A virus and trojan?

aaroncaz

I was trying to reinstall the google toolbar and have manged to install something called omega plus which is making avast go crazy, how can i get rid of it please, trying to unistall it but not working.

tavernman

aaroncaz wrote: »

I was trying to reinstall the google toolbar and have manged to install something called omega plus which is making avast go crazy, how can i get rid of it please, trying to unistall it but not working.

Sorry but why , go back to square one and re-run adwarecleaner, and post the log please

aaroncaz

# AdwCleaner v4.107 - Report created 16/01/2015 at 22:57:56
# Updated 07/01/2015 by Xplode
# Database : 2015-01-13.2 [Live]
# Operating System : Windows 8.1 (64 bits)
# Username : Aaroncaz - CAROLAARON
# Running from : C:\Users\Aaroncaz\AppData\Local\Microsoft\Windows\INetCache\IE\ZKVFO2IF\adwcleaner_4.107.exe
# Option : Clean
***** [ Services ] *****

***** [ Files / Folders ] *****
Folder Deleted : C:\Users\Aaroncaz\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
***** [ Scheduled Tasks ] *****
Task Deleted : Searchya
***** [ Shortcuts ] *****

***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Deleted : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ams1.ib.adnxs.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\fra1.ib.adnxs.com
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17416

-\\ Mozilla Firefox v34.0.5 (x86 en-GB)

-\\ Google Chrome v39.0.2171.99
[C:\Users\Aaroncaz\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://uk.ask.com/web?q={searchTerms}
*************************
AdwCleaner[R0].txt - [1738 octets] - [16/01/2015 22:54:07]
AdwCleaner[S0].txt - [1675 octets] - [16/01/2015 22:57:56]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1735 octets] ##########
# AdwCleaner v4.108 - Report created 18/01/2015 at 19:24:19
# Updated 17/01/2015 by Xplode
# Database : 2015-01-13.2 [Live]
# Operating System : Windows 8.1 (64 bits)
# Username : Aaroncaz - CAROLAARON
# Running from : C:\Users\Aaroncaz\Downloads\adwcleaner_4.108.exe
# Option : Clean
***** [ Services ] *****
Service Deleted : WindowsMangerProtect
Service Deleted : IHProtect Service
Service Deleted : Internet Enhancer Service
***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\WindowsMangerProtect
Folder Deleted : C:\ProgramData\IHProtectUpDate
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Super Optimizer
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WaInterEnhance
Folder Deleted : C:\Program Files (x86)\Wajam
Folder Deleted : C:\Program Files (x86)\Super Optimizer
Folder Deleted : C:\Program Files (x86)\XTab
Folder Deleted : C:\Program Files (x86)\WaInterEnhance
Folder Deleted : C:\Users\Aaroncaz\AppData\Roaming\omiga-plus
Folder Deleted : C:\Users\Aaroncaz\AppData\Roaming\Super Optimizer
Folder Deleted : C:\Users\Aaroncaz\Documents\Super Optimizer
Folder Deleted : C:\Users\Aaroncaz\AppData\Roaming\Mozilla\Firefox\Profiles\0mzgkl4v.default\Extensions\faststartff@gmail.com
Folder Deleted : C:\Users\Aaroncaz\AppData\Roaming\Mozilla\Firefox\Profiles\0mzgkl4v.default\Extensions\fftoolbar2014@etech.com
File Deleted : C:\Users\Aaroncaz\Desktop\Super Optimizer.lnk
File Deleted : C:\Users\Aaroncaz\AppData\Roaming\Mozilla\Firefox\Profiles\0mzgkl4v.default\searchplugins\omiga-plus.xml
***** [ Scheduled Tasks ] *****
Task Deleted : Searchya
Task Deleted : Super Optimizer Schedule
***** [ Shortcuts ] *****
Shortcut Disinfected : C:\Users\Public\Desktop\Google Chrome.lnk
Shortcut Disinfected : C:\Users\Public\Desktop\Mozilla Firefox.lnk
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
Shortcut Disinfected : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome\Google Chrome.lnk
Shortcut Disinfected : C:\Users\Aaroncaz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\Aaroncaz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
Shortcut Disinfected : C:\Users\Aaroncaz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Shortcut Disinfected : C:\Users\Aaroncaz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
Shortcut Disinfected : C:\Users\Aaroncaz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
Shortcut Disinfected : C:\Users\Aaroncaz\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Mozilla Firefox.lnk
***** [ Registry ] *****
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [faststartff@gmail.com]
Value Deleted : HKLM\SOFTWARE\Mozilla\Firefox\Extensions [fftoolbar2014@etech.com]
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
Key Deleted : HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\WindowsMangerProtect
Key Deleted : HKCU\Software\Mozilla\Extends
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\Google Chrome\shell\open\command
Data Restored : HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
Key Deleted : HKCU\Software\WajIEnhance
Key Deleted : HKCU\Software\WaInterEnhance
Key Deleted : HKCU\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{1146AC44-2F03-4431-B4FD-889BC837521F}
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{6791A2F3-FC80-475C-A002-C014AF797E9C}
Key Deleted : HKLM\SOFTWARE\omiga-plusSoftware
Key Deleted : HKLM\SOFTWARE\SupDp
Key Deleted : HKLM\SOFTWARE\supWindowsMangerProtect
Key Deleted : HKLM\SOFTWARE\IHProtect
Key Deleted : HKLM\SOFTWARE\WaInterEnhance
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\omiga-plus uninstall
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Super Optimizer_is1
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WaInterEnhance
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\isearch.omiga-plus.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\omiga-plus.com
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.17416
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page]
Setting Restored : HKCU\Software\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
Setting Restored : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Search_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Default_Page_URL]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Search Page]
Setting Restored : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page]
-\\ Mozilla Firefox v34.0.5 (x86 en-GB)
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("browser.newtab.url", "chrome://quick_start/content/index.html");
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("browser.search.defaultenginename", "omiga-plus");
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("browser.search.searchengine.alias", "omiga-plus");
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("browser.search.searchengine.iconURL", "hxxp://isearch.omiga-plus.com/favicon.ico");
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("browser.search.searchengine.name", "omiga-plus");
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("browser.search.searchengine.url", "hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1421607892&from=air&uid=HitachiXHTS545050A7E380_TA85113VCSDZJNCSDZJNX&q={searchTerms}");
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("browser.search.selectedEngine", "omiga-plus");
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("browser.startup.homepage", "hxxp://isearch.omiga-plus.com/?type=hp&ts=1421607892&from=air&uid=HitachiXHTS545050A7E380_TA85113VCSDZJNCSDZJNX");
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("extensions.quick_start.enable_search1", false);
[0mzgkl4v.default\prefs.js] - Line Deleted : user_pref("extensions.quick_start.sd.closeWindowWithLastTab_prev_state", false);
-\\ Google Chrome v39.0.2171.99
[C:\Users\Aaroncaz\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1421607892&from=air&uid=HitachiXHTS545050A7E380_TA85113VCSDZJNCSDZJNX&q={searchTerms}
[C:\Users\Aaroncaz\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://isearch.omiga-plus.com/web/?type=ds&ts=1421607892&from=air&uid=HitachiXHTS545050A7E380_TA85113VCSDZJNCSDZJNX&q={searchTerms}
*************************
AdwCleaner[R0].txt - [10833 octets] - [16/01/2015 22:54:07]
AdwCleaner[S0].txt - [9932 octets] - [16/01/2015 22:57:56]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [9992 octets] ##########

aaroncaz

Ok sorry abt that . Stupid me, it seems to have gone but now when I open a new tab/page it says google Greece.

tavernman

OK download FRST (64 bit version) http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Just press the Scan button

And post the FRST.txt and the Addition.txt (separate posts please.

aaroncaz

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.1 (12.28.2014:1)
OS: Windows 8.1 x64
Ran by Aaroncaz on 18/01/2015 at 19:50:50.17
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~ Services


~~~ Registry Values


~~~ Registry Keys


~~~ Files
Successfully deleted: [File] C:\WINDOWS\prefetch\GOOGLE TOOLBAR SETUP.EXE-ED3150A9.pf
Successfully deleted: [File] C:\WINDOWS\prefetch\GOOGLETOOLBAR.EXE-96990390.pf
Successfully deleted: [File] C:\WINDOWS\prefetch\GOOGLETOOLBARINSTALLER_EN_SIG-8BE1B91F.pf
Successfully deleted: [File] C:\WINDOWS\prefetch\GOOGLETOOLBARMANAGER_8CA8B414-D855646C.pf
Successfully deleted: [File] C:\WINDOWS\prefetch\GOOGLETOOLBARNOTIFIER.EXE-B25C45A8.pf
Successfully deleted: [File] C:\WINDOWS\prefetch\GOOGLETOOLBARUSER_32.EXE-992C17DF.pf
Successfully deleted: [File] C:\WINDOWS\prefetch\ASKUQYQWRD.EXE-FD3A5EE9.pf


~~~ Folders


~~~ Event Viewer Logs were cleared




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 18/01/2015 at 19:55:49.70
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

aaroncaz

it wont let me post text, moneysving expert.

aaroncaz

says my request has been blocked.

tavernman

aaroncaz wrote: »

says my request has been blocked.

Forum being a git again it's usually either the http or the system32 bits its objecting to , give me a moment

GT60

Thanks to Tavernman I am learning off this
rightly or wrongly I would have also delete the virus's etc through programme files x86 and regedit too