Posts: 12
Joined: November 4th, 2013, 4:29 pm