Do I have malware?

5 replies to this topic

#1 CRBlair

CRBlair

  • Members
  • 62 posts
  • OFFLINE
  • Gender:Male
  • Location:Columbia, MD USA
  • Local time:11:49 PM

Posted 09 November 2014 - 06:49 PM

Over the last few days, I've noticed that on every website I visit (including this one), the page is littered with advertising links (the "underlined word" type). Also, if I click on a blank part of the page or a link to another page, an advertising page opens before the desired page opens. This didn't use to happen. I use Firefox version 33.0.3 on a Lenovo G700 laptop running Windows 8.1. I use Windows Defender and Windows Firewall. I have run several malware programs (Windows Defender, Spybot free, SuperAntiSpyware free, Malwarebytes free, Trend Micro's free online scan and Trend Micro's free rootkit checker), and several of them have found and removed files, cookies, registry keys and the like, but I still have the problem. What can I do to stop this?


Roger Blair

crogerblair@hotmail.com



#2 buddy215

buddy215

  • Moderator
  • 13,508 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:49 PM

Posted 09 November 2014 - 07:26 PM

Have you looked in Firefox's Add-ons for extensions and plugins that you did not install? You can disable any suspicious ones or do a search for any you don't recognize before disabling or uninstalling if they are not desirable.

 

Run scans using the two programs below.

 

  • download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder, which was created when running the tool.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars...especially Yahoo. You may see Google Tool Bar being offered. You can choose to download and use the portable version and avoid any chance of installing an unwanted toolbar.

CCleaner - PC Optimization and Cleaning - Free Download

Piriform - How to run CCleaner from a USB drive

 

 

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

You should install Adblock Plus and NoScript in Firefox. The two best Add-ons. NoScript will take a bit of learning to use but it is well worth the effort as it blocks getting malware from just visiting a web page and blocks several other attempts to infect your computer.

NoScript Security Suite :: Add-ons for Firefox

Adblock Plus :: Add-ons for Firefox


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 CRBlair

CRBlair
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Gender:Male
  • Location:Columbia, MD USA
  • Local time:11:49 PM

Posted 11 November 2014 - 12:37 PM

The two add-ons have been added, and the problem went away. (I'd used them on my old computer, but I'd forgotten about them on my new machine.)

 

FWIW, here's the AdwCleaner log . . .

# AdwCleaner v4.101 - Report created 11/11/2014 at 10:10:40
# Updated 09/11/2014 by Xplode
# Database : 2014-11-10.9 [Live]
# Operating System : Windows 8.1 (64 bits)
# Username : Roger - ROGERPC
# Running from : C:\Users\Roger\Downloads\AdwCleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Pokki
Folder Deleted : C:\Program Files (x86)\Bench
Folder Deleted : C:\Users\Roger\AppData\Local\Pokki
Folder Deleted : C:\Users\Roger\AppData\Roaming\InetStat
Folder Deleted : C:\Users\Roger\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\InetStat
Folder Deleted : C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck
File Deleted : C:\Users\Roger\AppData\Roaming\Mozilla\Firefox\Profiles\grtpuc9j.default-1414613292208\invalidprefs.js
File Deleted : C:\Users\Roger\AppData\Roaming\Mozilla\Firefox\Profiles\grtpuc9j.default-1414613292208\searchplugins\bingp.xml

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : HKCU\Software\Classes\Applications\inetstat.exe
Key Deleted : HKCU\Software\InetStat
Key Deleted : HKCU\Software\Pokki
Key Deleted : HKLM\SOFTWARE\AdvertisingSupport
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344


-\\ Mozilla Firefox v33.0.3 (x86 en-US)


-\\ Google Chrome v38.0.2125.111

[C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.v9.com/web/?type=ds&ts=1413143111&from=cor&uid=ST500LT012-9WS142_S0V8FR2NXXXXS0V8FR2N&i=psd&t=34a4c86c6&q={searchTerms}

*************************

AdwCleaner[R0].txt - [2451 octets] - [11/11/2014 08:14:00]
AdwCleaner[S0].txt - [2323 octets] - [11/11/2014 10:10:40]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [2383 octets] ##########

 

. . . and the Junkware Removal Tool log.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.3.7 (11.08.2014:1)
OS: Windows 8.1 x64
Ran by Roger on Tue 11/11/2014 at 11:21:20.32
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] "C:\WINDOWS\wininit.ini"



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Roger\AppData\Roaming\mozilla\firefox\profiles\grtpuc9j.default-1414613292208\minidumps [2 files]



~~~ Chrome

Successfully deleted: [Folder] C:\Users\Roger\appdata\local\Google\Chrome\User Data\Default\Extensions\ihdkejbciahopmbagpnjmmkkdpfpaaak



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 11/11/2014 at 11:23:39.71
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Many thanks for the advice. Now if I can get my other problem solved as easily.


Roger Blair

crogerblair@hotmail.com
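As an added example (not part of this thread, and not AdwCleaner's own code), here is a small Python parser for the AdwCleaner v4 report format quoted above. The section and item patterns are my assumptions from that format, and the sample log is constructed from a subset of the posted entries. It pulls the deletions out per section and flags the items that most directly explain injected ads and redirects: changed search providers and files dropped into the Firefox searchplugins folder.

```python
import re
from collections import defaultdict

# Constructed sample in the AdwCleaner v4 report format quoted above (subset of the posted log)
SAMPLE_LOG = r"""
# AdwCleaner v4.101 - Report created 11/11/2014 at 10:10:40

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Pokki
File Deleted : C:\Users\Roger\AppData\Roaming\Mozilla\Firefox\Profiles\grtpuc9j.default\searchplugins\bingp.xml

***** [ Registry ] *****

Key Deleted : [x64] HKLM\SOFTWARE\AdvertisingSupport

***** [ Browsers ] *****

-\\ Google Chrome v38.0.2125.111
[C:\Users\Roger\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
"""

# Assumed patterns for section headers, file/registry items and browser items
SECTION_RE = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")
ITEM_RE = re.compile(r"^(Folder|File|Key|Value) (Deleted|Found) : (?:\[x64\] )?(.+)$")
BROWSER_RE = re.compile(r"^\[(.+?)\] - (Deleted|Found) \[(.+?)\] : (.+)$")

def parse_adwcleaner(text):
    """Map each report section to a list of (kind, action, target) tuples."""
    findings = defaultdict(list)
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # header and blank lines
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = ITEM_RE.match(line) or BROWSER_RE.match(line)
        if m and section:
            # ITEM_RE groups: (kind, action, target); BROWSER_RE groups: (file, action, kind, target)
            g = m.groups()
            findings[section].append((g[0], g[1], g[2]) if len(g) == 3 else (g[2], g[1], g[3]))
    return dict(findings)

def hijack_indicators(findings):
    """Targets that explain injected ads/redirects: search providers and Firefox searchplugins files."""
    return [t for items in findings.values() for k, _, t in items
            if k == "Search Provider" or "\\searchplugins\\" in t.lower()]
```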


#4 buddy215

buddy215

  • Moderator
  • 13,508 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:49 PM

Posted 11 November 2014 - 01:38 PM

Safe Price...an Avast adware...is mentioned in the logs and removed along with other adware.

 

There is another step you can take to disable Safe Price.

Type the following into your Firefox address bar: chrome://wrc/content/options.html (hit Enter)
Scroll down to the bottom and uncheck  “SafePrice Receive SafePrice shopping recommendations on relevant sites.”  Then, click on the "Save" button.  Problem solved.
Just keep in mind that if Firefox or Avast "updates" their software, SafePrice might return ... requiring you to redo the procedure above.

 

Run a scan using Eset Online Scanner when you have the time. The scan can take more than an hour depending on computer resources and the size of files.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
  • Scan potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

Edited by buddy215, 11 November 2014 - 01:40 PM.


#5 CRBlair

CRBlair
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Gender:Male
  • Location:Columbia, MD USA
  • Local time:11:49 PM

Posted 13 November 2014 - 06:29 PM

BC Advisor, thanks for the advice. I tried to run the "Safe Price" software you mentioned, but my browser couldn't find the indicated page. As for ESET, here's the result:

C:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Jelbrus Secure Web\jsweb.dll    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Jelbrus Secure Web\jswff.exe    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe    a variant of Win32/Techsnab.C potentially unwanted application    deleted - quarantined
C:\Users\Roger\AppData\Roaming\0T1M1P0A1E1E0M1T1G\Magical Jelly Bean Keyfi Packages\uninstaller.exe    Win32/InstallCore.PC potentially unwanted application    deleted - quarantined
C:\Users\Roger\AppData\Roaming\0T1M1P0A1E1E0M1T1G\Open Office Packages\uninstaller.exe    Win32/InstallCore.PC potentially unwanted application    deleted - quarantined
C:\Users\Roger\Downloads\dfsetup218(1).exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined
C:\Users\Roger\Downloads\paint.net.4.0.3.install_inst.exe    a variant of Win32/InstallCore.QS potentially unwanted application    deleted - quarantined
C:\Users\Roger\Downloads\spsetup126.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    deleted - quarantined


Roger Blair

crogerblair@hotmail.com


#6 buddy215

buddy215

  • Moderator
  • 13,508 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:49 PM

Posted 13 November 2014 - 07:13 PM

Nothing malicious...Eset removed some more adware.

Anytime you install a free program or browser add-on you should try to do a custom install when offered and UNcheck offers of toolbars, etc. Sometimes though, you are not given those opportunities. Best to run the scanners to be sure no unwanted junkware, adware, etc. has been installed and to remove it if it has been.

 

One other thing you can do in your installed browsers is to block the ad/tracking cookies, aka third-party cookies, from installing.

Disable third-party cookies in IE, Firefox, and Google Chrome | How To - CNET

Once they are blocked from installing, you will need to delete the existing ones in all browsers. You can use CCleaner for that or just delete all cookies manually in all browsers. CCleaner will clean up other locations where those cookies lurk, for example Adobe Flash and DOM storage.

 

Happy surfin'...

