
Malware Removal Instructions

Infected with IDP.Program.D1B0A5C0


Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 27th, 2014, 8:02 pm

Sorry I forgot to post the search log.
In the first account I still can't run any programs and I get the same message.

Farbar Recovery Scan Tool (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-25 21:00:20
Running from C:\Users\Yael\Desktop
Boot Mode: Normal

================== Search Registry: "ALOT;AnyProtect;Babylon;BetterBrain;BlockAndSurf;ConvertAd;DealCabby;EasyDriver;RemoteDesktopAccess;RocketTab;Savepass;SearchProtect;snipsmart;StormWatch;Vosteran;WSE_Vosteran;Zoomify" ===========


===================== Search result for "Babylon" ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\"=""


===================== Search result for "Savepass" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F01C9629-786E-4839-8FF7-847F84891C37}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"


===================== Search result for "Vosteran" ==========

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

[HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"

====== End Of Search ======
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 27th, 2014, 8:03 pm

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-27 18:52:28 Run:7
Running from C:\Users\Yael\Desktop
Loaded Profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara (Available profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\...\MountPoints2: {4eef8173-e036-11e1-8a92-c89cdcb53833} - F:\LaunchU3.exe -a
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q= {searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = http://start.funmoods.com/results.php?f=4&q= {searchTerms}&a=adknlg&chnl=adknlg&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0CtCzzyEtN1L2XzutBtFtCtFtDtFtAtDtC&cr=996414931
SearchScopes: HKU\S-1-5-21-4229975068-1931466670-3666739151-1002 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
CHR StartupUrls: Default -> "hxxp://Vosteran.com/?f=7&a=vst_cmi_14_47_ch&cd=2XzuyEtN2Y1L1Qzu0Czzzy0C0D0C0ByDtAzztAtAyDtAyB0EtN0D0Tzu0StCtDyDyBtN1L2XzutAtFyCtFyCtFtDtN1L1CzutCyEtBzytDyD1V1OtN1L1G1B1V1N2Y1L1Qzu2StAzz0B0A0DtB0E0AtG0ByByByDtGyE0FyByBtG0FtB0C0FtGtAyDyDyEtBtB0DtDtD0EtAzz2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0F0Azy0FyB0EyD0FtGyCzztAtAtGyEtDyDyEtGzztB0FtDtG0AyC0B0AtDzy0EtCyB0E0DyE2Q&cr=960361997&ir="
Hosts:
EmptyTemp:
*****************

"HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4eef8173-e036-11e1-8a92-c89cdcb53833}" => Key deleted successfully.
"HKCR\CLSID\{4eef8173-e036-11e1-8a92-c89cdcb53833}" => Key not found.
HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key deleted successfully.
"HKCR\CLSID\{67A2568C-7A0A-4EED-AECC-B5405DE63B64}" => Key not found.
"HKU\S-1-5-21-4229975068-1931466670-3666739151-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key deleted successfully.
"HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => Key not found.
Chrome StartupUrls deleted successfully.
C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 16.5 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » December 28th, 2014, 2:35 am

OK, let's get rid of the last few things found by the Search scan, then we'll see if we can do anything about the problems with the 1st account.

So ...

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad (don't include Code: Select all).
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F01C9629-786E-4839-8FF7-847F84891C37}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v "Progid" /f

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Next ....

  • Download a copy of FRST64 onto a USB drive, and plug it into your computer.
  • Leave it in place on the USB drive (do not transfer it to the computer's Desktop).
  • Now, when logged into the FRST account (the one with the problems), try running a scan with FRST from the USB drive, using the instructions below ...
    • Double click Frst.exe to launch it.
    • FRST will start to run.
      • When the tool opens click Yes to disclaimer.
      • Check to ensure the Addition.txt button in the bottom right of the interface is checked.
      • Press the Scan button.
      • When finished scanning 2 logs will open on your Desktop, FRST.txt and Addition.txt
      • Please post them in your next reply.

If you're unable to run FRST in this way on the problem account, please let me know.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
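The fixlist above is built line by line from the Search Registry hits in the earlier log. As an added example (not FRST's code or anything the helper posted), the following parses that search output into (term, key, value, data) hits and derives the corresponding "Reg:" lines; the sample log is constructed and the key-versus-value rule is my own heuristic.

```python
import re

# Constructed sample modelled on the FRST "Search Registry" output posted
# earlier in the thread (SID shortened; not the user's actual log).
SAMPLE_SEARCH_LOG = r"""
===================== Search result for "Babylon" ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\"=""
===================== Search result for "Savepass" ==========
[HKEY_USERS\S-1-5-21-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F01C9629-786E-4839-8FF7-847F84891C37}]
"AppPath"="C:\Program Files (x86)\Savepass 3.0"
===================== Search result for "Vosteran" ==========
[HKEY_USERS\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
"Progid"="VosteranHTML.XAQEHVRZTKJGE27YQRA7GQFX4I"
====== End Of Search ======
"""

HEADER_RE = re.compile(r'^=+ Search result for "(?P<term>[^"]+)" =+$')
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f-]{36}\}$')


def parse_search_log(text):
    """Return (search_term, key, value_name, data) for every hit in the log."""
    findings, term, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            term = m.group("term")
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and term and key:
            findings.append((term, key, m.group("name"), m.group("data")))
    return findings


def fixlist_lines(findings):
    """Turn hits into FRST 'Reg:' lines following the pattern of the fixlist
    posted above. Heuristic (my assumption, not an FRST rule): when the hit
    sits under a key whose leaf is a GUID that exists only for that entry
    (an ElevationPolicy entry, for instance), delete the whole key; otherwise
    delete just the matching value so the shared parent key stays."""
    lines = []
    for term, key, name, data in findings:
        leaf = key.rsplit("\\", 1)[-1]
        if GUID_RE.match(leaf) and term.lower() in data.lower():
            lines.append(f'Reg: Reg.exe delete "{key}" /f')
            continue
        # A value name ending in a backslash would escape the closing quote
        # under Windows command-line quoting rules, so double that backslash.
        arg = name + "\\" if name.endswith("\\") else name
        lines.append(f'Reg: Reg.exe delete "{key}" /v "{arg}" /f')
    return lines
```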

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 28th, 2014, 3:04 pm

Even when trying to run FRST64 from the USB it still does not work.

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 17-12-2014
Ran by Daddy at 2014-12-28 13:57:02 Run:8
Running from C:\Users\Yael\Desktop
Loaded Profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara (Available profiles: Daddy & Yael & Mommy & Shalom & Atara & Michal & Sara)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\" /f
Reg: Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F01C9629-786E-4839-8FF7-847F84891C37}" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice" /v "Progid" /f
Reg: Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v "Progid" /f

*****************


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar\CR" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar\IE" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F01C9629-786E-4839-8FF7-847F84891C37}" /f =========

The operation completed successfully.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice" /v "Progid" /f =========

ERROR: Access is denied.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice" /v "Progid" /f =========

ERROR: Access is denied.



========= End of Reg: =========


========= Reg.exe delete "HKEY_USERS\S-1-5-21-4229975068-1931466670-3666739151-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice" /v "Progid" /f =========

ERROR: Access is denied.



========= End of Reg: =========


==== End of Fixlog ====
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm
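A fixlog like the one above has to be read block by block to see which deletions actually took effect. As an added example (not FRST's code or the helper's), this parses the "Reg:" blocks and classifies each outcome; the excerpt is constructed to mirror the three results seen in the log.

```python
import re

# Constructed excerpt modelled on the fixlog posted above (keys shortened;
# not the user's actual log).
SAMPLE_FIXLOG = r"""
========= Reg.exe delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders" /v "C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared\" /f =========

Delete the registry value C:\Users\Daddy\AppData\Roaming\BabylonToolbar\Shared" /f (Yes/No)? ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========

========= Reg.exe delete "HKU\S-1-5-21-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F01C9629-786E-4839-8FF7-847F84891C37}" /f =========

The operation completed successfully.

========= End of Reg: =========

========= Reg.exe delete "HKU\S-1-5-21-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice" /v "Progid" /f =========

ERROR: Access is denied.

========= End of Reg: =========
"""

BLOCK_RE = re.compile(
    r'^=+ (?P<cmd>Reg\.exe .+?) =+\n(?P<body>.*?)^=+ End of Reg: =+$',
    re.MULTILINE | re.DOTALL,
)

# Checked in order; the first marker found in a block's body wins.
OUTCOMES = (
    ("denied", "Access is denied"),
    ("not_found", "unable to find the specified registry key or value"),
    ("ok", "The operation completed successfully"),
)


def parse_fixlog(text):
    """Return (command, outcome) for each 'Reg:' block in a FRST fixlog."""
    results = []
    for m in BLOCK_RE.finditer(text):
        body = m.group("body")
        outcome = next((tag for tag, marker in OUTCOMES if marker in body), "unknown")
        results.append((m.group("cmd"), outcome))
    return results


def outstanding(results):
    """Commands blocked by the key's ACL; these still need a different approach."""
    return [cmd for cmd, outcome in results if outcome == "denied"]


def summary(results):
    """Count outcomes, e.g. {'not_found': 1, 'ok': 1, 'denied': 1}."""
    counts = {}
    for _, outcome in results:
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts
```

Note the echoed name in the first block ends in `Shared" /f`: the trailing backslash escaped the closing quote, so Reg.exe looked up a value named `...Shared" /f`, and that "not found" says nothing about whether the intended value still exists. Doubling a trailing backslash (`Shared\\"`) is the standard command-line quoting that avoids this.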

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » December 29th, 2014, 2:13 am

OK, we're now going to see if we can get the 1st account to work properly again. It may take us a while to find out exactly what needs to be done.

We'll start with the simplest solution, and "escalate" things as and if we have to.

Before we do anything though, I'd like you to create a System Restore Point that we can restore to if we have to.

So ...

  • Log into the problem account.
  • click start and in the search programs and files box type create
  • from the list of items found by Windows, click on create a restore point
  • A system properties box will open.
    • Click on the Create button and then type an appropriate name into the create a restore point Window when it opens (something like "Pre-permissions change" will do).
    • click Create, and wait for Windows to create a restore point.
    • When finished, click Close, then exit out of the System Properties window.

Next ...

Once the SR Point has been created, and whilst still logged into the problem account ...

  • Click Start > Documents to open your Documents folder.
  • Right click in an empty area of the folder, and select Properties.
  • Click on the Restore Defaults button.

Are you now able to run any Programs ?

If not ...

Navigate to C:/Program Files and open the folder ....

  • Right-click in a blank area of the folder, and select Properties
  • Click on the Security tab.
  • In the Group or Usernames panel, scroll down to the account name that you're in, and click on it to select it.
  • Now check that the following items have a tick against them ...
    • Read and execute
    • List folder contents
    • Read
  • If any of them do not have a tick, please let me know.

Repeat the above sequence for the folder C:/Program Files (x86)
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 29th, 2014, 8:15 pm

I created the restore point in a different account because I was not able to create it in the first account. After I created it, when I tried to log into the first account I could not, and this message popped up: "The user profile service failed the logon. User profile cannot be loaded."
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » December 30th, 2014, 2:19 am

It would appear that the first account has sustained some kind of damage and/or corruption, and it may not be possible for us to repair it. Quite what has caused this I can't say. Certainly nothing that we've done so far should have caused this to happen.

However, as I said at the beginning, yours was a very badly infected machine, and the sheer volume of items that we've had to remove may have had an effect on your computer's stability. Equally, it may have nothing to do with it. You've been able to log into that account up to now, so why it should suddenly not be possible now, is a mystery to me.

Please try the following for me ....

  • Log onto your computer using the Mommy account.
  • Click start and in the Search programs and files box type cmd
  • From the list of items found, right-click on cmd.exe and select Run as administrator
  • A command window should now open ...
    • At the command prompt, type chkdsk /r then hit enter. (note the space between k and /)
    • You will get a prompt saying ... Chkdsk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts (Y/N)
    • Type Y then hit enter.

Exit out of the command window, and re-start your computer. When your computer boots, Windows will check your hard drive for errors, and will attempt to repair any damaged sectors that it finds. This can take quite a while, so please be patient, and do not interrupt the checking process.

When it finishes, please see if you can now log into the damaged account.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 31st, 2014, 9:57 am

To clarify the account that I could not log into was the Mommy account. Because I could not log into it I tried following your instructions using the Daddy account. Even after it finished I was not able to log onto the damaged account.
Thank you very much
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » December 31st, 2014, 10:28 am

OK, log into the Daddy account, and do the following please ....

  • Click start and in the Find files and folders box type cmd
  • In the list of items found, right click on cmd.exe and select Run as an Administrator
  • When the Command window opens type sfc /scannow at the prompt (note the space between c and /), then hit enter

Windows will now check your system files, and will attempt to repair any that it finds.

When the system file checker has finished running, check to see if you can log into the mommy account.

Let me know if you still have problems.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » December 31st, 2014, 8:34 pm

Even after this next step I still cannot log into the account.
Thank you very much
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » December 31st, 2014, 9:13 pm

OK, there's one last thing we can try, but if we do, then I want you to consider this ....

  1. Running the possible "fix" will replace most of what we've spent our time removing over the last few days.
  2. If your problems are being caused by hardware/OS problems rather than by our infection removal efforts (and it's quite possible that they might be), then this will not resolve things either.

So, your options seem to be ....

  1. If the other accounts are all working without problem, then you can accept things as they are, and create a new Mommy account. In which case you will have lost any personal data in the original Mommy account. We may be able to access the personal data and transfer it to the new Mommy account, but we could equally not be able to do so.
  2. Attempt a "fix", in which case it may or may not resolve the access issue to the Mommy account. If it does, we'll have to go through all the accounts and clean them again. If it doesn't, you still won't be able to access the Mommy account and we'll still have to clean the other accounts again.
Please understand, I'm not trying to pressurise you into making any decision that you may not want to, I'm just explaining what the situation is.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » January 1st, 2015, 5:12 pm

If we try the first option and are not able to access the personal data and transfer it would we be able to attempt a fix?
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » January 2nd, 2015, 2:21 am

Yes of course.

OK, let's see if we can access your personal files and folders first. To do this we need to use a Linux distro. It's a fairly straight forward process, but it's fairly involved, so I wrote a complete tutorial for it some time back, you'll find it .... HERE

Please follow the procedure as described in that article, and when finished, let me know if you were able to recover a copy of your personal files and folders.

If you're able to, then we can take things further, if not, we'll try for a fix.
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Infected with IDP.Program.D1B0A5C0

Unread postby shalom123 » January 4th, 2015, 12:08 am

OK I will try this however I am away from my computer right now so I will have to do it in a couple of days from now.
Thank you very much
shalom123
Regular Member
 
Posts: 43
Joined: December 18th, 2014, 9:26 pm

Re: Infected with IDP.Program.D1B0A5C0

Unread postby Gary R » January 4th, 2015, 2:18 am

Talk to you then, then. :thumbleft:
Gary R
Administrator
 
Posts: 21871
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
