Impossible to clean onclkds.com infection - with FRST


Post by willmarpo » January 27th, 2017, 10:42 pm

Sorry, was unaware of FRST. Here it goes again:
Hi.
My son started playing online games on my laptop. I had VIPRE antivirus with web defense activated, so I thought I could not get an infection; well, it happened.

Symptoms: When I open IE and type a site's address, it gets redirected to a searchtext.pro/dori page. Then, in IE, Firefox and Chrome, on the first load of a page, any click I make opens a new window with an address onclkds.com/?zoneid=

First, I downloaded Malwarebytes and ran it; it discovered PUP.Optional.Spigot, which I removed. But the problem was still there. Then I tried other malware scanners: Zemana AntiMalware, HitmanPro, AdwCleaner, Adware Removal Tool by TSA, Bitdefender antimalware, SUPERAntiSpyware, JRT, Kaspersky, msert, Spybot, Grind, 360 Security. NOTHING. None of them discovered any malware. Well, Grind discovered a registry entry for RMPL.Shopper, and SUPERAntiSpyware encountered traces of Scorpion.

Manual cleaning: I checked and there are no suspicious installs and no add-ons. I did a reset of all three browsers, I even reinstalled Firefox from scratch, I checked services, running processes, startup apps, and looked through regedit… NOTHING.
Any ideas?
Thanks
willmarpo
Active Member
 
Posts: 3
Joined: January 27th, 2017, 10:00 pm

Re: Impossible to clean onclkds.com infection - with FRST

Post by capnkrunch » January 30th, 2017, 5:21 pm

Hello willmarpo :)

Apologies for the delay in getting to your topic. I am currently reviewing your logs and will reply shortly.
capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Impossible to clean onclkds.com infection - with FRST

Post by capnkrunch » January 30th, 2017, 5:39 pm

Warning!
The steps presented in these posts are for this person and machine ONLY. Do not apply these steps to your own system without the guidance of a trained malware removal helper. Doing so may damage your system, preventing it from starting.

Hello and welcome to the Malware Removal Forums :)

My name is capnkrunch and I will be helping you with your malware problems.

Before we begin, please read and follow these important guidelines, so things will proceed smoothly.
  • The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  • You must have Administrator rights, permissions for this computer.
  • DO NOT run any other fix or removal tools unless instructed to do so.
  • DO NOT install any other software (or hardware) during the cleaning process.
  • Only post your problem at (1) one help site. Applying fixes from multiple help sites can cause problems.
  • Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
  • Only reply to this thread; do not start another. Please continue responding until I give you the "All Clean".
    Remember, absence of symptoms does mean the infection is all gone.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Failure to respond for 3 days, will result in your topic being closed.

Note: If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.


For your safety and protection, I would advise backing up all your important documents, personal data files and photos to a CD or DVD drive, as some infections may render your computer unbootable during or before the disinfection process. The safest practice is not to back up any files with the following file extensions:
.exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Impossible to clean onclkds.com infection - with FRST

Post by capnkrunch » January 30th, 2017, 5:50 pm

Step one...

Please answer these questions:
  • Is this computer used for business purposes, including home or small business?
  • Is this computer connected to an educational network, for example at a university?
I need to know in order to provide accurate instructions.

Step two...

CKScanner
Please download CKScanner and save it to your Desktop.
This program should only be run once!
Make sure that CKScanner.exe is on your desktop before running the application!

  • Right click on the CKScanner.exe icon and select Run as administrator.
  • Click the Search For Files button.
  • When the scan is finished (the cursor hourglass disappears) click the Save List To File button.
    A text file will be created on your desktop named "ckfiles.txt"
  • Click OK at the file saved message box. Double-click on the ckfiles.txt icon on your desktop.
  • Please copy/paste the contents of ckfiles.txt in your next reply.

Step three...

MGA Diagnostic Tool
  • Please download MGA Diagnostic Tool and save it to your Desktop.
  • Right click on MGADiag.exe and select Run as administrator.
  • Click on Continue to run the scan.
  • Once the scan is finished click Copy to copy the results. Paste them in your reply.

Please post each log separately to prevent it being cut off by the forum post size limiter.
Check each after you've posted it to make sure it's all present, if any log is cut off you'll have to post it in sections...

In your next reply please include:
  • Did you have any problems with the instructions?
  • Answers to my questions
  • ckfiles.txt
  • The MGADiag report
  • Are there any changes in computer behavior?
capnkrunch
MRU Master
 
Posts: 793
Joined: March 20th, 2015, 6:41 pm
Location: Chicago

Re: Impossible to clean onclkds.com infection - with FRST

Post by willmarpo » January 30th, 2017, 8:21 pm

Hi. Thanks for your help.
1. No problems with the instructions.
2. This is my personal laptop, and I use it for almost everything. I compose music with it, do video editing, write, and sometimes I use it to connect to my work computer at work (when I work from home) using VPN. I do teach at the university, but I only use the laptop to display slides; I never connect it to the campus network. I may also do some apps sometimes (not frequently) as a freelance project. I'm also working on developing an app that I want to commercialize in the future.
3. CKFiles
CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\cakewalk\vstplugins\rxp\contents\loopmasters\rex loops\house techno trance\john flemming and digital blonde\00db_tamb_cracking-dry_133.rx2
c:\program files\cakewalk\vstplugins\rxp\contents\sample magic\breakbusters\breaks_synthloop_130_digicrackler_f.rx2
c:\program files\cakewalk\vstplugins\rxp\contents\sample magic\nu-rave\nr_syn130_crackline2_gb.rx2
c:\program files (x86)\git\bin\ssh-keygen.exe
c:\program files (x86)\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\program files (x86)\ssh communications security\ssh secure shell\ssh-keygen2.exe
c:\users\wmartinez\dropbox\ecci\maestria\seguridadaplicada\hack_x_crack_scapy.pdf
c:\users\wmartinez\dropbox\ecci\maestria\seguridadaplicada\tareabufferoverflow\882327-firecracker.txt
c:\users\wmartinez\dropbox\ecci\maestria\seguridadaplicada\tareabufferoverflow\firecracke-exploit.s
c:\users\wmartinez\dropbox\ecci\maestria\seguridadii\laboratorio_ataque_contrasenas\lc5crackpwd.xlsx
c:\users\wmartinez\dropbox\ecci\maestria\seguridadii\laboratorio_ataque_contrasenas\linuxcracks.xlsx
c:\users\wmartinez\favorites\movies & tv\crackle - películas gratis online.url
scanner sequence 3.FF.11.EVNAAZ
----- EOF -----
4. MGADiag
Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->

Validation Code: 0
Cached Online Validation Code: 0x0
Windows Product Key: *****-*****-4THM3-74PDB-4P2KH
Windows Product Key Hash: 88kCx56CIRkBJG3+gKpBHkCTqAA=
Windows Product ID: 00371-OEM-8992671-00137
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 6.1.7601.2.00010100.1.0.048
ID: {895CB453-4133-477F-99C9-B93354167A42}(1)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: Windows 7 Professional
Architecture: 0x00000009
Build lab: 7601.win7sp1_ldr.161007-0600
TTS Error:
Validation Diagnostic:
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002

Windows XP Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
OGAExec.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 109 N/A
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-364-80041010_025D1FF3-229-80041010_025D1FF3-230-1_025D1FF3-517-80040154_025D1FF3-237-80040154_025D1FF3-238-2_025D1FF3-244-80070002_025D1FF3-258-3

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files (x86)\Mozilla Firefox\firefox.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{895CB453-4133-477F-99C9-B93354167A42}</UGUID><Version>1.9.0027.0</Version><OS>6.1.7601.2.00010100.1.0.048</OS><Architecture>x64</Architecture><PKey>*****-*****-*****-*****-4P2KH</PKey><PID>00371-OEM-8992671-00137</PID><PIDType>2</PIDType><SID>S-1-5-21-374155167-3560257060-3864837840</SID><SYSTEM><Manufacturer>TOSHIBA</Manufacturer><Model>PORTEGE Z930</Model></SYSTEM><BIOS><Manufacturer>TOSHIBA</Manufacturer><Version>Version 6.50 </Version><SMBIOSVersion major="2" minor="5"/><Date>20121126000000.000000+000</Date></BIOS><HWID>6DE90400018400FE</HWID><UserLCID>0409</UserLCID><SystemLCID>0C0A</SystemLCID><TimeZone>Hora estándar, América Central(GMT-06:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM><OEMID>TOSHIB</OEMID><OEMTableID>A0082 </OEMTableID></OEM><GANotification/></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Spsys.log Content: 0x80070002

Licensing Data-->
Versión del Servicio de licencias de software: 6.1.7601.17514

Nombre: Windows(R) 7, Professional edition
Descripción: Windows Operating System - Windows(R) 7, OEM_SLP channel
Id. de activación: 50e329f7-a5fa-46b2-85fd-f224e5da7764
Id. de aplicación: 55c92734-d682-4d71-983e-d6ec3f16059f
PID extendido: 00371-00178-926-700137-02-3082-7601.0000-0092013
Id. de instalación: 010196468335868904593374192456289262009520049740700092
URL del certificado de procesador: http://go.microsoft.com/fwlink/?LinkID=88338
URL del certificado de maquina: http://go.microsoft.com/fwlink/?LinkID=88339
URL de la licencia de uso: http://go.microsoft.com/fwlink/?LinkID=88341
URL del certificado de clave de producto: http://go.microsoft.com/fwlink/?LinkID=88340
Clave de producto parcial: 4P2KH
Estado de la licencia: con licencia
Recuento de rearmado de Windows restante: 2
Hora de confianza: 1/30/2017 6:05:18 PM

Windows Activation Technologies-->
HrOffline: 0x00000000
HrOnline: 0x00000000
HealthStatus: 0x0000000000000000
Event Time Stamp: 10:30:2016 18:36
ActiveX: Registered, Version: 7.1.7600.16395
Admin Service: Registered, Version: 7.1.7600.16395
HealthStatus Bitmask Output:


HWID Data-->
HWID Hash Current: LgAAAAAAAgABAAEAAAABAAAAAwABAAEAonawAoa9hEoyGDwcUhPMNGjqDJSWYw==

OEM Activation 1.0 Data-->
N/A

OEM Activation 2.0 Data-->
BIOS valid for OA 2.0: yes
Windows marker version: 0x20001
OEMID and OEMTableID Consistent: yes
BIOS Information:
ACPI Table Name OEMID Value OEMTableID Value
APIC TOSHIB A0082
FACP TOSHIB A0082
HPET TOSHIB A0082
BOOT TOSHIB A0082
MCFG TOSHIB A0082
ASF! TOSHIB A0082
TCPA TOSHIB A0082
MSDM TOSHIB A0082
SLIC TOSHIB A0082
SSDT TOSHIB SataAhci
SSDT TOSHIB SataAhci
SSDT TOSHIB SataAhci
SSDT TOSHIB SataAhci
SSDT TOSHIB SataAhci
FPDT TOSHIB A0082

5. Now, I started IE and it didn't redirect me to another page when I typed the site in the address bar, but when I clicked, it opened a new window with a popup saying I was a Facebook winner and I had to accept my prize. On FF and Chrome it didn't display new windows when I first clicked a page, as was happening before.
willmarpo
Active Member
 
Posts: 3
Joined: January 27th, 2017, 10:00 pm
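As an added example (not CKScanner's code and not part of the post), here is a small Python triage pass over the ckfiles.txt list quoted above. It assumes that two keywords, "crack" and "keygen", account for every hit (CKScanner's real keyword list is not on the page), and it separates whole-token matches from mere substring matches, which is the first distinction a helper makes when reading a report that says its entries "are not necessarily bad".

```python
import re

# Keywords that account for every hit in the list above; CKScanner's real
# keyword list is not on the page, so this pair is an assumption.
KEYWORDS = ("crack", "keygen")

# ckfiles.txt as quoted in the post above, header and trailer included, so
# the parser has to skip the non-path lines.
CKFILES_TXT = r"""CKScanner 2.5 - Additional Security Risks - These are not necessarily bad
c:\program files\cakewalk\vstplugins\rxp\contents\loopmasters\rex loops\house techno trance\john flemming and digital blonde\00db_tamb_cracking-dry_133.rx2
c:\program files\cakewalk\vstplugins\rxp\contents\sample magic\breakbusters\breaks_synthloop_130_digicrackler_f.rx2
c:\program files\cakewalk\vstplugins\rxp\contents\sample magic\nu-rave\nr_syn130_crackline2_gb.rx2
c:\program files (x86)\git\bin\ssh-keygen.exe
c:\program files (x86)\inkscape\python\lib\site-packages\numpy\f2py\crackfortran.py
c:\program files (x86)\ssh communications security\ssh secure shell\ssh-keygen2.exe
c:\users\wmartinez\dropbox\ecci\maestria\seguridadaplicada\hack_x_crack_scapy.pdf
c:\users\wmartinez\dropbox\ecci\maestria\seguridadaplicada\tareabufferoverflow\882327-firecracker.txt
c:\users\wmartinez\dropbox\ecci\maestria\seguridadaplicada\tareabufferoverflow\firecracke-exploit.s
c:\users\wmartinez\dropbox\ecci\maestria\seguridadii\laboratorio_ataque_contrasenas\lc5crackpwd.xlsx
c:\users\wmartinez\dropbox\ecci\maestria\seguridadii\laboratorio_ataque_contrasenas\linuxcracks.xlsx
c:\users\wmartinez\favorites\movies & tv\crackle - películas gratis online.url
scanner sequence 3.FF.11.EVNAAZ
----- EOF -----
"""

# A report line is a path when it starts with a drive letter and a backslash.
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

def parse_ckfiles(text):
    """Return only the file paths from a ckfiles.txt report (header/trailer dropped)."""
    return [ln.strip() for ln in text.splitlines() if PATH_RE.match(ln)]

def classify(path):
    """Return (keyword, whole_token) for the first keyword in the file name.

    whole_token is True only when the keyword is a complete token of the base
    name ('ssh-keygen.exe', 'hack_x_crack_scapy.pdf'); 'crackfortran.py' or
    'firecracker.txt' merely contain it, the usual shape of a false positive.
    """
    name = path.rsplit("\\", 1)[-1].lower()
    tokens = set(re.split(r"[\W_]+", name))  # split on '-', '_', '.', spaces
    for kw in KEYWORDS:
        if kw in name:
            return kw, kw in tokens
    return None, False

def triage(text):
    """Map each flagged path to (keyword, whole_token) for manual review."""
    return {p: classify(p) for p in parse_ckfiles(text)}
```

Of the 12 paths in the report only ssh-keygen.exe and hack_x_crack_scapy.pdf match a keyword as a whole token; the other ten are substring hits, which is why a helper still reads the list by hand rather than trusting the count.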

Re: Impossible to clean onclkds.com infection - with FRST

Post by pgmigg » January 31st, 2017, 3:58 pm

Business Use / Illegal software
It appears you are using your computer for business purposes or you used illegal software.

May I draw your attention to the topic: ALL USERS OF THIS FORUM MUST READ THIS FIRST, which you should have read before posting for help.

The section here explains why we do not offer help for such computers. Thank you for your understanding.


This topic is now closed.
pgmigg
Admin/Teacher
 
Posts: 5457
Joined: July 8th, 2008, 1:25 pm
Location: GMT-05:00