
Vaudix and SpyHunter 4 Malware


13 replies to this topic

#1 cddizzle

cddizzle

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 07 February 2015 - 05:41 PM

I keep getting these ads on my computer (Dell laptop with Windows 8) and under them it says "Ad by Vaudix".  I tried removing the "Vaaudiix" extension, but it keeps reappearing.  Also, in the process of trying to remove Vaudix from my computer, I downloaded "SpyHunter 4", which I don't think is a good program.  I can't delete it from my computer for one thing.  I've tried Malwarebytes, SpyBot and AdAware to no avail.  Any help would be appreciated.  Thank you.




 


#2 buddy215

buddy215

  • Moderator
  • 13,200 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:24 AM

Posted 07 February 2015 - 06:17 PM

Try removing/uninstalling SpyHunter using Revo Uninstaller. Choose the Advanced mode/button. Download Revo Uninstaller Freeware - Free and Full Download - Uninstall software, remove programs, solve uninstall problems (if Revo doesn't remove it, see the discussion and some good suggestions at i can't uninstall spyhunter NO MATTER WHAT - Anti-Virus and Anti-Malware Software)

 

Use the programs below to remove adware and malware.

Check the settings in MBAM and be sure it is scanning for PUPs. If not, allow it to and rescan.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 


 

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Hold down Control and click on this link to open ESET OnlineScan in a new window. (Eset can take more than an hour to run so plan accordingly)

  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
      • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
      • Scan potentially unwanted applications
      • Scan for potentially unsafe applications
      • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • NOTE: Sometimes if ESET finds no infections it will not create a log.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:24 PM

Posted 07 February 2015 - 06:38 PM

If you encounter any problems removing SpyHunter...please read this topic for more information.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 cddizzle

cddizzle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 08 February 2015 - 07:32 AM

Thanks for the quick response guys.  I really appreciate it.  I used Revo Uninstaller and SpyHunter is no longer on my computer AFAICT.  Here's the log from the JRT scan:

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.2 (02.02.2015:1)
OS: Windows 8.1 x64
Ran by Susan on Sun 02/08/2015 at  7:22:32.42
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Registry Values
 
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Default_Page_URL
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
Successfully deleted: [File] "C:\Users\Susan\appdata\local\google\chrome\user data\default\local storage\http_www.superfish.com_0.localstorage"
Successfully deleted: [File] "C:\Users\Susan\appdata\local\google\chrome\user data\default\local storage\http_www.superfish.com_0.localstorage-journal"
Successfully deleted: [File] "C:\Windows\wininit.ini"
 
 
 
~~~ Folders
 
Successfully deleted: [Folder] "C:\ProgramData\pcdr"
Successfully deleted: [Folder] "C:\Users\Susan\AppData\Roaming\pcdr"
 
 
 
~~~ Event Viewer Logs were cleared
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 02/08/2015 at  7:27:15.28
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Edited by cddizzle, 08 February 2015 - 07:43 AM.


#5 buddy215

buddy215

  • Moderator
  • 13,200 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:24 AM

Posted 08 February 2015 - 07:50 AM

You should remove/ uninstall SpyBot and AdAware. Both have fallen from grace over the years.

 

I omitted asking you to run a scan using AdwCleaner. Important that you do that.

  • Download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • After reviewing the log, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.


#6 cddizzle

cddizzle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 08 February 2015 - 08:42 AM

Here's the log from the AdwCleaner scan:

 

 

# AdwCleaner v4.110 - Logfile created 08/02/2015 at 08:36:33
# Updated 05/02/2015 by Xplode
# Database : 2015-02-05.2 [Server]
# Operating system : Windows 8.1  (x64)
# Username : Susan - SUSAN
# Running from : C:\Users\Susan\Desktop\AdwCleaner.exe
# Option : Cleaning
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
Folder Deleted : C:\ProgramData\17634493375744353301
Folder Deleted : C:\Program Files (x86)\Vaaudiix
Folder Deleted : C:\ProgramData\lcpeahkdjjppoecnmnbnkaceoiepemhj
File Deleted : C:\Users\Susan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Deleted : C:\Users\Susan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal
File Deleted : C:\Users\Susan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Deleted : C:\Users\Susan\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage-journal
 
***** [ Scheduled tasks ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\Pd0cf05c5_dc57_4a4e_987b_dcd679a405c6_.Pd0cf05c5_dc57_4a4e_987b_dcd679a405c6_
Key Deleted : HKLM\SOFTWARE\Classes\Pd0cf05c5_dc57_4a4e_987b_dcd679a405c6_.Pd0cf05c5_dc57_4a4e_987b_dcd679a405c6_.9
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{d0cf05c5-dc57-4a4e-987b-dcd679a405c6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{d0cf05c5-dc57-4a4e-987b-dcd679a405c6}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{d0cf05c5-dc57-4a4e-987b-dcd679a405c6}
Key Deleted : HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKCU\Software\AppDataLow\Software\adawarebp
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
 
***** [ Web browsers ] *****
 
-\\ Internet Explorer v11.0.9600.17416
 
 
-\\ Mozilla Firefox v
 
[ob31xr5x.default\prefs.js] - Line Deleted : user_pref("browser.search.order.1", "WebSearch");
[ob31xr5x.default\prefs.js] - Line Deleted : user_pref("browser.search.defaultenginename", "WebSearch");
[ob31xr5x.default\prefs.js] - Line Deleted : user_pref("browser.search.selectedEngine", "WebSearch");
[ob31xr5x.default\prefs.js] - Line Deleted : user_pref("browser.search.order.1,S", "WebSearch");
[ob31xr5x.default\prefs.js] - Line Deleted : user_pref("browser.search.defaultenginename,S", "WebSearch");
[ob31xr5x.default\prefs.js] - Line Deleted : user_pref("browser.search.selectedEngine,S", "WebSearch");
[ob31xr5x.default\prefs.js] - Line Deleted : user_pref("browser.search.defaulturl", "hxxp://websearch.thesearchpage.info/?pid=21242&r=2015/01/27&hid=11113844489570494964&lg=EN&cc=US&unqvl=74&l=1&q=");
 
-\\ Google Chrome v40.0.2214.93
 
 
*************************
 
AdwCleaner[R0].txt - [850 bytes] - [11/10/2014 17:37:53]
AdwCleaner[R1].txt - [834 bytes] - [12/10/2014 18:38:13]
AdwCleaner[R2].txt - [3800 bytes] - [07/02/2015 15:18:50]
AdwCleaner[R3].txt - [3859 bytes] - [07/02/2015 15:25:05]
AdwCleaner[R4].txt - [3917 bytes] - [07/02/2015 15:45:28]
AdwCleaner[R5].txt - [3568 bytes] - [08/02/2015 08:23:41]
AdwCleaner[R6].txt - [3627 bytes] - [08/02/2015 08:33:02]
AdwCleaner[S0].txt - [912 bytes] - [11/10/2014 17:41:32]
AdwCleaner[S1].txt - [965 bytes] - [12/10/2014 18:42:17]
AdwCleaner[S2].txt - [3665 bytes] - [08/02/2015 08:36:33]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [3724  bytes] ##########


#7 buddy215

buddy215

  • Moderator
  • 13,200 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:24 AM

Posted 08 February 2015 - 09:03 AM

So far, so good....important to scan with Eset.



#8 cddizzle

cddizzle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 08 February 2015 - 10:53 AM

ESET Scan report:

 

C:\AdwCleaner\Quarantine\C\ProgramData\lcpeahkdjjppoecnmnbnkaceoiepemhj\CmBE.js.vir JS/Kryptik.ATB trojan cleaned by deleting - quarantined
C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application deleted - quarantined
C:\Users\Susan\AppData\Roaming\Mozilla\Firefox\Profiles\ob31xr5x.default\extensions\staged\8PSsRP8@c.edu\content\bg.js JS/Kryptik.ATL trojan cleaned by deleting - quarantined
C:\Users\Susan\AppData\Roaming\Mozilla\Firefox\Profiles\ob31xr5x.default\extensions\staged\MEPdAM@em.edu\content\bg.js JS/Kryptik.ATL trojan cleaned by deleting - quarantined
C:\Users\Susan\AppData\Roaming\Mozilla\Firefox\Profiles\ob31xr5x.default\extensions\staged\nlSH31@s.com\content\bg.js JS/Kryptik.ATB trojan cleaned by deleting - quarantined


#9 buddy215

buddy215

  • Moderator
  • 13,200 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:24 AM

Posted 08 February 2015 - 11:19 AM

How is the computer performing...up to par?

 

Open CCleaner, click on Tools and choose Startups. On that page you will see a list of Windows Startups and tabs at the top for browsers and Scheduled Tasks.

At the bottom of the page you will see a button that, when clicked, will open a text editor and allow you to copy and paste that list of Startups for Windows. Please post that list of Windows Startups and the list of Tasks, which you can access by clicking on the Scheduled Tasks tab.

 

Download Security Check from here or here and save it to your Desktop.

  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE 1. If one of your security applications (e.g., third-party firewall) requests permission to allow DIG.EXE access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the results reading to me.
NOTE 3. If you receive the UNSUPPORTED OPERATING SYSTEM! ABORTED! message, restart the computer and Security Check should run.



#10 cddizzle

cddizzle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 08 February 2015 - 11:40 AM

It looks like the ads are gone now.

 

Windows Startups:

 

Yes HKLM:Run QuickSet Dell Inc. c:\Program Files\Dell\QuickSet\QuickSet.exe
Yes HKLM:Run RtHDVBg Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe" /MAXX5REC
Yes HKLM:Run RTHDVCPL Realtek Semiconductor "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
Yes HKLM:Run StartCCC Advanced Micro Devices, Inc. "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe" MSRun
Yes HKLM:Run WavesSvc Waves Audio Ltd. "C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe"
 
Tasks:
 
Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler
No Task Optimize Start Menu Cache Files-S-1-5-21-2144726742-2085155768-3147406515-1002
Yes Task PCDEventLauncherTask PC-Doctor, Inc. "C:\Program Files\My Dell\sessionchecker.exe"
Yes Task PCDoctorBackgroundMonitorTask PC-Doctor, Inc. "C:\Program Files\My Dell\uaclauncher.exe" -backgroundmon scripts\backgroundmon.xml -st PCDoctorBackgroundMonitorTask --ignoresecondarysplash --runsilently
Yes Task SpyHunter4Startup "C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe" /s
Yes Task Synaptics TouchPad Enhancements Synaptics Incorporated "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
Yes Task SystemToolsDailyTest "uaclauncher.exe" -silentenumeration -st SystemToolsDailyTest --ignoresecondarysplash --runsilently
 


#11 cddizzle

cddizzle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 08 February 2015 - 11:42 AM

Results of screen317's Security Check version 0.99.96  
   x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Windows Defender   
 WMI entry may not exist for antivirus; attempting automatic update. 
`````````Anti-malware/Other Utilities Check:````````` 
  Java 64-bit 8 Update 31  
 Google Chrome (40.0.2214.91) 
 Google Chrome (40.0.2214.93) 
````````Process Check: objlist.exe by Laurent````````  
 Windows Defender MSMpEng.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbam.exe  
 Malwarebytes Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:  % 
````````````````````End of Log`````````````````````` 


#12 buddy215

buddy215

  • Moderator
  • 13,200 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:24 AM

Posted 08 February 2015 - 12:02 PM

Disable these Tasks: (you can open the Tasks again. Click on each Task to highlight and then choose disable....if the option to remove or uninstall is given for the SpyHunter...choose that)

 

Yes Task GoogleUpdateTaskMachineCore Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c
Yes Task GoogleUpdateTaskMachineUA Google Inc. C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler

Yes Task SpyHunter4Startup "C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe" /s

 

Unless you spot another issue...I'd say you are good to go.

 

EDIT: you can follow the file path given for SpyHunter and delete that file....C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe

Or do a search for Enigma and/ or SpyHunter to find any leftovers.


Edited by buddy215, 08 February 2015 - 12:06 PM.

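Added example, not part of the thread or any participant's post: the review done by eye in posts #10 and #12 (spotting the SpyHunter4Startup task left behind after the uninstall) expressed as a small triage over a startup/task export. The tab-separated column layout, the `removed_products` and `exists` parameters, and the function names are assumptions made for this example; the task names and command lines are taken from post #10.

```python
import ntpath
import re

# Constructed sample: four rows from the task list in post #10, re-typed as
# tab-separated columns (enabled, kind, name, publisher, command). The column
# layout is an assumption; the names and command lines are from the thread.
SAMPLE = "\n".join([
    "Yes\tTask\tGoogleUpdateTaskMachineUA\tGoogle Inc.\t"
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua /installsource scheduler",
    "Yes\tTask\tPCDEventLauncherTask\tPC-Doctor, Inc.\t"
    r'"C:\Program Files\My Dell\sessionchecker.exe"',
    "Yes\tTask\tSpyHunter4Startup\t\t"
    r'"C:\Program Files\Enigma Software Group\SpyHunter\Spyhunter4.exe" /s',
    "Yes\tTask\tSystemToolsDailyTest\t\t"
    r'"uaclauncher.exe" -silentenumeration -st SystemToolsDailyTest',
])

# A quoted program, or an unquoted one ending at the first executable extension
# (unquoted paths under "Program Files" contain spaces, so split() is not enough).
_PROGRAM = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|cmd))(?=\s|$))', re.I)


def executable_of(command):
    """Return the program part of a Windows command line."""
    m = _PROGRAM.match(command)
    if m:
        return m.group(1) or m.group(2)
    parts = command.split()
    return parts[0] if parts else ""


def triage(export_text, removed_products=(), exists=None):
    """Flag enabled entries worth a second look.

    removed_products: names of software already uninstalled (hypothetical input).
    exists: optional callable(path) -> bool, e.g. os.path.exists on the PC itself.
    """
    findings = []
    for line in export_text.splitlines():
        cols = line.split("\t")
        if len(cols) != 5 or cols[0] != "Yes":
            continue  # disabled or malformed row
        _, _, name, publisher, command = cols
        exe = executable_of(command)
        reasons = []
        if not publisher.strip():
            reasons.append("no publisher")
        if not ntpath.isabs(exe):
            reasons.append("relative path")
        elif exists is not None and not exists(exe):
            reasons.append("target missing")
        haystack = (name + " " + exe).lower()
        reasons += ["removed product: " + p for p in removed_products
                    if p.lower() in haystack]
        if reasons:
            findings.append((name, exe, reasons))
    return findings


if __name__ == "__main__":
    for name, exe, reasons in triage(SAMPLE, removed_products=["SpyHunter"]):
        print(f"{name}: {exe} -> {', '.join(reasons)}")
```

A flag is a prompt to look, not a verdict: SystemToolsDailyTest is flagged for the same missing publisher and relative path, and it still needs a person to decide whether it belongs to the vendor's diagnostics.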

#13 cddizzle

cddizzle
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:11:24 AM

Posted 08 February 2015 - 12:10 PM

Thank you so much :)



#14 buddy215

buddy215

  • Moderator
  • 13,200 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:24 AM

Posted 08 February 2015 - 12:22 PM

You're welcome...enjoyed working with you...happy surfin'





