Having a seemingly persistent adware problem...


#1 Vanguard89


  • Members

Posted 10 February 2014 - 07:49 PM

Hello guys, I'm a new user on your site and I'm pretty impressed that I found some legit tools here to deal with my adware problems :)
   Anyway, yesterday my gf clicked a non-legit magnet link on monova when she tried to download a torrent file, and my system was pretty much instantly filled with adware. At first I updated Malwarebytes (I use it with Avira), and at the same time removed a few newly installed programs via Control Panel (among them GrabRez, and something starting with the letter 'W', can't remember, but I am sure it was malware).
   When I scanned with MWB it reported 43 malware items found. I removed them, rebooted, and cleared the quarantine after the reboot, but, as I suspected, today the problem came back, same as last night, with MWB finding about 15 or more PUP.Optional.Conduit items, some with different names. I decided to download AdwCleaner and HitmanPro 3.7.9 from your source and run a scan with both. I started with AdwCleaner and it found some registry traces that it reported as threats. First I wanted to look into all of them, cos some mentioned 'HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32' and 'HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS', but I misclicked, deleted them all and rebooted.
   Then I did a scan with HitmanPro. It found about 1400 cookies, most of them (or all) being some 'Mobogenie', Rocketfuel publisher... It also reported that my FAHclient files are missing and suggested a repair; after I selected it, it switched to 'delete'. I deleted all of those cookies (Mobogenie). After all that it seemed my computer was working fine, it's even faster, even tho I was worried I had messed some registry up. I downloaded Autoruns to check what processes I have turned on at the moment, and found out that I have 'UtilGrabRez' turned on, tho it didn't function anywhere, nor have I seen any program installed under the company's name. I ran Autoruns as admin and managed to turn that process off from auto-running.
Now tell me, did I do something wrong, cos I'm not that much of a tech guy, and how do I completely remove GrabRez, and is my computer at risk of compromise? And do I need to do a scan with another program like ComboFix? I will attach the log files that I have saved: MWB (scanned yesterday) and also AdwCleaner and HitmanPro. Sorry I attached files, not as text -.-
1. Malwarebytes log file :
Malwarebytes Anti-Malware
Database version: v2014.02.09.05
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16750
Uros :: UROS-PC [administrator]
2/9/2014 8:03:08 PM
MBAM-log-2014-02-09 (21-14-10).txt
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 504838
Time elapsed: 1 hour(s), 8 minute(s), 4 second(s)
Memory Processes Detected: 1
C:\Program Files (x86)\GrabRez\updateGrabRez.exe (PUP.Optional.GrabRez.A) -> 732 -> No action taken.
Memory Modules Detected: 1
C:\Users\Uros\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
Registry Keys Detected: 10
HKLM\SYSTEM\CurrentControlSet\Services\Update GrabRez (PUP.Optional.GrabRez.A) -> No action taken.
HKCR\CLSID\{e1420d09-acc8-4efd-9965-e7ae3c5b977c} (PUP.Optional.GrabRez.A) -> No action taken.
HKCR\TypeLib\{a7a47a0b-0338-407a-88cc-04f303ae7bbc} (PUP.Optional.GrabRez.A) -> No action taken.
HKCR\Interface\{6C7BB828-4CF1-4C42-8028-7D15996DEA0E} (PUP.Optional.GrabRez.A) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E1420D09-ACC8-4EFD-9965-E7AE3C5B977C} (PUP.Optional.GrabRez.A) -> No action taken.
HKCR\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23} (PUP.Optional.BrowseFox.A) -> No action taken.
HKCU\Software\1ClickDownload (PUP.Optional.1ClickDownload.A) -> No action taken.
HKCU\Software\GrabRez (PUP.Optional.GrabRez.A) -> No action taken.
HKCU\Software\AppDataLow\Software\Crossrider (PUP.Optional.CrossRider.A) -> No action taken.
HKLM\Software\GrabRez (PUP.Optional.GrabRez.A) -> No action taken.
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Uros\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 5
C:\Program Files (x86)\GrabRez (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\plugins (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me\cache (PUP.Optional.NextLive.A) -> No action taken.
Files Detected: 27
C:\Program Files (x86)\GrabRez\updateGrabRez.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Program Files (x86)\GrabRez\GrabRezBHO.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\GrabRez.FirstRun.exe (PUP.Optional.Sambreel.A) -> No action taken.
C:\Users\Uros\AppData\Local\genienext\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000000 (PUP.Optional.OneClickDownloader.A) -> No action taken.
C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\File System\001\t\00\00000002 (PUP.Optional.OneClickDownloader.A) -> No action taken.
C:\Users\Uros\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G9805ZGA\Setup[1].exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie2.2.0.zip (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Local\Mobogenie\Version\OldVersion\Mobogenie\nengine.dll (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Local\Temp\setup_80.exe (PUP.Optional.NextLive.A) -> No action taken.
C:\Windows\Setup\scripts\faXcooL.exe (HackTool.Wpakill) -> No action taken.
D:\Downloaded Content\~Autodesk Maya 2013 SP2 + Crack + 32bit and 64bit\Autodesk Maya 64 bit\64bit\~Get Your Files Here\crack\xf-adsk2013_x64.exe (RiskWare.Tool.CK) -> No action taken.
D:\Downloads\SoftonicDownloader_for_siw.exe (PUP.Optional.Softonic.A) -> No action taken.
C:\Program Files (x86)\GrabRez\GrabRez.ico (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\7za.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\GrabRezUninstall.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\updateGrabRez.InstallState (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\GrabRez.BrowserFilter.Helper.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\GrabRezBrowserFilter.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\utilGrabRez.exe (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\utilGrabRez.InstallState (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\plugins\GrabRez.BrowserFilterG.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\plugins\GrabRez.FFUpdate.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Program Files (x86)\GrabRez\bin\plugins\GrabRez.IEUpdate.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me\nengine.cookie (PUP.Optional.NextLive.A) -> No action taken.
C:\Users\Uros\AppData\Roaming\newnext.me\cache\spark.bin (PUP.Optional.NextLive.A) -> No action taken.
2. AdwCleaner log file :

# AdwCleaner v3.018 - Report created 10/02/2014 at 22:55:44
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (64 bits)
# Username : Uros - UROS-PC
# Running from : D:\Downloads\AdwCleaner.exe
# Option : Clean
***** [ Services ] *****
***** [ Files / Folders ] *****
Folder Deleted : C:\Users\Uros\AppData\Local\Conduit
Folder Deleted : C:\Users\Uros\AppData\LocalLow\Conduit
File Deleted : C:\END
***** [ Shortcuts ] *****
***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\smartbar
***** [ Browsers ] *****
-\\ Internet Explorer v10.0.9200.16750
-\\ Google Chrome v32.0.1700.107
[ File : C:\Users\Uros\AppData\Local\Google\Chrome\User Data\Default\preferences ]
AdwCleaner[R0].txt - [1349 octets] - [10/02/2014 22:30:42]
AdwCleaner[S0].txt - [1249 octets] - [10/02/2014 22:55:44]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1309 octets] ##########
3. Hitmanpro :

Can't post it, it says the post is too long..

Edited by Queen-Evie, 10 February 2014 - 08:56 PM.
moved from Windows 7 to the appropriate forum for malware help

#2 boopme


    To Insanity and Beyond

  • Global Moderator

Posted 10 February 2014 - 09:53 PM

Hello. I need to ask if you clicked the "Remove Selected" button after the MBAM scan.
Your log entries show...

C:\Program Files (x86)\GrabRez\updateGrabRez.exe (PUP.Optional.GrabRez.A) -> 732 -> No action taken.
Please run ESET.
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

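The `No action taken` status that the reply above points at can be checked across a whole log instead of by eye. The following is an added example, not part of the original thread and not Malwarebytes tooling: a Python script that parses this log layout, lists every detection still marked `No action taken`, and flags sections whose declared count differs from the number of listed entries (a sign of a truncated paste). The function name `triage` is hypothetical; the sample reuses lines from the log above plus one constructed `Quarantined` line and a deliberately wrong count.

```python
import re
from collections import Counter

# Section header, e.g. "Files Detected: 27"
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Detected: (?P<count>\d+)$")
# Entry: "<object> (<Detection.Name>) -> [pid or data -> ]<action>."
ENTRY = re.compile(
    r"^(?P<obj>.+?) \((?P<det>[A-Za-z]+(?:\.[A-Za-z0-9]+)+)\) -> "
    r"(?:.* -> )?(?P<action>[^>]+?)\.?$"
)

# Sample input: lines taken from the log above, one constructed
# "Quarantined" line, and a constructed header count (3) that is wrong on purpose.
SAMPLE = r'''Memory Processes Detected: 1
C:\Program Files (x86)\GrabRez\updateGrabRez.exe (PUP.Optional.GrabRez.A) -> 732 -> No action taken.
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|NextLive (PUP.Optional.NextLive.A) -> Data: C:\Windows\SysWOW64\rundll32.exe "C:\Users\Uros\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l -> No action taken.
Registry Data Items Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Program Files (x86)\GrabRez\GrabRezBHO.dll (PUP.Optional.GrabRez.A) -> No action taken.
C:\Users\Uros\AppData\Local\Temp\setup_80.exe (PUP.Optional.NextLive.A) -> Quarantined and deleted successfully.
'''

def triage(log_text):
    """Return (pending, mismatched) for a Malwarebytes-style text log.

    pending:    [(section, detection, object)] still marked "No action taken"
    mismatched: {section: (declared, listed)} where the counts disagree
    """
    declared, listed, pending = {}, Counter(), []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        header = SECTION.match(line)
        if header:
            section = header["name"]
            declared[section] = int(header["count"])
            continue
        entry = ENTRY.match(line)
        if entry and section:
            listed[section] += 1
            if entry["action"].lower() == "no action taken":
                pending.append((section, entry["det"], entry["obj"]))
    mismatched = {s: (n, listed[s]) for s, n in declared.items() if n != listed[s]}
    return pending, mismatched

if __name__ == "__main__":
    pending, mismatched = triage(SAMPLE)
    for section, det, obj in pending:
        print(f"[not remediated] {section}: {det}: {obj}")
    print("count mismatches:", mismatched)
```

A log saved before "Remove Selected" is clicked lists every item as pending, so the output is only meaningful for a log exported after the removal step.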

#3 Vanguard89

  • Topic Starter

  • Members

Posted 11 February 2014 - 11:01 AM

I am very thankful for the fast response and I read it right away :) I did remove the malware selected by MWB after it did a full scan (it put all 43 of them in quarantine, as it seems, which I also deleted).

   I was instructed to post this topic in the virus and malware removal topics, and that is the reason I am not running the ESET scan atm. I am doing scans/fixes with several other programs as instructed in that topic; after that survey is done I will run ESET, since I was told not to let different programs interfere with the analysis and treatment process (other than instructed), but when that topic is done I will do as you told me and post it here :). I hope that is fine, or can I run ESET right away? cos I did some treatment in the other topic with AdwCleaner, Junkware-Removal-Tool and Farbar Recovery Scan Tool.

Edited by Vanguard89, 11 February 2014 - 11:05 AM.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator

Posted 11 February 2014 - 01:01 PM

Your log(s) is posted here and you are already getting help.

After posting a log and getting assistance, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Response Team member... nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log(s) you already posted. Further, any modifications you make on your own may cause confusion for the member assisting you and could complicate the malware removal process or make things worse, which would extend the time it takes to clean your computer.

The Malware Response Team should be the only members that you take advice from, until they have verified your log as clean.

To avoid confusion, I am closing this topic.

Thanks for your cooperation.

Good luck with your log.