
Adobe Flash Player infection/ Malware/ Rootkit ?


27 replies to this topic

#1 sumospim

  • Members
  • 24 posts
  • Local time:09:24 AM

Posted 28 March 2013 - 05:09 AM

Hi, I have read several articles about this possibly being a rootkit/malware/virus and I am still having issues on IE9. I do not have the issue on Firefox (my default browser).

 

Last night I had "assistance" from an Avira expert, but the problem still exists.

 

His work was, and I quote, "Service: Light scan. Removed remnants of the Bancos Trojan and other P.U.P's. Check settings and maintain computer."

 

This morning the issues remain. As far as I can remember (it was in the early hours of the morning), the following have been run, and please note in no particular order:

 

  • Malwarebytes
  • Hitman Pro
  • EMCO Malware
  • IOBit Malware Fighter
  • TDSSKiller

 

All scans were coming through as clear.

 

Any help/ guidance greatly appreciated.

 

Simon


#2 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:04:24 AM

Posted 28 March 2013 - 05:19 AM

This morning the issues remain.

 

What issues do you have?

 

RKILL

  • Please download Rkill by Grinler from one of the 4 links below (if one of them does not work, try another) and save it to your desktop:
  • Link 1
  • Link 2

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

 



#3 sumospim

  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:24 AM

Posted 28 March 2013 - 05:27 AM

Thank you... the issue remains that this Adobe Flash pop-up keeps popping up despite asking it not to display; this happens every time I go to IE.

 

Rkill 2.4.7 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 03/28/2013 10:24:57 AM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * No issues found.

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Automatic

 * FontCache => %SystemRoot%\system32\svchost.exe -k LocalService [Incorrect ImagePath]

 * WinDefend => %ProgramFiles(x86)%\Windows Defender\mpsvc.dll [Incorrect ServiceDLL]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * Cannot edit the HOSTS file.
 * Permissions could not be fixed. Use Hosts-perm.bat to fix permissions: http://www.bleepingcomputer.com/download/hosts-permbat/

Program finished at: 03/28/2013 10:25:17 AM
Execution time: 0 hours(s), 0 minute(s), and 19 seconds(s)
 


Edited by sumospim, 28 March 2013 - 05:28 AM.


#4 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:04:24 AM

Posted 28 March 2013 - 05:41 AM

Did you update to the latest version?

 

Download from here

 

http://www.adobe.com/support/flashplayer/downloads.html

 

Install it and reopen IE.



#5 sumospim

  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:24 AM

Posted 28 March 2013 - 05:48 AM

Yes this was done yesterday....



#6 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:04:24 AM

Posted 28 March 2013 - 05:50 AM

Thank you... the issue remains that this Adobe Flash pop-up keeps popping up despite asking it not to display; this happens every time I go to IE.

 

Which site exactly? Is the pop-up appearing when you launch IE?

 

AdwCleaner by Xplode - Search for Adware

-------------------
 

  • Please download AdwCleaner by Xplode onto your desktop.
  • Security software may flag it as malicious. This is a false positive and can be ignored.
  • Double click on AdwCleaner.exe, select OK, then Run
  • Click on DELETE
  • Click YES if you receive a warning for reboot
  • A logfile will automatically open after the scan has finished
  • Copy and paste the contents in your reply
  • You can find the logfile at C:\AdwCleaner[R1].txt as well


===================================================


Junkware Removal Tool by thisisu

-------------------
 
  • Please download Junkware Removal Tool and save it to your desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply

 



#7 sumospim

  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:24 AM

Posted 28 March 2013 - 06:16 AM

Yep, pops up on launching IE...

 

 

# AdwCleaner v2.115 - Logfile created 03/28/2013 at 11:15:32
# Updated 17/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Simon - SIMON-PC
# Boot Mode : Normal
# Running from : C:\Users\Simon\Downloads\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\BrowseToSave
Folder Found : C:\Program Files (x86)\Common Files\Speedbit
Folder Found : C:\ProgramData\SoftSafe
Folder Found : C:\ProgramData\Speedbit
Folder Found : C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Folder Found : C:\Users\Simon\AppData\Local\PackageAware
Folder Found : C:\Users\Simon\AppData\LocalLow\Speedbit
Folder Found : C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\n4esb78q.default-1351230439982\jetpack

***** [Registry] *****

Key Found : HKCU\Software\InstallCore
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Found : HKCU\Software\Search Settings
Key Found : HKCU\Software\84de8cb43fba48
Key Found : HKLM\Software\AedgePerformanceBCN
Key Found : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Found : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Found : HKLM\Software\Search Settings
Key Found : HKLM\SOFTWARE\Wow6432Node\84de8cb43fba48
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Found : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Found : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
Key Found : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
Key Found : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Found : HKLM\SOFTWARE\Tarma Installer

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzutDtD0F0F0FtD0FtBtCtByBtCtDtA0FzytN0D0Tzu0StByEyCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=30754568

-\\ Mozilla Firefox v19.0.2 (en-GB)

File : C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\n4esb78q.default-1351230439982\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.172

File : C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Preferences

Found [l.1] : urls_to_restore_on_startup ={"profile": {"content_settings": {"pref_version": 1, "clear_on_exit_migrated": true}, "avatar_index": 0, "exited_cleanly": true, "name": "First user"}, "sync_promo": {"view_count": 2, "startup_count": 2},  "promo": {"ntp_notification_promo": [{"group": 0, "increment": 1, "views": 0, "text": "Have a smartphone or tablet? <a href=\"hxxps://www.google.com/chrome/mobile/?utm_source=chrome&utm_medium=ntp&utm_campaign=ntp-promo\">Get Chrome for Mobile</a>", "max_views": 15, "start": 1356307200.0, "gplus_required": false, "increment_max": 1, "closed": false, "end": 1357689540.0, "increment_frequency": 0, "segment": 1, "num_groups": 1}]},  "countryid_at_install": 18242,  "default_apps_install_state": 3, "session": {"restore_on_startup": 4,  [ "hxxp://www.delta-search.com/?affID=119518&babsrc=HP_ss&mntrId=C20E00FFF0F21271" ]}, "dns_prefetching": {}, "homepage_is_newtabpage": false, "plugins": {"enabled_internal_pdf3": true, "migrated_to_pepper_flash": true, "last_internal_directory": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\23.0.1271.97", "enabled_nacl": true, "plugins_list": [{"path": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\23.0.1271.97\\PepperFlash\\pepflashplayer.dll", "version": "11.5.31.5", "enabled": true, "name": "Shockwave Flash"}, {"path": "internal-remoting-viewer", "version": "", "enabled": true, "name": "Chrome Remote Desktop Viewer"}, {"path": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\23.0.1271.97\\ppGoogleNaClPluginChrome.dll", "version": "", "enabled": true, "name": "Native Client"}, {"path": "C:\\Program Files (x86)\\Google\\Chrome\\Application\\23.0.1271.97\\pdf.dll", "version": "", "enabled": true, "name": "Chrome PDF Viewer"}, {"path": "C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\Browser\\nppdf32.dll", "version": "9.5.2.295", "enabled": true, "name": "Adobe Acrobat"}, {"path": "C:\\Program Files (x86)\\Java\\jre6\\bin\\new_plugin\\npdeployJava1.dll", "version": 
"6.0.290.11", "enabled": true, "name": "Java Deployment Toolkit 6.0.290.11"}, {"path": "C:\\Program Files (x86)\\Java\\jre6\\bin\\new_plugin\\npjp2.dll", "version": "6.0.290.11", "enabled": true, "name": "Java™ Platform SE 6 U29"}, {"path": "C:\\Program Files (x86)\\QuickTime\\plugins\\npqtplugin.dll", "version": "7.7.3 (1680.64)", "enabled": true, "name": "QuickTime Plug-in 7.7.3"}, {"path": "C:\\Program Files (x86)\\QuickTime\\plugins\\npqtplugin2.dll", "version": "7.7.3 (1680.64)", "enabled": true, "name": "QuickTime Plug-in 7.7.3"}, {"path": "C:\\Program Files (x86)\\QuickTime\\plugins\\npqtplugin3.dll", "version": "7.7.3 (1680.64)", "enabled": true, "name": "QuickTime Plug-in 7.7.3"}, {"path": "C:\\Program Files (x86)\\QuickTime\\plugins\\npqtplugin4.dll", "version": "7.7.3 (1680.64)", "enabled": true, "name": "QuickTime Plug-in 7.7.3"}, {"path": "C:\\Program Files (x86)\\QuickTime\\plugins\\npqtplugin5.dll", "version": "7.7.3 (1680.64)", "enabled": true, "name": "QuickTime Plug-in 7.7.3"}, {"path": "C:\\Program Files (x86)\\QuickTime\\plugins\\npqtplugin6.dll", "version": "7.7.3 (1680.64)", "enabled": true, "name": "QuickTime Plug-in 7.7.3"}, {"path": "C:\\Program Files (x86)\\QuickTime\\plugins\\npqtplugin7.dll", "version": "7.7.3 (1680.64)", "enabled": true, "name": "QuickTime Plug-in 7.7.3"}, {"path": "C:\\PROGRA~2\\MICROS~1\\Office14\\NPAUTHZ.DLL", "version": "14.0.4730.1010", "enabled": true, "name": "Microsoft Office 2010"}, {"path": "C:\\PROGRA~2\\MICROS~1\\Office14\\NPSPWRAP.DLL", "version": "14.0.4761.1000", "enabled": true, "name": "Microsoft Office 2010"}, {"path": "C:\\Program Files (x86)\\Google\\Update\\1.3.21.124\\npGoogleUpdate3.dll", "version": "1.3.21.124", "enabled": true, "name": "Google Update"}, {"path": "C:\\Program Files (x86)\\VideoLAN\\VLC\\npvlc.dll", "version": "2.0.2", "enabled": true, "name": "VLC Web Plugin"}, {"path": "C:\\Program Files (x86)\\Windows Live\\Photo Gallery\\NPWLPG.dll", "version": "14.0.8064.0206_ship.wlx.w3m3 
(ship)", "enabled": true, "name": "Windows Live\u00ae Photo Gallery"}, {"path": "C:\\Program Files (x86)\\iTunes\\Mozilla Plugins\\npitunes.dll", "version": "1.0.1.1", "enabled": true, "name": "iTunes Application Detector"}, {"path": "C:\\Windows\\SysWOW64\\Macromed\\Flash\\NPSWF32_11_5_502_135.dll", "version": "11,5,502,135", "enabled": true, "name": "Shockwave Flash"}, {"path": "c:\\Program Files (x86)\\Microsoft Silverlight\\5.1.10411.0\\npctrl.dll", "version": "5.1.10411.0", "enabled": true, "name": "Silverlight Plug-In"}, {"enabled": true, "name": "Adobe Flash Player"}, {"enabled": false, "name": "Adobe Reader"}, {"enabled": true, "name": "Chrome PDF Viewer"}, {"enabled": true, "name": "Chrome Remote Desktop Viewer"}, {"enabled": true, "name": "Google Update"}, {"enabled": true, "name": "Java™"}, {"enabled": true, "name": "Microsoft Office"}, {"enabled": true, "name": "Native Client"}, {"enabled": true, "name": "QuickTime Player"}, {"enabled": true, "name": "Silverlight"}, {"enabled": true, "name": "VLC Web Plugin"}, {"enabled": true, "name": "Windows Live\u00ae Photo Gallery"}, {"enabled": true, "name": "iTunes Application Detector"}]}, "download": {"directory_upgrade": true}, "extensions": {
Found [l.10] : homepage =,ahfgeienlihckogmohjhadlkjgocpleb": {"active_permissions": {"api": ["appNotifications", "management", "webstorePrivate"]}, "app_launcher_ordinal": "n", "page_ordinal": "n"}, "cjpglkicenollcignonpgiafdgfeehoj": {"from_bookmark": false, "ack_external": true, "from_webstore": false, "manifest": {"content_scripts": [{"matches": ["hxxp://*/*", "hxxps://*/*"], "js": ["content_script.js"], "run_at": "document_idle"}], "description": "SpeedDial for Chrome - replace Chrome new tab with your predefined visual bookmarks.", "icons": {"128": "icons/128.png", "32": "icons/32.png", "48": "icons/48.png"}, "chrome_url_overrides": {"newtab": "speeddial.html"}, "baseUrl": "hxxp://start.funmoods.com/results.php?", "name": "SpeedDial", "page_action": {"popup": "popup.html", "icon": "icons/16.png"}, "version": "4.0", "options_page": "speeddial.html#options", "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDRqN9D2z7WOarG6HPbopiFxzXhGGBycI3jvJwPztlgJ6/vTsLX2SLP1xj54If/v/5F6Nz1WHHhOgTgaQ0xCch4ELAluUDnjx/gjtMi1nlw38O+TWcinxlXVVE4zRtd+p6iMxrrhno7LRykN4iyjqhK2RqYrTHbb1LDj4f4vcY/6wIDAQAB", "background_page": "background.html", "update_url": "hxxp://update.funmoods.com/speeddial/update.xml?bu=st", "permissions": ["bookmarks", "tabs", "hxxp://*/*", "hxxps://*/*", "management"]}, "active_permissions": {"scriptable_host": ["hxxp://*/*", "hxxps://*/*"], "api": ["bookmarks", "management", "tabs"], "explicit_host": ["hxxp://*/*", "hxxps://*/*"]}, "state": 1, "location": 3, "path": "cjpglkicenollcignonpgiafdgfeehoj\\4.0_0", "was_installed_by_default": false, "install_time": "13001013336636043"}, "pjkljhegncpnkpknbcohdijeoejaedia": {"from_bookmark": false, "ack_external": true, "from_webstore": true, "app_launcher_ordinal": "y", "manifest": {"description": "Fast, searchable email with less spam.", "default_locale": "en", "icons": {"128": "128.png"}, "app": {"urls": ["*://mail.google.com/mail/ca"], "launch": {"web_url": "hxxps://mail.google.com/mail/ca", "container": "tab"}}, 
"current_locale": "en_US", "name": "Gmail", "version": "7", "options_page": "hxxps://mail.google.com/mail/ca/#settings", "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDCuGglK43iAz3J9BEYK/Mz6ZhloIMMDqQSAaf3vJt4eHbTbSDsu4WdQ9dQDRcKlg8nwQdePBt0C3PSUBtiSNSS37Z3qEGfS7LCju3h6pI1Yr9MQtxw+jUa7kXXIS09VV73pEFUT/F7c6Qe8L5ZxgAcBvXBh1Fie63qb02I9XQ/CQIDAQAB", "update_url": "hxxp://clients2.google.com/service/update2/crx", "permissions": ["notifications"]}, "granted_permissions": {"api": ["notifications"]}, "active_permissions": {"api": ["notifications"]}, "state": 1, "location": 1, "path": "pjkljhegncpnkpknbcohdijeoejaedia\\7_0", "was_installed_by_default": true, "install_time": "13001013347095043", "page_ordinal": "n"}, "coobgpohoikkiipiblmjeljniedjpjpf": {"from_bookmark": true, "ack_external": true, "from_webstore": true, "app_launcher_ordinal": "w", "manifest": {"description": "The fastest way to search the web.", "default_locale": "en", "icons": {"128": "128.png", "32": "32.png", "48": "48.png", "16": "16.png"}, "app": {"urls": ["*://www.google.com/search", "*://www.google.com/webhp", "*://www.google.com/imgres"], "launch": {"web_url": "hxxp://www.google.com/webhp?source=search_app"}}, "current_locale": "en_US", "version": "0.0.0.19", "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIiso3Loy5VJHL40shGhUl6it5ZG55XB9q/2EX6aa88jAxwPutbCgy5d9bm1YmBzLfSgpX4xcpgTU08ydWbd7b50fbkLsqWl1mRhxoqnN01kuNfv9Hbz9dWWYd+O4ZfD3L2XZs0wQqo0y6k64n+qeLkUMd1MIhf6MR8Xz1SOA8pwIDAQAB", "update_url": "hxxp://clients2.google.com/service/update2/crx", "name": "Google Search"}, "state": 1, "location": 1, "path": "coobgpohoikkiipiblmjeljniedjpjpf\\0.0.0.19_0", "was_installed_by_default": true, "install_time": "13001013342359043", "page_ordinal": "n"}, "apdfllckaahabafndbhieahigkjlhalf": {"from_bookmark": false, "ack_external": true, "from_webstore": true, "app_launcher_ordinal": "t", "manifest": {"manifest_version": 2, "description": "Google Drive: create, share and keep all your stuff in one place.", 
"default_locale": "en_US", "icons": {"128": "128.png"}, "background": {"allow_js_access": false}, "app": {"urls": ["hxxp://docs.google.com/", "hxxp://drive.google.com/", "hxxps://docs.google.com/", "hxxps://drive.google.com/"], "launch": {"web_url": "hxxps://drive.google.com/"}}, "offline_enabled": true, "current_locale": "en_US", "name": "Google Drive", "version": "6.2", "options_page": "hxxps://drive.google.com/settings", "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDIl5KlKwL2TSkntkpY3naLLz5jsN0YwjhZyObcTOK6Nda4Ie21KRqZau9lx5SHcLh7pE2/S9OiArb+na2dn7YK5EvH+aRXS1ec3uxVlBhqLdnleVgwgwlg5fH95I52IeHcoeK6pR4hW/Nv39GNlI/Uqk6O6GBCCsAxYrdxww9BiQIDAQAB", "update_url": "hxxp://clients2.google.com/service/update2/crx", "permissions": ["background", "clipboardRead", "clipboardWrite", "notifications", "unlimitedStorage"]}, "granted_permissions": {"api": ["background", "clipboardRead", "clipboardWrite", "notifications", "unlimitedStorage"]}, "active_permissions": {"api": ["background", "clipboardRead", "clipboardWrite", "notifications", "unlimitedStorage"]}, "state": 1, "location": 1, "path": "apdfllckaahabafndbhieahigkjlhalf\\6.2_0", "was_installed_by_default": true, "install_time": "13001013340769043", "page_ordinal": "n"}, "blpcfgokakmgnkcojhhkbfbldkacnbeo": {"from_bookmark": true, "ack_external": true, "from_webstore": true, "app_launcher_ordinal": "x", "manifest": {"description": "The world's most popular online video community.", "default_locale": "en", "icons": {"128": "128.png"}, "app": {"launch": {"web_url": "hxxp://www.youtube.com/", "container": "tab"}, "web_content": {"origin": "hxxp://www.youtube.com", "enabled": true}}, "current_locale": "en_US", "name": "YouTube", "version": "4.2.5", "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDC/HotmFlyuz5FaHaIbVBhhL4BwbcUtsfWwzgUMpZt5ZsLB2nW/Y5xwNkkPANYGdVsJkT2GPpRRIKBO5QiJ7jPMa3EZtcZHpkygBlQLSjMhdrAKevpKgIl6YTkwzNvExY6rzVDzeE9zqnIs33eppY4S5QcoALMxuSWlMKqgFQjHQIDAQAB", "update_url": 
"hxxp://clients2.google.com/service/update2/crx", "permissions": ["appNotifications"]}, "granted_permissions": {"api": ["appNotifications"]}, "active_permissions": {"api": ["appNotifications"]}, "state": 1, "location": 1, "path": "blpcfgokakmgnkcojhhkbfbldkacnbeo\\4.2.5_0", "was_installed_by_default": true, "install_time": "13001013346128043", "page_ordinal": "n"}}}, "distribution": {"import_search_engine": false, "make_chrome_default_for_user": true},  "hxxp://www.delta-search.com/?affID=119518&babsrc=HP_ss&mntrId=C20E00FFF0F21271", "net": {"hxxp_server_properties": {"version": 1, "servers": {"googleads.g.doubleclick.net:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}, "fls.doubleclick.net:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}, "www.googleadservices.com:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}, "ssl.gstatic.com:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}, "cm.g.doubleclick.net:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}, "ssl.google-analytics.com:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}, "fonts.googleapis.com:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}, "apis.google.com:443": {"supports_spdy": true, "settings": {"5": 45, "4": 100, "6": 0}}, "www.google.com:443": {"supports_spdy": true, "settings": {"5": 54, "4": 100, "6": 0}}, "www.google.co.uk:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}, "themes.googleusercontent.com:443": {"supports_spdy": true, "settings": {"5": 59, "4": 100, "6": 0}}, "tools.google.com:443": {"supports_spdy": true, "settings": {"5": 32, "4": 100, "6": 0}}}}}, "browser": {"last_prompted_google_url": "hxxp://www.google.co.uk/", "window_placement": {"right": 1060, "work_area_bottom": 728, "bottom": 718, "top": 10, "work_area_top": 0, "maximized": true, "work_area_left": 0, "left": 10, "work_area_right": 1366}, 
"last_known_google_url": "hxxp://www.google.co.uk/,

*************************

AdwCleaner[R1].txt - [20573 octets] - [28/03/2013 10:52:18]
AdwCleaner[R2].txt - [16556 octets] - [28/03/2013 11:15:32]

########## EOF - C:\AdwCleaner[R2].txt - [16617 octets] ##########
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.7.3 (03.23.2013:1)
OS: Windows 7 Home Premium x64
Ran by Simon on 28/03/2013 at 10:55:09.96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Successfully stopped: [Service] application updater
Successfully deleted: [Service] application updater



~~~ Registry Values

Successfully deleted: [Registry Value] hkey_local_machine\software\microsoft\windows\currentversion\run\\searchsettings



~~~ Registry Keys

Successfully deleted: [Registry Key] hkey_local_machine\software\application updater
Successfully deleted: [Registry Key] hkey_local_machine\software\conduit
Successfully deleted: [Registry Key] hkey_local_machine\software\freeze.com
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\crossrider
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\pricegong
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\software\search settings
Successfully deleted: [Registry Key] hkey_current_user\software\appdatalow\sprotector
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\funmoodslatest_rasapi32
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\funmoodslatest_rasmancs
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\giant savings_rasapi32
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\giant savings_rasmancs
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\mybabylontb_rasapi32
Successfully deleted: [Registry Key] hkey_local_machine\software\microsoft\tracing\mybabylontb_rasmancs
Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\sp global
Successfully deleted: [Registry Key] hkey_local_machine\software\wow6432node\sprotector



~~~ Files

Successfully deleted: [File] "C:\Users\Simon\appdata\local\funmoods-speeddial.crx"



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\babylon"
Successfully deleted: [Folder] "C:\ProgramData\browser manager"
Successfully deleted: [Folder] "C:\ProgramData\installmate"
Successfully deleted: [Folder] "C:\ProgramData\partner"
Successfully deleted: [Folder] "C:\ProgramData\premium"
Successfully deleted: [Folder] "C:\ProgramData\tarma installer"
Successfully deleted: [Folder] "C:\Users\Simon\AppData\Roaming\coupons"
Successfully deleted: [Folder] "C:\Users\Simon\AppData\Roaming\opencandy"
Successfully deleted: [Folder] "C:\Users\Simon\AppData\Roaming\registry mechanic"
Successfully deleted: [Folder] "C:\Users\Simon\appdata\local\conduit"
Successfully deleted: [Folder] "C:\Users\Simon\appdata\local\ilivid player"
Successfully deleted: [Folder] "C:\Users\Simon\appdata\local\opencandy"
Successfully deleted: [Folder] "C:\Users\Simon\appdata\locallow\conduit"
Successfully deleted: [Folder] "C:\Users\Simon\appdata\locallow\search settings"
Successfully deleted: [Folder] "C:\Program Files (x86)\application updater"
Successfully deleted: [Folder] "C:\Program Files (x86)\free offers from freeze.com"
Successfully deleted: [Folder] "C:\Program Files (x86)\Common Files\spigot"
Successfully deleted: [Folder] "C:\Users\Simon\AppData\Roaming\microsoft\windows\start menu\programs\rivalgaming"
Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ FireFox

Successfully deleted: [File] C:\user.js
Successfully deleted: [File] C:\Users\Simon\AppData\Roaming\mozilla\firefox\profiles\n4esb78q.default-1351230439982\user.js
Successfully deleted: [File] C:\Users\Simon\AppData\Roaming\mozilla\firefox\profiles\n4esb78q.default-1351230439982\searchplugins\delta.xml
Successfully deleted the following from C:\Users\Simon\AppData\Roaming\mozilla\firefox\profiles\n4esb78q.default-1351230439982\prefs.js

user_pref("aol_toolbar.default.homepage.check", false);
user_pref("aol_toolbar.default.search.check", false);
user_pref("extensions.BabylonToolbar.prtkDS", 0);
user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
user_pref("extensions.booly.shopping_supportedcdoms", "101inks|101inks.com,123-reg|123-reg.co.uk,123inkjets|123inkjets.com,123posters|123posters.com,123refills|123refills.net,
user_pref("extensions.booly.shopping_supporteddoms", "amazon.co.uk,amazon.com,ebay.co.uk,ebay.com,groupon.co.uk,groupon.com,blackfriday,cybermonday,1-acp.com,1000bulbs.com,101
user_pref("extensions.delta.admin", false);
user_pref("extensions.delta.aflt", "babsst");
user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
user_pref("extensions.delta.autoRvrt", "false");
user_pref("extensions.delta.dfltLng", "en");
user_pref("extensions.delta.excTlbr", false);
user_pref("extensions.delta.id", "c20e03f900000000000000fff0f21271");
user_pref("extensions.delta.instlDay", "15787");
user_pref("extensions.delta.instlRef", "sst");
user_pref("extensions.delta.newTab", false);
user_pref("extensions.delta.prdct", "delta");
user_pref("extensions.delta.prtnrId", "delta");
user_pref("extensions.delta.rvrt", "false");
user_pref("extensions.delta.smplGrp", "none");
user_pref("extensions.delta.tlbrId", "base");
user_pref("extensions.delta.tlbrSrchUrl", "");
user_pref("extensions.delta.vrsn", "1.8.10.0");
user_pref("extensions.delta.vrsnTs", "1.8.10.09:21:04");
user_pref("extensions.delta.vrsni", "1.8.10.0");
user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
user_pref("sweetim.toolbar.searchguard.enable", "");
Emptied folder: C:\Users\Simon\AppData\Roaming\mozilla\firefox\profiles\n4esb78q.default-1351230439982\minidumps [8 files]



~~~ Chrome

Failed to delete: [Folder] C:\Users\Simon\appdata\local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 28/03/2013 at 11:13:38.43
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
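The AdwCleaner log above is a fixed text format (section banners, "Found"/"Deleted" items, per-browser setting lines), so a defender reviewing many such logs can reduce them to a structured summary. The following Python parser is an added example; it is not code from this thread, from AdwCleaner or from its author. `SAMPLE_LOG` is constructed from lines on this page (defanged `hxxp` URLs kept as posted), and the family list in `KNOWN_FAMILIES`, the helper names and the `replaced_with` field are my own assumptions about how to classify what the log shows.

```python
import re

# Constructed sample, modelled on the AdwCleaner v2.x "Search" log posted in this thread.
SAMPLE_LOG = r"""# AdwCleaner v2.115 - Logfile created 03/28/2013 at 11:15:32
# Option [Search]

***** [Services] *****


***** [Files / Folders] *****

Folder Found : C:\Program Files (x86)\BrowseToSave
Folder Found : C:\ProgramData\Speedbit

***** [Registry] *****

Key Found : HKCU\Software\InstallCore
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=ironpub

-\\ Mozilla Firefox v19.0.2 (en-GB)

[OK] File is clean.
"""

OPTION_RE = re.compile(r"^# Option \[(\w+)\]")              # "# Option [Search]" / "[Delete]"
SECTION_RE = re.compile(r"^\*{5} \[([^\]]+)\] \*{5}$")       # "***** [Registry] *****"
BROWSER_RE = re.compile(r"^-\\\\ (.+?) v([\w.]+)")           # "-\\ Internet Explorer v9.0..."
ITEM_RE = re.compile(r"^(Folder|File|Key|Value) (Found|Deleted) : (.+)$")
SETTING_RE = re.compile(r"^(?:Replaced : )?\[([^\]]+)\] = (.+)$")  # "[... - Start Page] = url [--> new]"

# Adware / PUP family names that appear in this thread's logs (assumed classification list).
KNOWN_FAMILIES = ("funmoods", "delta-search", "babylon", "conduit",
                  "speedbit", "installcore", "browsetosave", "search settings")


def parse_adwcleaner(text):
    """Turn an AdwCleaner log into {"mode", "items", "browser_settings"}."""
    report = {"mode": None, "items": [], "browser_settings": []}
    section = browser = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if m:
            report["mode"] = m.group(1)
            continue
        m = SECTION_RE.match(line)
        if m:
            section, browser = m.group(1), None
            continue
        m = BROWSER_RE.match(line)
        if m:
            browser = m.group(1)
            continue
        m = ITEM_RE.match(line)
        if m and section:
            kind, status, target = m.groups()
            report["items"].append({"section": section, "kind": kind,
                                    "status": status, "target": target})
            continue
        if line.startswith("Deleted on reboot : ") and section:
            # Locked paths are scheduled for removal at the next boot (seen in the Delete log).
            report["items"].append({"section": section, "kind": "Path",
                                    "status": "Deleted on reboot",
                                    "target": line.split(" : ", 1)[1]})
            continue
        m = SETTING_RE.match(line)
        if m and browser:
            setting, value = m.groups()
            old, _, new = value.partition(" --> ")  # Delete mode writes "old --> new"
            report["browser_settings"].append({"browser": browser, "setting": setting,
                                               "value": old, "replaced_with": new or None})
    return report


def counts_by_section(report):
    """Number of found/deleted items per log section."""
    counts = {}
    for item in report["items"]:
        counts[item["section"]] = counts.get(item["section"], 0) + 1
    return counts


def families_seen(report):
    """Which known adware families are named in paths, keys or browser settings."""
    haystack = [i["target"] for i in report["items"]] + \
               [s["value"] for s in report["browser_settings"]]
    return {fam for fam in KNOWN_FAMILIES if any(fam in h.lower() for h in haystack)}


def hijacked_start_pages(report):
    """Start-page entries pointing at a known adware family's site."""
    return [s for s in report["browser_settings"]
            if "start page" in s["setting"].lower()
            and any(fam in s["value"].lower() for fam in KNOWN_FAMILIES)]


if __name__ == "__main__":
    rep = parse_adwcleaner(SAMPLE_LOG)
    print("mode:", rep["mode"])
    print("items per section:", counts_by_section(rep))
    print("families:", sorted(families_seen(rep)))
    for s in hijacked_start_pages(rep):
        print("hijacked:", s["browser"], "->", s["value"])
```

On the thread's own logs this reports the IE start page pointing at funmoods and a spread of Speedbit, InstallCore and BrowseToSave leftovers, which is the quickest way to confirm that a "Search" run was followed by a "Delete" run (the `replaced_with` field is filled only in the latter).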
 



#8 narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:04:24 AM

Posted 28 March 2013 - 06:27 AM

You need to click on DELETE for AdwCleaner, then post the new log.

 

Restart the PC.

 

Yep, pops up on launching IE...

 

Can you post a screenshot?



#9 sumospim

  • Topic Starter
  • Members
  • 24 posts
  • Local time:09:24 AM

Posted 28 March 2013 - 06:39 AM

Sorry, can't see how to add a screenshot... sorry.

 

 

# AdwCleaner v2.115 - Logfile created 03/28/2013 at 11:30:53
# Updated 17/03/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Simon - SIMON-PC
# Boot Mode : Normal
# Running from : C:\Users\Simon\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Folder Deleted : C:\Program Files (x86)\BrowseToSave
Folder Deleted : C:\Program Files (x86)\Common Files\Speedbit
Folder Deleted : C:\ProgramData\SoftSafe
Folder Deleted : C:\ProgramData\Speedbit
Folder Deleted : C:\Users\Simon\AppData\Local\PackageAware
Folder Deleted : C:\Users\Simon\AppData\LocalLow\Speedbit
Folder Deleted : C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\n4esb78q.default-1351230439982\jetpack

***** [Registry] *****

Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKCU\Software\Search Settings
Key Deleted : HKCU\Software\84de8cb43fba48
Key Deleted : HKLM\Software\AedgePerformanceBCN
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{5B1881D1-D9C7-46DF-B041-1E593282C7D0}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}
Key Deleted : HKLM\Software\Search Settings
Key Deleted : HKLM\SOFTWARE\Wow6432Node\84de8cb43fba48
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A9379648-F6EB-4F65-A624-1C10411A15D0}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F16AB1DB-15C0-4456-A29E-4DF24FB9E3D2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}
Key Deleted : HKLM\SOFTWARE\Tarma Installer

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzutDtD0F0F0FtD0FtBtCtByBtCtDtA0FzytN0D0Tzu0StByEyCtN1L2XzutBtFtCtFtCtFtAtCtB&cr=30754568 --> hxxp://www.google.com

-\\ Mozilla Firefox v19.0.2 (en-GB)

File : C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\n4esb78q.default-1351230439982\prefs.js

[OK] File is clean.

-\\ Google Chrome v25.0.1364.172

File : C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.1] : urls_to_restore_on_startup ={"profile": {"content_settings": {"pref_version": 1, "clear_on_exit_migrated": true}, "avatar_index"[...]
Deleted [l.10] : homepage =,ahfgeienlihckogmohjhadlkjgocpleb": {"active_permissions": {"api": ["appNotifications", "management"[...]

*************************

AdwCleaner[R1].txt - [20573 octets] - [28/03/2013 10:52:18]
AdwCleaner[R2].txt - [16671 octets] - [28/03/2013 11:15:32]
AdwCleaner[R3].txt - [16732 octets] - [28/03/2013 11:30:25]
AdwCleaner[S1].txt - [3867 octets] - [28/03/2013 11:30:53]

########## EOF - C:\AdwCleaner[S1].txt - [3927 octets] ##########
 
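As an added example (not part of this thread, and not AdwCleaner's own code), the Python script below parses a [Delete]-mode AdwCleaner log of the shape posted above and pulls out what a responder would actually record: deleted paths (separating the ones still pending a reboot, which is why a restart is asked for after the run), deleted registry keys, the COM GUIDs inside those keys for hunting on other machines, and any replaced browser start page together with the host it had been pointed at. The embedded sample log is an excerpt of the log above with the funmoods URL abbreviated; the section names and line prefixes are taken from that log, while the regular expressions are my assumption about the format rather than a published specification.

```python
"""Summarise an AdwCleaner [Delete] log into triage facts.

Added example, not part of the forum thread or of AdwCleaner itself.
The line patterns below are inferred from the posted log (assumption).
"""
import re
from collections import defaultdict

# Excerpt of the AdwCleaner[S1].txt posted in the thread (funmoods URL abbreviated).
SAMPLE_LOG = r"""
# AdwCleaner v2.115 - Logfile created 03/28/2013 at 11:30:53
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Deleted on reboot : C:\Users\Simon\AppData\Local\Google\Chrome\User Data\Default\Extensions\cjpglkicenollcignonpgiafdgfeehoj
Folder Deleted : C:\Program Files (x86)\BrowseToSave
Folder Deleted : C:\ProgramData\Speedbit

***** [Registry] *****

Key Deleted : HKCU\Software\InstallCore
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16470

Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - Start Page] = hxxp://start.funmoods.com/?f=1&a=ironpub --> hxxp://www.google.com

-\\ Mozilla Firefox v19.0.2 (en-GB)

File : C:\Users\Simon\AppData\Roaming\Mozilla\Firefox\Profiles\n4esb78q.default-1351230439982\prefs.js

[OK] File is clean.

*************************
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
REPLACED_RE = re.compile(r"^Replaced : \[(?P<location>[^\]]+)\] = (?P<old>.+?) --> (?P<new>.+)$")
ENTRY_RE = re.compile(r"^(?P<action>[A-Za-z][A-Za-z0-9 .\[\]]*?) : (?P<target>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Accepts both defanged (hxxp) and plain (http) URLs; the host is kept as written.
HOST_RE = re.compile(r"^h(?:xx|tt)ps?://(?P<host>[^/?#]+)", re.IGNORECASE)


def parse_adwcleaner(text):
    """Return {'header': {...}, 'sections': {name: [entry dicts]}} for one log."""
    header = {}
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group("name")
            continue
        if current is None:
            # Header block: "# Key : Value" lines plus the "# Option [Mode]" line.
            if line.startswith("# ") and " : " in line:
                key, value = line[2:].split(" : ", 1)
                header[key.strip()] = value.strip()
            elif line.startswith("# Option "):
                header["Option"] = line[len("# Option "):].strip("[]")
            continue
        rep = REPLACED_RE.match(line)
        if rep:
            sections[current].append({"action": "Replaced", **rep.groupdict()})
            continue
        ent = ENTRY_RE.match(line)
        if ent:  # browser banners, "[OK]" lines and the star footer do not match
            sections[current].append(ent.groupdict())
    return {"header": header, "sections": dict(sections)}


def summarize(parsed):
    """Condense a parsed log into the facts worth recording in a case note."""
    sections = parsed["sections"]
    files = sections.get("Files / Folders", [])
    reg = sections.get("Registry", [])
    browsers = sections.get("Internet Browsers", [])

    deleted_paths = [e["target"] for e in files
                     if e["action"].endswith("Deleted") or e["action"] == "Deleted on reboot"]
    pending_reboot = [e["target"] for e in files if e["action"] == "Deleted on reboot"]
    deleted_keys = [e["target"] for e in reg if e["action"] in ("Key Deleted", "Value Deleted")]
    guids = sorted({g for k in deleted_keys for g in GUID_RE.findall(k)})
    hijacks = []
    for e in browsers:
        if e["action"] != "Replaced":
            continue
        m = HOST_RE.match(e["old"])
        hijacks.append({"location": e["location"],
                        "old_host": m.group("host") if m else e["old"],
                        "restored_to": e["new"]})
    return {
        "mode": parsed["header"].get("Option"),
        "deleted_paths": deleted_paths,
        "pending_reboot": pending_reboot,  # cleanup is incomplete until the PC restarts
        "deleted_keys": deleted_keys,
        "com_guids": guids,  # reusable as registry IoCs on other hosts
        "hijacks": hijacks,
        "clean": not (deleted_paths or deleted_keys or hijacks),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_adwcleaner(SAMPLE_LOG)), indent=2))
```

Run it against a saved AdwCleaner[S1].txt by replacing SAMPLE_LOG with the file's contents; a non-empty `pending_reboot` list is the cue that the machine still needs the restart the advisor asks for before the log can be called final.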



#10 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:04:24 AM

Posted 28 March 2013 - 06:47 AM

That's ok, are you still having the pop-up?

 

Follow this guide to reset Internet explorer and see if it helps

 

http://support.microsoft.com/kb/923737



#11 sumospim

sumospim
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 28 March 2013 - 06:52 AM

Reset, and agggghhhh, yep, pop-up still appearing....



#12 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:04:24 AM

Posted 28 March 2013 - 06:55 AM

Click on the Start menu and type

 

snipping tool and press <ENTER>

 

Capture the pop-up, upload it to http://tinypic.com/index.php and post the link here.

 

Can you watch YouTube videos?



#13 sumospim

sumospim
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 28 March 2013 - 07:10 AM

Yep, YouTube is fine...

 

http://tinypic.com/r/vrsj9z/6



#14 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:04:24 AM

Posted 28 March 2013 - 07:18 AM

Run this fixit

 

http://go.microsoft.com/?linkid=9646978

 

Restart the PC. Any changes?

 

ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    esetsmartinstaller_enu.png

    • Click on to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.

 

 

===================================================

Autoruns
 

  • Please download AutoRuns and save it to your desktop
  • Double click the AutoRuns.zip folder
  • Double click autoruns.exe (not autorunsc.exe), select Run, then Run again and allow the information to populate
  • Select File, Save, Desktop (in the left hand pane), then save the file as Autoruns.txt and change Save as type to Text (*.txt).
  • Double click on the text file, copy and paste the contents in your reply

Edited by narenxp, 28 March 2013 - 07:19 AM.


#15 sumospim

sumospim
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:09:24 AM

Posted 28 March 2013 - 07:31 AM

No change; just doing the ESET scan, then will run Autoruns and report back on both

 

thanks so much for your continued help....





