Nation Zoom / It is still there

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Go to the following locations and delete the folders called \Google\Chrome.

c:\Program Files\
c:\Program Data\
C:\Users\Niels\AppData\Roaming
C:\Users\Niels\AppData\Local
C:\Users\Administrator\AppData\Roaming
C:\Users\Administrator\AppData\Local


After that reboot the computer and install Google Chrome again.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Once again we shall use FRST for additional checks. Re-run FRST/FRST64 by double-clicking:
  • Type wmploc.DLL into the Search: field in FRST then click the Search File(s) button.
  • FRST will search your computer for files and when finished it will produce a log Search.txt in the same directory the tool is run.
  • Please attach it to your reply.
 

Niels B

New Member
Thread author
Verified
Jan 28, 2014
37
I did what you said. Attached are the two files. I removed everything that had Google or Chrome in the file name from disk C. I had to download unlocker software to remove the file that couldn't be deleted. After that there was no trace of Google or Chrome on disk C.
When I reinstalled Google Chrome, the add-ons I had installed showed up again. The Google server must remember which add-ons I used previously. It could also mean that Nationzoom comes from the Google server itself. Alternatively, Nationzoom could be located in the Internet Explorer 10 files. I will try to look.
What do you think?
 

Attachments

  • Search.txt
    2.3 KB · Views: 93
  • FRST.txt
    35.7 KB · Views: 129

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Download Malwarebytes Anti-Rootkit from here to your Desktop
  • Unzip the contents to a folder on your Desktop.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
  • After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
  • When done, please post the two logs in the MBAR folder (mbar-log.txt and system-log.txt).



Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • When it prompts you to try their 30-day trial, click Decline.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


 

Niels B

New Member
Thread author
Verified
Jan 28, 2014
37
Here are the files.
For some reason, the folder Documents and Settings is locked. I can't get in. I am locked on the PC as administrator.
I can't change it, even when I follow instructions.
 

Attachments

  • mbar-log-2014-01-30 (23-13-38).txt
    2 KB · Views: 81
  • system-log.txt
    34.6 KB · Views: 97

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please run Autoruns and send me screenshots of the tabs Scheduled Tasks, Winlogon and Internet Explorer.


To take a screenshot of your screen:
  1. Press the PRINT SCREEN (Print Scr) key on your keyboard.
  2. Now open MS Paint.
  3. Open Paint by clicking the Start button, clicking All Programs, clicking Accessories, and then clicking Paint.
  4. In MS Paint, click Edit, and then click Paste.
  5. After this, save the file on your computer by clicking File --> Save.
Add this saved file in your next reply.
 

Niels B

New Member
Thread author
Verified
Jan 28, 2014
37
Here it is.

Kmpfa is a training program for railway controllers and has nothing to do with Nationzoom.
 

Attachments

  • Task.jpg
    328.4 KB · Views: 132

Niels B

New Member
Thread author
Verified
Jan 28, 2014
37
Screenshot of internet explorer attached.
It seems that Winlogon is not possible to show on screen.
I don't have a password to log on the computer.
 

Attachments

  • Screenshot Explorer.jpg
    393.2 KB · Views: 145

Niels B

New Member
Thread author
Verified
Jan 28, 2014
37
Sorry, I missed that. The Winlogon tab didn't show anything.
 

Attachments

  • Autorun Explorer.jpg
    720.7 KB · Views: 137
  • Autorun Winlogon.jpg
    327.3 KB · Views: 138

Niels B

New Member
Thread author
Verified
Jan 28, 2014
37
Was this what you looked for?
 

Attachments

  • Internet Explorer Autorun.jpg
    388.8 KB · Views: 133

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run the below OTL fix
  1. Start OTL.exe
  2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

    Code:
    :OTL
    FF - HKLM\Software\MozillaPlugins\@verimatrix.com/ViewRightWeb: C:\Program Files\Verimatrix\ViewRight Web\\npViewRight.dll File not found
    FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll File not found
    CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}{google:bookmarkBarPinned}{google:searchClient}{google:sourceId}{google:instantExtendedEnabledParameter}{google:omniboxStartMarginParameter}ie={inputEncoding}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&xssi=t&q={searchTerms}&{google:cursorPosition}{google:zeroPrefixUrl}{google:pageClassification}sugkey={google:suggestAPIKeyParameter},
    CHR - Extension: Google Dokumenter = C:\Users\Niels\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.5_1\
    CHR - Extension: Google Drev = C:\Users\Niels\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_1\
    CHR - Extension: Google-s\u00F8gning = C:\Users\Niels\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.20_1\
    O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll File not found
    [2014/01/30 19:15:49 | 000,000,000 | ---D | C] -- C:\Users\Niels\AppData\Local\Babylon
    [2014/01/30 19:15:47 | 000,000,000 | ---D | C] -- C:\Users\Niels\AppData\Roaming\Babylon
    [2014/02/01 13:26:09 | 000,002,241 | ---- | M] () -- C:\Users\Niels\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
    [2014/01/30 19:15:47 | 000,000,000 | ---D | M] -- C:\Users\Niels\AppData\Roaming\Babylon
    
    
    :commands
    [emptytemp]
    [reboot]

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  3. Then click the Run Fix button at the top
  4. Let the program run unhindered, reboot when it is done
  5. Attach the new log produced by OTL (C:\_OTL)
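
For readers reviewing a fix script like the one in the post above before it is run, here is an added example (not part of the original post and not OTL's own code) that parses the entry formats visible in it and summarises what would be touched. The reading of the file-entry fields (C = created, M = modified, D = directory) is an assumption based on how the lines appear; the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: five entry lines copied from the fix script quoted above.
SAMPLE = r"""
FF - HKLM\Software\MozillaPlugins\adobe.com/AdobeAAMDetect: C:\Program Files\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll File not found
CHR - Extension: Google Drev = C:\Users\Niels\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\6.3_1\
O3 - HKLM\..\Toolbar: (Contribute Toolbar) - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll File not found
[2014/01/30 19:15:49 | 000,000,000 | ---D | C] -- C:\Users\Niels\AppData\Local\Babylon
[2014/02/01 13:26:09 | 000,002,241 | ---- | M] () -- C:\Users\Niels\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
"""

# File entries: [date time | size | attributes | C or M] (vendor) -- path
FILE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| (?P<size>[\d,]+) \| "
    r"(?P<attr>[A-Z-]{4}) \| (?P<kind>[CM])\](?: \([^)]*\))? -- (?P<path>.+)$")
# Tagged entries: FF (Firefox), CHR (Chrome), O<n> (numbered registry sections)
TAG_RE = re.compile(r"^(?P<tag>FF|CHR|O\d+) - (?P<rest>.+)$")

def parse_line(line):
    """Return a dict for one script entry, or None for directives and blanks."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:
        return {"tag": "FS",
                "kind": "dir" if "D" in m["attr"] else "file",
                "event": {"C": "created", "M": "modified"}[m["kind"]],  # assumed meaning
                "when": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "size": int(m["size"].replace(",", "")),
                "path": m["path"]}
    m = TAG_RE.match(line)
    if m:
        # "File not found" marks a reference whose target file is already gone
        return {"tag": m["tag"], "detail": m["rest"],
                "orphaned": m["rest"].endswith("File not found")}
    return None  # :OTL, :commands, [emptytemp], [reboot]

def review(text):
    """Summarise what a fix script would touch before anyone runs it."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return {"fs_targets": [e["path"] for e in entries if e["tag"] == "FS"],
            "orphaned": [e["detail"] for e in entries if e.get("orphaned")],
            "tags": sorted({e["tag"] for e in entries})}

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(key, value, sep=": ")
```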
 

Niels B

New Member
Thread author
Verified
Jan 28, 2014
37
Here is the OTL log file.
When I started Google Chrome to send this reply, Nationzoom show up in the usual way.
 

Attachments

  • 02022014_120842.log
    45.2 KB · Views: 78
