
Craigslist infecting my browser with adware?


12 replies to this topic

#1 MysticDragon

MysticDragon

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:26 AM

Posted 06 December 2013 - 12:53 AM

Hello all you generous helpers! ;)

 

I bought this laptop about four months ago after my old one crapped out.  This one is running the Windows 8 and is 64 bit.  It's a Dell Inspiron 15.

 

I have been having issues the past few days every time I visit craigslist.  It seems that some sort of program/adware gets loaded in constantly every time I visit.  My AVG IS 2014 doesn't seem to pick anything up and so I have had to scan with MBAM every night before I shut down or the next time I log on I have issues with booting.  I also picked up that irritating Delta Search thing back about a month ago when the computer did an auto update of windows! 

 

I use CCleaner every night before I shut down but I'm sure I don't have it set up properly to catch everything as I cannot remember what options to select but it still removes about 200+ Mb of files nightly!

 

I am still noticing strange things with my browser however.  Even after scanning with MBAM and removing the issues it finds there's still slow loading of most pages.  I am using Firefox and it is updated.

 

I know we're only supposed to ask one question per post but I'd also like to know if there's anything else I can do to maintain the computer's like new state other than running ccleaner every night?

 

Thanks in advance for any and all help.

MD




 


#2 KingdomSeeker

KingdomSeeker

  • Members
  • 458 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:26 AM

Posted 06 December 2013 - 01:33 AM

The specs of your computer would help. Please go to this website http://winhelp2002.mvps.org/hosts.htm. Read the special instructions for Windows 8. Download the hostfile. When you unzip it run the MVPS file and it'll add millions of rogue websites to your registry. This will protect you from Craigslist ads. This is called the hostfile. Every time you try to access a website Windows searches the hostfile to see if it's safe. If it isn't it blocks the ad from loading.

 

Try downloading a different browser such as Chrome, Opera, or Comodo Ice Dragon. Test the download speeds compared to FF. The latest update of Firefox made it unusable basically for me. I went from 1.5 MBS to 38kbs. The problem may be Firefox. Try an alternative and compare.
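
Added example (not part of the original posts): a hosts file is a plain-text table of address-to-hostname mappings, and blocklists of the kind linked above work by pointing unwanted hostnames at a sink address such as 0.0.0.0 or 127.0.0.1. The Python sketch below separates those blocklist entries from entries that force a name to a routable address, which are the ones worth reviewing by hand; the sample content and the function name are constructed for illustration.

```python
import ipaddress

# Constructed sample in hosts-file syntax; not taken from a real machine.
SAMPLE_HOSTS = """\
# comment line
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # typical blocklist entry
127.0.0.1       tracker.example.org
203.0.113.7     www.example-bank.test  # name pointed at a routable address
not-an-ip       broken.example
"""


def classify_hosts(text):
    """Sort hosts-file entries into local, blocked, redirect and invalid."""
    result = {"local": [], "blocked": [], "redirect": [], "invalid": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            result["invalid"].append((lineno, line))
            continue
        if len(fields) < 2:
            result["invalid"].append((lineno, line))
            continue
        for name in (f.lower() for f in fields[1:]):
            if addr.is_loopback and name == "localhost":
                result["local"].append(name)
            elif addr.is_loopback or addr.is_unspecified:
                # Sink address: the name resolves to nothing useful.
                result["blocked"].append(name)
            else:
                # The name is forced to a real address: review it.
                result["redirect"].append((lineno, name, str(addr)))
    return result


if __name__ == "__main__":
    report = classify_hosts(SAMPLE_HOSTS)
    print(len(report["blocked"]), "blocked names")
    for lineno, name, addr in report["redirect"]:
        print(f"line {lineno}: {name} -> {addr}  (review)")
    for lineno, line in report["invalid"]:
        print(f"line {lineno}: unparsable entry: {line}")
```

On Windows the file is C:\Windows\System32\drivers\etc\hosts; read it and pass its text to `classify_hosts` instead of the sample.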



#3 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:26 PM

Posted 06 December 2013 - 04:04 AM

Hello Dragon -

I am using Firefox and it is updated.

I know we're only supposed to ask one question per post but I'd also like to know if there's anything else I can do to maintain the computer's like new state other than running ccleaner every night?

You can ask whatever you like about the computer

Print out, or save these instructions to Notepad (or similar) -

 

Always remember that Firefox is an Add-on program, while your default is Internet Explorer 10 or 11 -

 

Clear the Temp File Cache - This program is specific and deeper than CCleaner

Please download Temp File Cleaner by Old Timer
Usage Instructions:

  • Download TFC from the download link above and save the file on your desktop.
  • Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  • Double-click on the TFC icon or Right click and select Run as Administrator
  • When the program opens, click on the Start button. 
  • TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  • When done, press OK and reboot your computer and finish the cleanup.

 

 

Next -

Download Security Check by Screen317 from HERE
* Save it to your Desktop.
* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: If any security program requests permission to access the Internet, allow it to do so.

 

Next -

Please download and run RKill by Grinler. A black DOS box will briefly flash and then disappear.
This is normal and indicates the tool ran successfully.
If a log is produced, save it, or post it back here -

Important: Do not reboot your computer until you complete the next step.

 

Please download AdwCleaner by Xplode and save to your Desktop.
* Double-click on AdwCleaner.exe to run the tool.
* Vista/Windows 7/8 users right-click and select Run As Administrator.
* Click on the Scan button. (only once)
* AdwCleaner will begin...be patient as the scan may take some time to complete.
* After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
NOW - * Click on the Clean button. (only once)
* Press OK when asked to close all programs and follow the onscreen prompts.
* Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
* After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
* Copy and paste the contents of that logfile in your next reply.
* A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

Next -

You said that you have Malwarebytes Anti-Malware installed.

Update the program to the latest version, and then run a Full Scan.

Please post the results of that scan back here -

 

Last -

Please scan your computer with ESET Online Scanner
Read How To Temporarily Disable Your Anti-virus
This scan is best performed with Internet Explorer, as it uses ActiveX
If you will not use Internet Explorer, then please read item 3 in this post
1 - Open Internet Explorer and hold down Control (Ctrl) key and click on This Link to open ESET OnlineScan in a new window.
2 - Click the ESET Online Scanner button.

Vista Windows 7 & 8 users may need to Right click on this and select Run as Administrator
3 - For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
- a - Click on eset.exe to download the ESET Smart Installer. Save it to your desktop.
- b - Double click on the  icon on your desktop.
4 - Check "YES, I accept the Terms of Use."
5 - Click the Start button.
6 - Accept any security warnings from your browser.
7 - Under scan settings, check "Scan Archives" and "Remove found threats"
8 - Click Advanced settings and then select the following:

* Scan potentially unwanted applications
* Scan for potentially unsafe applications
* Enable Anti-Stealth technology

9 - ESET will then download updates for itself, install itself, and begin scanning your computer.
10 - Please be patient as this will take some time (first time scans are always longer).
11 - When the scan completes, click List Threats
12 - Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
13 - Click the Back button and then Click the Finish button.
NOTE: Sometimes if ESET finds no infections it will not create a log.
If you lose the log it can be found at C:\Program Files\ESET\EsetOnlineScanner\log.txt
If no infections are found then please tell me -
You can ignore any ESET detection of AdwCleaner...it is a false positive detection.

 

Thank You -


Edited by noknojon, 06 December 2013 - 04:06 AM.


#4 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:26 AM

Posted 07 December 2013 - 02:20 AM

Phew!  Those scans took a long time LOL

 

Anyways, I followed your directions and I'll post the logs you requested as individual replies just to keep them separate.

 

First, here's the results from Security Check:

 

 Results of screen317's Security Check version 0.99.77 
   x64 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
AVG Internet Security 2014  
Windows Defender            
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300 
 Adobe Flash Player  11.9.900.117 
 Mozilla Firefox (25.0.1)
````````Process Check: objlist.exe by Laurent```````` 
 AVG avgwdsvc.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````
 



#5 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:26 AM

Posted 07 December 2013 - 02:21 AM

Next was the RKill results:

 

Rkill 2.6.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/06/2013 11:11:58 PM in x64 mode.
Windows Version: Windows 8

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]

Backup Registry file created at:
 C:\Users\mysti_000\Desktop\rkill\rkill-12-06-2013-11-12-03.reg

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * HdAudAddService [Missing Service]

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/06/2013 11:12:56 PM
Execution time: 0 hours(s), 0 minute(s), and 57 seconds(s)



#6 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:26 AM

Posted 07 December 2013 - 02:23 AM

AdwCleaner:

 

# AdwCleaner v3.014 - Report created 06/12/2013 at 23:18:28
# Updated 01/12/2013 by Xplode
# Operating System : Windows 8  (64 bits)
# Username : mysti_000 - CHERYL
# Running from : C:\Users\mysti_000\Desktop\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\ProgramData\BitGuard
Folder Deleted : C:\ProgramData\DSearchLink
Folder Deleted : C:\Program Files (x86)\Delta
Folder Deleted : C:\Users\mysti_000\AppData\Roaming\ValueApps
Folder Deleted : C:\Users\mysti_000\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitGuard
File Deleted : C:\Users\mysti_000\AppData\Roaming\Mozilla\Firefox\Profiles\8j61wo38.default\bprotector_extensions.sqlite
File Deleted : C:\Users\mysti_000\AppData\Roaming\Mozilla\Firefox\Profiles\8j61wo38.default\bprotector_prefs.js
File Deleted : C:\Users\mysti_000\AppData\Roaming\Mozilla\Firefox\Profiles\8j61wo38.default\user.js
File Deleted : C:\Windows\System32\Tasks\EPUpdater

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\Prod.cap
Key Deleted : HKCU\Software\5228b8ab13def13
Key Deleted : HKLM\SOFTWARE\5228b8ab13def13
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{39CB8175-E224-4446-8746-00566302DF8D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{007EFBDF-8A5D-4930-97CC-A4B437CBA777}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{F63AAEDC-3602-49EF-AA45-262380A98980}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Softonic
Key Deleted : HKLM\Software\DataMngr
Key Deleted : HKLM\Software\Delta

***** [ Browsers ] *****

-\\ Internet Explorer v10.0.9200.16537

-\\ Mozilla Firefox v25.0.1 (en-US)

[ File : C:\Users\mysti_000\AppData\Roaming\Mozilla\Firefox\Profiles\8j61wo38.default\prefs.js ]

Line Deleted : user_pref("extensions.delta.admin", false);
Line Deleted : user_pref("extensions.delta.aflt", "babsst");
Line Deleted : user_pref("extensions.delta.appId", "{C26644C4-2A12-4CA6-8F2E-0EDE6CF018F3}");
Line Deleted : user_pref("extensions.delta.autoRvrt", "false");
Line Deleted : user_pref("extensions.delta.dfltLng", "en");
Line Deleted : user_pref("extensions.delta.excTlbr", false);
Line Deleted : user_pref("extensions.delta.ffxUnstlRst", true);
Line Deleted : user_pref("extensions.delta.id", "94ec513b00000000000000ff605d8f8c");
Line Deleted : user_pref("extensions.delta.instlDay", "15992");
Line Deleted : user_pref("extensions.delta.instlRef", "sst");
Line Deleted : user_pref("extensions.delta.newTab", false);
Line Deleted : user_pref("extensions.delta.prdct", "delta");
Line Deleted : user_pref("extensions.delta.prtnrId", "delta");
Line Deleted : user_pref("extensions.delta.rvrt", "false");
Line Deleted : user_pref("extensions.delta.smplGrp", "none");
Line Deleted : user_pref("extensions.delta.tlbrId", "base");
Line Deleted : user_pref("extensions.delta.tlbrSrchUrl", "");
Line Deleted : user_pref("extensions.delta.vrsn", "1.8.24.6");
Line Deleted : user_pref("extensions.delta.vrsnTs", "1.8.24.616:05:51");
Line Deleted : user_pref("extensions.delta.vrsni", "1.8.24.6");
Line Deleted : user_pref("extensions.delta_i.babExt", "");
Line Deleted : user_pref("extensions.delta_i.babTrack", "affID=125361&tsp=5035");
Line Deleted : user_pref("extensions.delta_i.srcExt", "ss");

*************************

AdwCleaner[R0].txt - [4229 octets] - [06/12/2013 23:15:30]
AdwCleaner[S0].txt - [4185 octets] - [06/12/2013 23:18:28]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4245 octets] ##########
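
Added example (not part of the original posts, and not AdwCleaner's own code): a small Python parser for a report in the layout shown above, returning entry counts per section and the Firefox preference namespaces that were removed, so that a later report can be compared against this one. The line format is inferred from this one log, and the sample is abridged from it.

```python
import re
from collections import Counter

# Abridged from the report posted above. The format handling below is
# inferred from that single log (assumption), not from documentation.
SAMPLE = r"""# AdwCleaner v3.014 - Report created 06/12/2013 at 23:18:28
# Option : Clean

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Babylon
Folder Deleted : C:\Program Files (x86)\Delta
File Deleted : C:\Windows\System32\Tasks\EPUpdater

***** [ Registry ] *****

Key Deleted : HKCU\Software\Conduit
Key Deleted : HKLM\Software\Delta

***** [ Browsers ] *****

-\\ Mozilla Firefox v25.0.1 (en-US)

Line Deleted : user_pref("extensions.delta.prdct", "delta");
Line Deleted : user_pref("extensions.delta_i.babTrack", "affID=125361&tsp=5035");
"""

SECTION = re.compile(r"^\*+ \[ (.+?) \] \*+$")          # ***** [ Name ] *****
ENTRY = re.compile(r"^(\w+) (\w+) : (.+)$")             # <Kind> <Action> : <target>
PREF = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);$')  # prefs.js line


def parse_report(text):
    """Yield (section, kind, action, target) for every entry line."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line)
        if m and section:          # header lines before any section are skipped
            yield (section, *m.groups())


def summarize(text):
    """Return (entries per section, removed Firefox pref namespaces)."""
    entries = list(parse_report(text))
    by_section = Counter(sec for sec, *_ in entries)
    namespaces = Counter()
    for _, kind, _, target in entries:
        m = PREF.match(target) if kind == "Line" else None
        if m:
            # "extensions.delta.prdct" -> "extensions.delta"
            namespaces[".".join(m.group(1).split(".")[:2])] += 1
    return by_section, namespaces


if __name__ == "__main__":
    sections, prefs = summarize(SAMPLE)
    for name, count in sections.items():
        print(f"{name}: {count} entries")
    for ns, count in prefs.items():
        print(f"pref namespace {ns}: {count} lines")
```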



#7 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:26 AM

Posted 07 December 2013 - 02:24 AM

MBAM results:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.12.07.02

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16736
mysti_000 :: CHERYL [administrator]

12/6/2013 11:26:00 PM
mbam-log-2013-12-06 (23-26-00).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 378606
Time elapsed: 54 minute(s), 5 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



#8 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:26 AM

Posted 07 December 2013 - 02:29 AM

And finally, the ESET online scan results:

 

C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe a variant of Win32/HiddenStart.A application cleaned by deleting - quarantined

 

I noticed that there weren't too many serious threats detected thank goodness but there were more than I originally thought.  I followed the instructions on that Delta Search website about how to erase it but apparently it left behind some files.

 

So, am I to assume that the CCleaner isn't as good as I originally thought and I should be using the TFC program?  Or would CCleaner be good enough for a nightly scan and use the TFC program on a regular basis say weekly or something like that?

 

TIA for all your help, let's hope I can keep this laptop clean for the long haul :D

ttfn

MD
 



#9 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:26 PM

Posted 07 December 2013 - 04:05 AM

Hi -

TFC (Temp File Cleaner) is a dedicated program for the cleaning of the Temp File Cache.

For this reason, I do find it is better for the job. I use it daily -

 

AdwCleaner seems to have removed the remainder of your problem, so you should be OK now -

Re-open AdwCleaner, and hit the Uninstall button to remove any items in quarantine and the program. As it can not be updated you install it each time it is needed.

Security Check and Rkill can be Right click => Deleted now -

ESET can just "hide" in programs if it is ever needed again, and will not harm anything, and if you keep AVG Internet Security, always make sure it is updated and scanning.

 

Always Update Malwarebytes Anti-Malware prior to a scan (at least once a week)

 

Good Luck, and if you have other questions, please ask them -



#10 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:26 AM

Posted 07 December 2013 - 05:54 PM

Thanks for the advice! :D

 

I do have another question if you don't mind.  With CCleaner, what boxes should I have ticked in order to get the best clean possible?  I am not sure which ones I need to have checked and which ones I don't have to.  If you'd like I can get a screen cap of the way it's set up now?

 

ETA: I forgot about one other thing I would like to know.  When I first boot up my laptop I notice that it connects to the wifi before my AVG taskbar icon appears.. does this mean that I am connected to the internet BEFORE AVG is active?  I've also noticed that while AVG is updating I will get warnings that certain security apps aren't currently active so I'm wondering if I'm vulnerable to an attack during the short time those are deactivated while updating or not.

 

Thanks again,

MD


Edited by MysticDragon, 07 December 2013 - 05:58 PM.


#11 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:26 PM

Posted 07 December 2013 - 06:37 PM

Second answer is easier - You are On Line once you open a Browser or On Line program only.

If the Desktop is all that opens, it is just Delayed Start by your AVG while other programs load (normal).

I have a similar thing with my Firewall, but it kicks in 30 seconds after start up ( No Problem) -

 

First answer eventually -

Remember - In Windows 8 and 8.1, many things altered "as we knew them"
With CCleaner (I use Internet Explorer 95% of the time)- Open the Cleaner program area only
Temp Internet Files
History
Cookies
Recently Typed URLs
Index.dat files
Last Download Location

 

Recent Documents
Run (in Start Menu)
Search Autocomplete
Other Explorer MRUs

 

Empty Recycle Bin
Temp Files
Chkdsk Fragments

 

Old Prefetch data

Nothing should be ticked under Registry (ever), this can alter or remove wanted programs.

 

 

Any other general items, I will still be watching for a few days -



#12 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:26 AM

Posted 07 December 2013 - 07:54 PM

I thank you once again for all your help and quick responses! :D

 

I seem to have all the proper items checked in CCleaner too.. I don't use the registry cleaner at all nor do I mess with the registry at all on my own.  I know very little about computers, but I know enough to be dangerous LOL   That's why I tend to ask for help before I mess anything up! ;)

 

ttfn

MD



#13 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:08:26 PM

Posted 07 December 2013 - 08:09 PM

You are welcome to any help we can offer -

 

I've also noticed that while AVG is updating <= I forgot this one.

AVG is just "claiming ownership" during updates, so this is "just AVG" and nothing more.

 

Only a rough idea, but as accurate as any other description ................





