Windows 10: I have contracted a Virus that shows many Ads

Discussion in 'AntiVirus, Firewalls and System Security' started by Writer, Nov 14, 2015.

  1. simrick Win User

    Accept the terms and click START


    Let it download the necessary files


    Now, make some modifications to the default scan:
    Click on Show Advanced Options and select the following:


    For Current Scan Targets, select Change
    Select all drives connected to your computer (NOT a DVD drive, of course).

    Let the scan run. Delete everything it flags as a problem.
     
    simrick, Nov 15, 2015
    #16
  2. Writer Win User

    Please refer to my previous post where I have added some material.

    I'll address all of your suggestions tomorrow.

    Thanks again.
     
    Writer, Nov 15, 2015
    #17
  3. simrick Win User
    Yes, sorry about that. I understand your pain. I do this for quite a lot of people all the time, so I am very familiar with the "bleary eyes"!

    Not good. I will do some more research on this.

    The fact that this has been going on for a week has got me concerned. The www-searching.com is hijackware/spyware that has the possibility to download additional malware in the background.

    The method to arrive at the proxy settings for Edge is shown below. However, that is not resetting the browser. But, please check the proxy settings first. I will need the log file from you from running RKILL, so please do that before you do anything else.

    No problem. Here is the method for getting to the proxy settings in Edge:

    click on the 3 dots, then click on Settings


    Scroll down and select Advanced Settings


    Then click on Open proxy settings


     
    simrick, Nov 15, 2015
    #18
  4. simrick Win User

    Okay I have found some information on a similar problem - Playthru Player.
    We will be using much of the same procedure as they did here, at Bleeping Computer.
    Let me say, here is exactly what I want you to do tomorrow:

    Create a restore point - name it BEGIN CLEANING

    1. Download and run RKILL; post the text file here. Do not reboot.

    2. Download and run TDSSKiller (exe version); post the results here.
    Here are the instructions from BC:

    • Open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

    If the program wants you to reboot, you may do so, but you will have to run RKILL again before you proceed.

    3. Run ADWCleaner again.
    Here are the instructions from BC:

    Double click on AdwCleaner.exe to run the tool again.
    • The tool will start to update the database, please wait a bit.
    • Click on the Scan button.
    • AdwCleaner will begin to scan your computer like it did before.
    • After the scan has finished...
      Click on the Clean button.
    • Press OK when asked to close all programs and follow the onscreen prompts.
    • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
    • After rebooting, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).
    • Copy and paste the contents of that logfile in your next reply.
    • A copy of that logfile will also be saved in the C:\AdwCleaner folder.

    If the program wants you to reboot, you may do so, but you will have to run RKILL again before you proceed.

    4. Run Junkware Removal Tool
    Here are instructions from BC:

    • Shut down your [anti-virus] protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Post the contents of JRT.txt into your next message.

    If the program wants you to reboot, you may do so, but you will have to run RKILL again before you proceed.

    5. Run the ESET Online Scan as per above posts. Also shut down your anti-virus when running this.
    Delete everything it finds.

    If the program wants you to reboot, you may do so, but you will have to run RKILL again before you proceed.

    6. Set another restore point - name it "Prepare to reset browsers"

    7. Please then reset all your browsers.

    Chrome
    Firefox
    Internet Explorer - select Delete Personal Settings as well
    Edge - (quite complicated-take your time with this one)

    8. Verify in Installed Programs that the NowUSeeIt Player is no longer installed.

    9. Download and install Malwarebytes Anti-Exploit
    This will help protect your browsers against zero-day attacks.

    10. Post all your reports

    Let us know how it goes. We will await your uploaded reports.

    EDIT: After reading your reports, if it is clear that we have removed everything completely, I may recommend you install a program called CryptoPrevent, to protect your AppData directory, which is where most of these nasties hide their executables. But, we have to be sure your AppData directory is completely clean, as the program will whitelist everything existing there on the first run, and we don't want it whitelisting anything malicious.
     
    simrick, Nov 15, 2015
    #19
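
Added example (not part of the original thread, and not code from any tool named in it): post #19 points out that CryptoPrevent whitelists everything already present in AppData on its first run, so the folder has to be reviewed beforehand. The PowerShell script below builds a read-only inventory of executable and script files under the current user's AppData folders, with Authenticode status and SHA-256 hash, for that review. The extension list and the report name AppData-inventory.csv are assumptions chosen for illustration.

```powershell
# Added example, not from the thread. Read-only: it lists files and deletes nothing.
# Assumed for illustration: the extension list and the report file name.
$roots      = @($env:APPDATA, $env:LOCALAPPDATA) |
                  Where-Object { $_ -and (Test-Path -LiteralPath $_) }
$extensions = '.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.vbs', '.js', '.ps1'
$report     = Join-Path ([Environment]::GetFolderPath('Desktop')) 'AppData-inventory.csv'

$inventory = foreach ($root in $roots) {
    # -Force is needed so hidden and system files are not skipped.
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Signature = if ($sig) { $sig.Status.ToString() } else { 'Unreadable' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256    = if ($hash) { $hash.Hash } else { '' }
            }
        }
}

if (-not $inventory) {
    Write-Output 'No matching files found under AppData.'
    return
}

# Review order: files without a valid signature first, newest first within each group.
$sorted = @($inventory) | Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } },
                                      @{ Expression = 'Created'; Descending = $true }
$sorted | Export-Csv -LiteralPath $report -NoTypeInformation -Encoding UTF8

$needReview = @($sorted | Where-Object { $_.Signature -ne 'Valid' })
Write-Output ("{0} files inventoried, {1} without a valid signature. Report: {2}" -f `
    @($sorted).Count, $needReview.Count, $report)
$needReview | Select-Object -First 20 Path, Created, Signature | Format-Table -AutoSize
```

A missing or invalid signature is a reason to look at a file, not proof that it is malicious; many legitimate scripts and small utilities are unsigned. The creation dates help line entries up with the week the ads started.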
  5. You Win User
    This question is a little dumb - have you reset your homepage on Edge? I am asking because a lot of times, Malwarebytes, etc. will remove a virus that changes your homepage to a malicious website if you try to set it to what you want it to be, but the homepage is never reset by the anti-malware program.

    Oh, and if you can't find anything using ESET, RKill, etc., check out Dr. Web CureIt. It's another free antimalware program.
     
  6. simrick Win User
    Yes, but he still has an infection:
     
    simrick, Nov 15, 2015
    #21
  7. eLPuSHeR Win User
    To the OP:

    Check out both ZHPCleaner and RogueKiller too alongside the aforementioned AdwCleaner and MBAM.
     
    eLPuSHeR, Nov 15, 2015
    #22
  8. Writer Win User

    I'm posting what I have done so far.

    I don't know if the LogFile Attachments remained attached because the only way I could conclude the attachment process was to click on the X, and there is no indication in my post that there are attachments.

    What does BP mean?

    1/ I created a System Restore Point: Begin Cleaning

    2/ I ran RKill (I attached the LogFile with Attachment.)

    3/ Before I could run TDSS Killer, Malwarebytes posted a Notification: it said that threats were detected and that I should run a scan. I ran the scan, and 406 threats were listed, some as potential threats, and 9 as definite threats. I list the 9 definite threats here:
    1. NowUSeeIt Player
    2. RootKit.Komodia.pup
    3. Trojan.Agent
    4. RootKit.Agent.A
    5. Trojan.Symmi
    6. Adware.PennyBee.WnskRST
    7. Trojan.Downloader
    8. Adware.SilentInstaller
    9. Adware.Imali

    After I did the Malwarebytes Remove, NowUSeeIt Player was still listed under programs and it still resists being uninstalled.
    After I did the Malwarebytes, "Healer Console" did not appear at booting-up.
    Also: www-searching.com still appears as the browser when I click on Microsoft Edge. The ************ (r e i m a g e.com) ad still appears in the middle of the screen and when I click on "No," the full-screen ad for some Windows 10 repair software appears.

    4/ I then ran TDSS Killer. (I attached the LogFile with Attachment; it's 60 kb long.) The result was that no threats were detected.

    I'll start working on the remaining items in the list you sent me.
     
    Writer, Nov 15, 2015
    #23
  9. simrick Win User
    Nothing is attached. Please see instructions here:
    Screenshots and Files - Upload and Post in Ten Forums - Windows 10 Forums


    Bleeping Computer (Meant to write BC)

    Yes, please upload all those logs so I can evaluate. Thanks ;-)
     
    simrick, Nov 15, 2015
    #24
  10. simrick Win User
    @Writer Was MBAM (Malwarebytes) able to successfully remove everything it found or did you get an error?
    Did it have you reboot? If so, did you run RKILL once again? (Everything RKILL does is undone upon reboot.)
     
    simrick, Nov 15, 2015
    #25
  11. Writer Win User
    I'll try to attach the LogFiles:
    Rkill 2 11-16-2015.docx
    TDSS Killer 11-16-2015.docx
    I hope that did it; let me know.

    Malwarebytes was able to delete "Healer Console," which was listed only as a "potential threat."
    Malwarebytes was not able to delete "NowUSeeIt Player," which was listed as a definite threat.
    Malwarebytes did not list www-searching.com as a threat, and it still comes up as the browser.

    I did not get an error response from Malwarebytes; it said that it had removed all of the threats. I was not able to see all of the threats it had listed; I only knew about "Healer Console" and "NowUSeeIt."

    I did reboot after Malwarebytes was finished. I'll post this first, then I'll run RKill again.

    I started the scan for "Junk Removal Tool." It ran for about 45 minutes, but was not showing any progress. Does it take that long? The only message I got from the Administrator was the two short lines below:

    Checking for Update
    An Update was found...Please wait

    I'll wait till I hear from you before I start to run Junk Removal Tool again.
     
    Writer, Nov 15, 2015
    #26
  12. Writer Win User
    Here is the latest LogFile for RKill done at 4:10 pm on November 16, 2015

    RKill 3 11-16-2015 4.10 pm.docx

    Here is the latest LogFile for AdwCleaner done at 4:45 pm on November 16, 2015

    AdwCleaner v1 C4.docx

    After the AdwCleaner Scan, it performed a "Reboot."
     
    Writer, Nov 15, 2015
    #27
  13. simrick Win User

    Thank you. I will need some time to review the logs. In the meantime, please run Junkware Removal Tool again, and wait a while. It can take some time, depending on your system.

    EDIT: Make sure you have first run RKILL and that your A/V is shut off.
    Also, please go into MBAM>History>Application Logs>and select SCAN LOG for today's date. Click on it, and select EXPORT in the bottom-left and attach that here as well.
    Thanks.
     
    simrick, Nov 15, 2015
    #28
  14. Writer Win User
    You would like that I run the "ESET" Online Scan: Where is this, and what does ESET mean?

    Concerning shutting down anti-virus software: This must mean Microsoft Defender; how do I find it?
    Is Malwarebytes Anti-Malware also considered to be part of my anti-virus software?

    I'll start running Junkware Removal Tool again.
     
    Writer, Nov 16, 2015
    #29
  15. simrick Win User
    ESET instructions begin at the bottom of this post, and continue in my next following post.

    Windows Defender: Type Defender in the search box at the bottom left>select Windows Defender Desktop App>click on settings in the top-right; a new window opens called update & security. See "Real-time protection" tick the dot to turn it off. Leave this box open so you can turn it back on when finished.

    If JRT doesn't do anything again, after another 30 minutes, just cancel it. The update is probably being blocked by the malware.
     
    simrick, Nov 16, 2015
    #30