
Unexpected popups and ask toolbar


12 replies to this topic

#1 ytseschew

  • Members
  • 11 posts

Posted 08 February 2015 - 01:24 PM

Hello, I need some help diagnosing and fixing the problems I'm having on my laptop. I started to see numerous types of popups claiming that I have malware when trying to go to various sites, sometimes using audio too. Plus, I see instances of the ask.com toolbar in my browser. As time passes it is getting worse. I can no longer reach sites like bleepingcomputer.com, so I'll have to download the tools on another computer and burn them to CD before I can use them on my laptop.

 

I have not run any virus removers lately, though I am running MS Security Essentials.

 

I tried using msconfig to change the boot process so that it came up in safe mode, but now I am getting an error on boot about a problem in the BCD so the system won't boot at all anymore.  I've been looking up how to repair the BCD, but have not tried to do so yet.  I haven't tried inserting the MS Windows 7 disc to try "Repair your computer" yet.

 

OS:  Windows 7

 

Error on boot: 

    File:  \Boot\BCD

    Status: 0xc0000034

    Info:  The Windows Boot Configuration Data file is missing required information

 

Any assistance would be greatly appreciated.

 

Thank you,

 

-yt

 




#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 08 February 2015 - 04:00 PM

Hello, have you tried doing Startup Repair?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 ytseschew
  • Topic Starter

  • Members
  • 11 posts

Posted 08 February 2015 - 07:30 PM

Thanks for the reply.  I was able to recover the BCD using a Windows 7 Repair Disc.  Now I'm able to boot into Windows again, but still see the pop-ups and toolbar problems that I was describing earlier.  Do you have suggestions on what steps to take next?

 

Thanks,

 

-yt



#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 09 February 2015 - 02:45 AM

Hi, it's good to hear that. :)

Please download AdwCleaner by Xplode onto your desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search and after the scan completes click Report.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

regards, Elise




#5 ytseschew
  • Topic Starter

  • Members
  • 11 posts

Posted 09 February 2015 - 03:42 AM

Thanks for the feedback.  I ran AdwCleaner and these are the results from the log file:

 

# AdwCleaner v4.110 - Logfile created 09/02/2015 at 03:17:09
# Updated 05/02/2015 by Xplode
# Database : 2015-02-08.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Beggs - BEGGS-LAPTOP
# Running from : C:\Users\Beggs\Contacts\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****

Service Found : d65a1a66

***** [ Files / Folders ] *****

File Found : C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage
File Found : C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.ask.com_0.localstorage-journal
File Found : C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage
File Found : C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.superfish.com_0.localstorage-journal
File Found : C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage
File Found : C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxps_www.superfish.com_0.localstorage-journal
File Found : C:\Users\Beggs\AppData\Roaming\Mozilla\Firefox\Profiles\8iaypztg.default\searchplugins\ask-web-search.xml
File Found : C:\Users\Beggs\AppData\Roaming\Mozilla\Firefox\Profiles\8iaypztg.default\searchplugins\WebSearch.xml
Folder Found : C:\Program Files (x86)\Inbox Toolbar
Folder Found : C:\Program Files (x86)\TampaGeneration
Folder Found : C:\Program Files (x86)\Vauddix
Folder Found : C:\Program Files (x86)\Vaudiix
Folder Found : C:\Program Files (x86)\Vaudiix
Folder Found : C:\Program Files (x86)\youtubeadblocker
Folder Found : C:\ProgramData\13789350220807701986
Folder Found : C:\ProgramData\ajicadfnalcmfjlnkfdekpagdpoeegnn
Folder Found : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Inbox Toolbar
Folder Found : C:\ProgramData\Partner
Folder Found : C:\ProgramData\Red AdBlocker
Folder Found : C:\Users\Beggs\AppData\LocalLow\Inbox Toolbar
Folder Found : C:\Users\Beggs\AppData\Roaming\Mozilla\Firefox\Profiles\8iaypztg.default\Extensions\39ffxtbr@MapsGalaxy_39.com
Folder Found : C:\Users\Beggs\AppData\Roaming\Mozilla\Firefox\Profiles\8iaypztg.default\Extensions\J2NP@X.com
Folder Found : C:\Users\Beggs\AppData\Roaming\Mozilla\Firefox\Profiles\8iaypztg.default\Extensions\UAMzkRE@Y.org
Folder Found : C:\Windows\Util

***** [ Scheduled tasks ] *****

Task Found : driverupdate startup

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Found : HKCU\Software\AppDataLow\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Found : HKCU\Software\Inbox Toolbar
Key Found : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{042DA63B-0933-403D-9395-B49307691690}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Found : [x64] HKCU\Software\Inbox Toolbar
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C04B7D22-5AEC-4561-8F49-27F6269208F6}
Key Found : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Found : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Found : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Found : HKLM\SOFTWARE\{4A0F38A9-FE55-4B89-B73F-E60FDC0F72E9}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{37540F19-DD4C-478B-B2DF-C19281BCAF27}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{a33d3c29-3c66-4676-8b94-07e1b09c636d}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Found : HKLM\SOFTWARE\Classes\CLSID\{ecb8e8e1-a1d6-4df6-8106-9e95171040a4}
Key Found : HKLM\SOFTWARE\Classes\inbox.appserver
Key Found : HKLM\SOFTWARE\Classes\inbox.ibx404
Key Found : HKLM\SOFTWARE\Classes\Inbox.JSServer
Key Found : HKLM\SOFTWARE\Classes\Inbox.Toolbar
Key Found : HKLM\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}
Key Found : HKLM\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}
Key Found : HKLM\SOFTWARE\Classes\Pa33d3c29_3c66_4676_8b94_07e1b09c636d_.Pa33d3c29_3c66_4676_8b94_07e1b09c636d_
Key Found : HKLM\SOFTWARE\Classes\Pa33d3c29_3c66_4676_8b94_07e1b09c636d_.Pa33d3c29_3c66_4676_8b94_07e1b09c636d_.9
Key Found : HKLM\SOFTWARE\Classes\Pecb8e8e1_a1d6_4df6_8106_9e95171040a4_.Pecb8e8e1_a1d6_4df6_8106_9e95171040a4_
Key Found : HKLM\SOFTWARE\Classes\Pecb8e8e1_a1d6_4df6_8106_9e95171040a4_.Pecb8e8e1_a1d6_4df6_8106_9e95171040a4_.9
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho
Key Found : HKLM\SOFTWARE\Classes\protector_dll.protectorbho.1
Key Found : HKLM\SOFTWARE\Classes\protocols\handler\inbox
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{230332DF-D235-47EE-BC42-60860EF144CD}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{615E8AA1-6BB8-4A3D-A1CC-373194DB612C}
Key Found : HKLM\SOFTWARE\Classes\TypeLib\{CBEF8724-D080-4737-88DA-111EEC6651AA}
Key Found : HKLM\SOFTWARE\Inbox Toolbar
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BB74DE59-BC4C-4172-9AC4-73315F71CFFE}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a33d3c29-3c66-4676-8b94-07e1b09c636d}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecb8e8e1-a1d6-4df6-8106-9e95171040a4}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a33d3c29-3c66-4676-8b94-07e1b09c636d}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{ecb8e8e1-a1d6-4df6-8106-9e95171040a4}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{d65a1a66}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{612AD33D-9824-4E87-8396-92374E91C4BB}_is1
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{681002C6-5019-81A2-7871-A43754F71E56}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{a33d3c29-3c66-4676-8b94-07e1b09c636d}
Key Found : [x64] HKLM\SOFTWARE\Classes\CLSID\{ecb8e8e1-a1d6-4df6-8106-9e95171040a4}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{28C3737A-32D1-492D-B76B-8D75EBBFB887}
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{CE057E0D-2D7E-4DFF-A890-07BA69B8C762}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{612AD33D-9824-4E87-8396-92374E91C4BB}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a33d3c29-3c66-4676-8b94-07e1b09c636d}
Key Found : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecb8e8e1-a1d6-4df6-8106-9e95171040a4}
Value Found : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [InboxToolbar]

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17496

Setting Found : HKCU\Software\Microsoft\Internet Explorer\Main [Start Page] - hxxp://websearch.thesearchpage.info/?pid=21242&r=2015/01/31&hid=4601356482706900661&lg=EN&cc=US&unqvl=74
Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Main [Start Page] - hxxp://websearch.thesearchpage.info/?pid=21242&r=2015/01/31&hid=4601356482706900661&lg=EN&cc=US&unqvl=74

-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[8iaypztg.default] - Line Found : user_pref("browser.search.defaultenginename", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("browser.search.defaultenginename,S", "WebSearch");
[8iaypztg.default] - Line Found : user_pref("browser.search.defaulturl", "hxxp://websearch.thesearchpage.info/?pid=21242&r=2015/01/31&hid=4601356482706900661&lg=EN&cc=US&unqvl=74&l=1&q=");
[8iaypztg.default] - Line Found : user_pref("browser.search.order.1", "WebSearch");
[8iaypztg.default] - Line Found : user_pref("browser.search.order.1,S", "WebSearch");
[8iaypztg.default] - Line Found : user_pref("browser.search.selectedEngine", "WebSearch");
[8iaypztg.default] - Line Found : user_pref("browser.search.selectedEngine,S", "WebSearch");
[8iaypztg.default] - Line Found : user_pref("browser.startup.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=EA73DAF6-3E02-40F6-BCE0-D3C26624779E&n=780d1271&p2=^BBQ^xdm022^S11595^us&si=downspeedtest");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.BUTTON_STRUCTURE", "[{\"b\":222461841,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":222461842,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.defaultenginename.prev", "eBay");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.defaultenginename.savedPrev", "true");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.defaultenginename.tb", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.selectedEngine.prev", "eBay");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.selectedEngine.savedPrev", "true");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.selectedEngine.tb", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.homepage.prev", "hxxp://mail.google.com");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.homepage.savedPrev", "true");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.homepage.tb", "hxxp://home.tb.ask.com/index.jhtml?ptb=31DD1EBF-5999-4947-88E4-3A72E9134990&n=780ce777&p2=^Z5^xdm002^S10992^us&si=CKq[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.page.savedPrev", 1);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.page.tb", 1);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.version.last", "35.0");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.competitorDNS", "{\"comment\":\"refresh every 1 week (7*24*60*60*1000)\",\"refreshPeriod\":604800000,\"list\":[{\"url\":\"hxxp://www.dnsrsearch.com/[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.firstKnownVersion", "6.72.4.60280");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=31DD1EBF-5999-4947-88E4-3A72E9134990&n=780ce777&p2=^Z5^xdm002^S10992^us&si=CKq4nO23gMICFasRMwod_R[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.hp.enabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.hp.guardType", "HPR");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.hp.user.defined", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.initialized", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installKeysSource", "Cookies");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installType", "XPI");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.contextKey", "");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.installDate", "2014111607");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.partnerId", "^Z5^xdm002^S10992^us");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.partnerSubId", "CKq4nO23gMICFasRMwod_RMAkA");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.pixelUrl", "hxxp://download.headlinealley.com/install_pixels.jhtml?partner=^Z5^xdm002^S10992^us&coId=c13db18aa4724285bfc1153c1fc7897c&t[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.success", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.toolbarId", "31DD1EBF-5999-4947-88E4-3A72E9134990");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.isCompliantUninstallImplementation", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.lastActivePing", "1423235111114");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.lastKnownVersion", "6.83.5.44089");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.lostEngine", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.options.defaultSearch", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.options.homePageEnabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.options.keywordEnabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.options.tabEnabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.partnerPixelFired", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.searchHistory", "Singer Mann||Starbuck's parent company||shoulder muscle chart||Prince hits||craigslist.com||craigslist pittsburgh pa||NCAA Bowl Gam[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.successUrl", "hxxp://download.headlinealley.com/installComplete.jhtml");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.toolbar.ownSearch", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.toolbar.versionChanged", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.toolbarCollapsed", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.weather.location", "15201");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.BUTTON_STRUCTURE", "[{\"b\":221481779,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":221481780,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.browser.version.last", "35.0");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.firstKnownVersion", "6.33.3.43045");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=7FEC8977-2975-41ED-8B2B-148D0FE13C83&n=780bb2da&p2=^UX^xdm011^YYA^us&si=maps4pc");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.initialized", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installKeysSource", "LocalStorage");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installType", "XPI");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.contextKey", "");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.installDate", "2014032602");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.partnerId", "^UX^xdm011^YYA^us");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.partnerSubId", "maps4pc");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.pixelUrl", "hxxp://mapsgalaxy.dl.tb.ask.com/install_pixels.jhtml?partner=^UX^xdm011^YYA^us&coId=5221a7332d4548a0b5fb1aef66e4c95f&cake_i[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.success", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.installation.toolbarId", "7FEC8977-2975-41ED-8B2B-148D0FE13C83");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.isCompliantUninstallImplementation", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.lastActivePing", "1423235111115");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.lastKnownVersion", "6.83.5.47613");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.options.defaultSearch", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.options.homePageEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.options.keywordEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.options.tabEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.partnerPixelFired", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.searchHistory", "bnp paribas open||www.bnpparibasopen.com||Indian Wells, CA||music key translator||Coventry Advantra||heatInsurance deductibles||\"r[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.successUrl", "hxxp://maps4pc.com/thankyou.php");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.toolbar.versionChanged", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.toolbarCollapsed", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._39Members_.weather.location", "95050");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.BUTTON_STRUCTURE", "[{\"b\":222852386,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":222852387,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.homepage.prev", "hxxp://home.tb.ask.com/index.jhtml?ptb=31DD1EBF-5999-4947-88E4-3A72E9134990&n=780ce777&p2=^Z5^xdm002^S10992^us&si=C[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.homepage.savedPrev", "true");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.homepage.tb", "hxxp://home.tb.ask.com/index.jhtml?ptb=EA73DAF6-3E02-40F6-BCE0-D3C26624779E&n=780d1271&p2=^BBQ^xdm022^S11595^us&si=do[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.page.savedPrev", 1);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.startup.page.tb", 1);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.version.last", "35.0");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.competitorDNS", "{\"comment\":\"refresh every 1 week (7*24*60*60*1000)\",\"refreshPeriod\":604800000,\"list\":[{\"url\":\"hxxp://www.dnsrsearch.com/[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.firstKnownVersion", "6.83.5.43463");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=EA73DAF6-3E02-40F6-BCE0-D3C26624779E&n=780d1271&p2=^BBQ^xdm022^S11595^us&si=downspeedtest");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.hp.enabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.hp.guardType", "HPR");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.hp.user.defined", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.initialized", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installKeysSource", "LocalStorage");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installType", "XPI");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.contextKey", "");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.installDate", "2014122609");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerId", "^BBQ^xdm022^S11595^us");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerSubId", "downspeedtest");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.pixelUrl", "hxxp://free.internetspeedtracker.com/install_pixels.jhtml?partner=^BBQ^xdm022^S11595^us&sub_id=downspeedtest&coId=5b4bb0bcf[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.success", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.toolbarId", "EA73DAF6-3E02-40F6-BCE0-D3C26624779E");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.isCompliantUninstallImplementation", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.lastActivePing", "1423235111112");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.lastKnownVersion", "6.83.5.43463");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.defaultSearch", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.homePageEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.keywordEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.tabEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.partnerPixelFired", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.successUrl", "hxxp://downspeedtest.com/thankyou.php");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.toolbar.versionChanged", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.toolbarCollapsed", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.weather.location", "15201");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "internetspeedtracker@mindspark.com");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark.lastInstalled", "internetspeedtracker@mindspark.com");
[8iaypztg.default] - Line Found : user_pref("keyword.URL", "hxxp://websearch.thesearchpage.info/?pid=21242&r=2015/01/31&hid=4601356482706900661&lg=EN&cc=US&unqvl=74&l=1&q=");

-\\ Google Chrome v40.0.2214.93

[C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Beggs\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://websearch.thesearchpage.info/?l=1&q={searchTerms}&pid=21242&r=2015/01/31&hid=4601356482706900661&lg=EN&cc=US&unqvl=74
*************************

AdwCleaner[R0].txt - [26621 bytes] - [09/02/2015 03:17:09]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [26681 bytes] ##########
 



#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania

Posted 09 February 2015 - 09:14 AM

Hi,

Please rerun AdwCleaner and this time click the Clean button. When done restart your computer and let me know if you are still encountering problems.


regards, Elise




#7 ytseschew
  • Topic Starter

  • Members
  • 11 posts

Posted 10 February 2015 - 04:57 PM

I ran AdwCleaner and did the Cleaning.  I am still seeing pop ups when I browse.  I re-ran the AdwCleaner scan but this time it didn't find anything.  What are my next steps?

 

Thank you,

 

-yt



#8 ytseschew
  • Topic Starter

  • Members
  • 11 posts

Posted 10 February 2015 - 06:10 PM

After I ran Firefox, AdwCleaner now shows problems again.  So running AdwCleaner removed things, but some of them came back when I ran Firefox.  Here is the log file:

 

# AdwCleaner v4.110 - Logfile created 10/02/2015 at 18:06:08
# Updated 05/02/2015 by Xplode
# Database : 2015-02-09.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Beggs - BEGGS-LAPTOP
# Running from : C:\Users\Beggs\Contacts\Downloads\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\Beggs\AppData\Roaming\Mozilla\Firefox\Profiles\8iaypztg.default\searchplugins\ask-web-search.xml

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Mozilla Firefox v35.0.1 (x86 en-US)

[8iaypztg.default] - Line Found : user_pref("browser.search.defaultenginename", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("browser.search.selectedEngine", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("browser.startup.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=31DD1EBF-5999-4947-88E4-3A72E9134990&n=780ce777&p2=^Z5^xdm002^S10992^us&si=CKq4nO23gMICFasRMwod_RMAkA");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.BUTTON_STRUCTURE", "[{\"b\":222461841,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":222461842,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.defaultenginename.prev", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.defaultenginename.savedPrev", "true");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.defaultenginename.tb", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.selectedEngine.prev", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.selectedEngine.savedPrev", "true");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.search.selectedEngine.tb", "Ask Web Search");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.homepage.savedPrev", "true");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.homepage.tb", "hxxp://home.tb.ask.com/index.jhtml?ptb=31DD1EBF-5999-4947-88E4-3A72E9134990&n=780ce777&p2=^Z5^xdm002^S10992^us&si=CKq[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.page.savedPrev", 1);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.startup.page.tb", 1);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.browser.version.last", "35.0");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.firstKnownVersion", "6.83.5.44089");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=31DD1EBF-5999-4947-88E4-3A72E9134990&n=780ce777&p2=^Z5^xdm002^S10992^us&si=CKq4nO23gMICFasRMwod_R[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.hp.enabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.hp.guardType", "HPR");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.hp.user.defined", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.initialized", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installKeysSource", "LocalStorage");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installType", "XPI");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.contextKey", "");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.installDate", "2014111607");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.partnerId", "^Z5^xdm002^S10992^us");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.partnerSubId", "CKq4nO23gMICFasRMwod_RMAkA");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.pixelUrl", "hxxp://download.headlinealley.com/install_pixels.jhtml?partner=^Z5^xdm002^S10992^us&coId=c13db18aa4724285bfc1153c1fc7897c&t[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.success", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.installation.toolbarId", "31DD1EBF-5999-4947-88E4-3A72E9134990");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.isCompliantUninstallImplementation", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.lastActivePing", "1423609524751");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.lastKnownVersion", "6.83.5.44089");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.options.defaultSearch", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.options.homePageEnabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.options.keywordEnabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.options.tabEnabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.partnerPixelFired", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.successUrl", "hxxp://download.headlinealley.com/installComplete.jhtml");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.toolbar.ownSearch", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._29Members_.toolbarCollapsed", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.BUTTON_STRUCTURE", "[{\"b\":222852386,\"c\":\"mindspark.magnify\",\"p\":\"L.0\"},{\"b\":222852387,\"c\":\"mindspark.entersearchterms\",\"p\":\"L.0.0[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.browser.version.last", "35.0");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.firstKnownVersion", "6.83.5.43463");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=EA73DAF6-3E02-40F6-BCE0-D3C26624779E&n=780d1271&p2=^BBQ^xdm022^S11595^us&si=downspeedtest");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.initialized", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installKeysSource", "LocalStorage");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installType", "XPI");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.contextKey", "");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.installDate", "2014122609");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerId", "^BBQ^xdm022^S11595^us");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerSubId", "downspeedtest");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.pixelUrl", "hxxp://free.internetspeedtracker.com/install_pixels.jhtml?partner=^BBQ^xdm022^S11595^us&sub_id=downspeedtest&coId=5b4bb0bcf[...]
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.success", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.installation.toolbarId", "EA73DAF6-3E02-40F6-BCE0-D3C26624779E");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.isCompliantUninstallImplementation", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.lastActivePing", "1423609524758");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.lastKnownVersion", "6.83.5.43463");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.defaultSearch", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.homePageEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.keywordEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.options.tabEnabled", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.partnerPixelFired", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.successUrl", "hxxp://downspeedtest.com/thankyou.php");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark._9tMembers_.toolbarCollapsed", false);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled", true);
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark.hp.enabled.guid", "headlinealley@mindspark.com");
[8iaypztg.default] - Line Found : user_pref("extensions.toolbar.mindspark.lastInstalled", "internetspeedtracker@mindspark.com");
[8iaypztg.default] - Line Found : user_pref("keyword.URL", "hxxp://search.tb.ask.com/search/GGmain.jhtml?st=kwd&ptb=31DD1EBF-5999-4947-88E4-3A72E9134990&n=780ce777&ind=2014111607&p2=^Z5^xdm002^S10992^us&si=CKq4nO23gMICFasRMwod_RMAkA&s[...]

-\\ Google Chrome v40.0.2214.93

*************************

AdwCleaner[R0].txt - [26805 bytes] - [09/02/2015 03:17:09]
AdwCleaner[R1].txt - [26915 bytes] - [09/02/2015 15:35:30]
AdwCleaner[R2].txt - [2326 bytes] - [10/02/2015 16:54:29]
AdwCleaner[R3].txt - [2385 bytes] - [10/02/2015 16:58:45]
AdwCleaner[R4].txt - [1160 bytes] - [10/02/2015 18:00:21]
AdwCleaner[R5].txt - [1220 bytes] - [10/02/2015 18:04:03]
AdwCleaner[R6].txt - [10711 bytes] - [10/02/2015 18:06:08]
AdwCleaner[S0].txt - [27700 bytes] - [09/02/2015 15:37:18]
AdwCleaner[S1].txt - [2550 bytes] - [10/02/2015 17:58:23]

########## EOF - C:\AdwCleaner\AdwCleaner[R6].txt - [10890 bytes] ##########
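Added example (not code from this thread, from AdwCleaner or from Emsisoft): a Python audit of the kind of Firefox prefs.js entries the log above lists, run over a constructed prefs.js sample built from the same values. It flags search-engine and homepage prefs that point off an allow-list and counts how many separate toolbar installs left state behind; the allow-lists and the sample are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample prefs.js content, modelled on the AdwCleaner findings in the
# post above (hxxp is the log's defanged spelling; a real prefs.js says http).
SAMPLE_PREFS = r'''
user_pref("browser.search.defaultenginename", "Ask Web Search");
user_pref("browser.search.selectedEngine", "Ask Web Search");
user_pref("browser.startup.homepage", "hxxp://home.tb.ask.com/index.jhtml?ptb=31DD1EBF-5999-4947-88E4-3A72E9134990");
user_pref("keyword.URL", "hxxp://search.tb.ask.com/search/GGmain.jhtml?st=kwd");
user_pref("extensions.toolbar.mindspark._29Members_.installType", "XPI");
user_pref("extensions.toolbar.mindspark._29Members_.installation.partnerSubId", "CKq4nO23gMICFasRMwod_RMAkA");
user_pref("extensions.toolbar.mindspark._9tMembers_.installation.partnerSubId", "downspeedtest");
user_pref("extensions.toolbar.mindspark.lastInstalled", "internetspeedtracker@mindspark.com");
user_pref("browser.tabs.warnOnClose", false);
user_pref("network.cookie.cookieBehavior", 0);
'''

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*)\);\s*$')
INSTANCE_RE = re.compile(r'^extensions\.toolbar\.mindspark\.(_[^.]+_)\.')

# Core prefs a search/homepage hijacker has to rewrite to take effect.
SEARCH_PREFS = {"browser.search.defaultenginename", "browser.search.selectedEngine"}
URL_PREFS = {"browser.startup.homepage", "keyword.URL"}
# Assumed allow-lists for a stock profile; anything else is reported for review.
EXPECTED_ENGINES = {"Google", "Bing", "Yahoo", "DuckDuckGo"}
EXPECTED_HOSTS = {"www.google.com", "www.mozilla.org", "start.mozilla.org"}
TOOLBAR_PREFIX = "extensions.toolbar.mindspark."


def parse_prefs(text):
    """Yield (name, value) for each user_pref(...) line, with surrounding quotes removed."""
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            yield m.group(1), m.group(2).strip().strip('"')


def url_is_expected(value):
    """about: pages are fine; otherwise the host must be on the allow-list."""
    url = value.replace("hxxp", "http", 1)  # undo defanging before parsing
    if url.startswith("about:"):
        return True
    host = (urlparse(url).hostname or "").lower()
    return host in EXPECTED_HOSTS


def audit_prefs(text):
    """Report hijacked core prefs and leftover toolbar state, keyed by pref name."""
    report = {"hijacked": {}, "toolbar_residue": {}}
    for name, value in parse_prefs(text):
        if name in SEARCH_PREFS and value not in EXPECTED_ENGINES:
            report["hijacked"][name] = value
        elif name in URL_PREFS and not url_is_expected(value):
            report["hijacked"][name] = value
        elif name.startswith(TOOLBAR_PREFIX):
            report["toolbar_residue"][name] = value
    return report


def toolbar_instances(report):
    """Distinct toolbar installs: each bundled install gets its own _xxMembers_ branch."""
    found = set()
    for name in report["toolbar_residue"]:
        m = INSTANCE_RE.match(name)
        if m:
            found.add(m.group(1))
    return found


if __name__ == "__main__":
    result = audit_prefs(SAMPLE_PREFS)
    for name, value in result["hijacked"].items():
        print(f"HIJACKED  {name} = {value}")
    print(f"toolbar instances: {sorted(toolbar_instances(result))}")
```

Two instances in the residue matches what the log shows: two separate bundled installs (different partnerSubId values) wrote their own state, which is why a single cleanup pass can leave a second copy behind.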
 



#9 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:50 AM

Posted 11 February 2015 - 02:59 AM

Could you explain what sort of pop-ups these are?

Download Emsisoft Emergency Kit and save it to your desktop. Double click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually c:\). .
  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.

regards, Elise




#10 ytseschew

ytseschew
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:50 AM

Posted 11 February 2015 - 02:07 PM

Thanks for your help.  I have run Emsisoft Emergency Kit and have pasted the log file below.  Note that it gave me a message saying that it could not remove the 'regwork' program (in C:\Program Files (x86)\regwork).  After running EEK I also ran AdwCleaner again and it still showed a few entries under Firefox.  So I manually removed the add-ons from Firefox.  After I used AdwCleaner one more time it no longer shows the errors in Firefox.  I am no longer seeing unexpected pop-ups when using Firefox.

I ran EEK a second time with a full scan.  It still shows 'regwork' and it was still unable to remove it.  If possible, I would like to remove that 'regwork' program if that makes sense.  Also, are there any other programs that you recommend I run to check for other hidden problems?

Thanks again,

-yw

Emsisoft Emergency Kit - Version 9.0

Quarantine log

Date Source Event Detection

2/11/2015 10:22:48 AM Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613} Moved to quarantine Application.AdGenie (A)

2/11/2015 10:22:44 AM C:\ProgramData\regwork Moved to quarantine Application.AppInstall (A)

2/11/2015 10:22:42 AM Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\REGWORK Moved to quarantine Application.InstallAd (A)

2/11/2015 10:22:42 AM C:\Users\Beggs\AppData\Roaming\Mozilla\Firefox\Profiles\8iaypztg.default\Searchplugins\ask-web-search.xml Moved to quarantine Application.SearchPlug (A)

2/11/2015 10:22:41 AM C:\Program Files (x86)\DriverUpdate Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:40 AM C:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverUpdate Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:36 AM C:\Users\Beggs\AppData\Local\SlimWare Utilities Inc\DriverUpdate Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:35 AM C:\Users\Public\Documents\Downloaded Installers\{CF516344-84E1-4420-BDAD-52E13F32D07E} Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:34 AM C:\$Recycle.Bin\S-1-5-21-2835657335-1571383397-2689222736-1000\$RNEZZZN.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)


Sorry, but I had to split this post into two because I had "too many emoticons" in my post:

2/11/2015 10:22:34 AM Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SLIMWARE UTILITIES, INC.\DRIVERAPP Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:34 AM Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\SLIMWARE UTILITIES INC\DRIVERUPDATE Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:34 AM Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\{CF516344-84E1-4420-BDAD-52E13F32D07E} Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:34 AM Key: HKEY_USERS\S-1-5-21-2835657335-1571383397-2689222736-1000\SOFTWARE\SLIMWARE UTILITIES INC\DRIVERUPDATE Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:34 AM C:\Windows\Tasks\DriverUpdate Scan.job Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:34 AM C:\Users\Public\Desktop\DriverUpdate.lnk Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:34 AM C:\Windows\Installer\{CF516344-84E1-4420-BDAD-52E13F32D07E} Moved to quarantine Application.InstallDrive (A)

2/11/2015 10:22:33 AM C:\AdwCleaner\Quarantine\C\Program Files (x86)\youtubeadblocker\WaKrLjez7etI5b.dll.vir Moved to quarantine Gen:Variant.Adware.Zusy.121779 (B)

2/11/2015 10:22:33 AM C:\AdwCleaner\Quarantine\C\Program Files (x86)\Vaudiix\Vaudiix.exe.vir Moved to quarantine Adware.Agent.PEM (B)

2/11/2015 10:22:33 AM C:\AdwCleaner\Quarantine\C\Program Files (x86)\Vauddix\luw6r44Wn8p29v.exe.vir Moved to quarantine Adware.Agent.PEM (B)

2/11/2015 10:22:33 AM C:\AdwCleaner\Quarantine\C\Program Files (x86)\Vauddix\luw6r44Wn8p29v.dll.vir Moved to quarantine Gen:Variant.Adware.Zusy.121779 (B)

2/11/2015 10:22:33 AM C:\AdwCleaner\Quarantine\C\Program Files (x86)\TampaGeneration\TampaGeneration.dll.vir Moved to quarantine Trojan.Generic.12553161 (B)

2/11/2015 10:22:32 AM C:\ProgramData\{8f1899d8-139a-0112-8f18-899d81396760}\Download.exe File locked, removal on next reboot Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:32 AM C:\ProgramData\{8eb7c66a-1c5a-8312-8eb7-7c66a1c519a8}\Download.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:32 AM C:\ProgramData\{4093f88d-92c9-5cbb-4093-3f88d92ce236}\Download.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:32 AM C:\Program Files (x86)\The Amazing Spiderman Movie Game\The Amazing Spiderman Movie Game.exe Moved to quarantine Adware.Agent.PEM (B)

2/11/2015 10:22:32 AM C:\AdwCleaner\Quarantine\C\Program Files (x86)\youtubeadblocker\WaKrLjez7etI5b.exe.vir Moved to quarantine Adware.Agent.PEM (B)

2/11/2015 10:22:31 AM C:\Users\Beggs\AppData\Local\Temp\321cdB1b\temp\putfu.xyz Moved to quarantine Gen:Variant.Adware.Mplug.26 (B)

2/11/2015 10:22:31 AM C:\Users\Beggs\AppData\Local\Temp\321cdB1b\temp\hpds_setup.exe Moved to quarantine Application.MPlug (A)

2/11/2015 10:22:31 AM C:\Users\Beggs\AppData\Local\Temp\321cdB1b\temp\Download.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:31 AM C:\Users\Beggs\AppData\Local\Temp\10E8C8AcC.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:31 AM C:\ProgramData\{f35a0247-c9ff-1a85-f35a-a0247c9f091f}\Download.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:30 AM C:\Users\Beggs\AppData\Local\Temp\b8294F7D28B\temp\Download.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:30 AM C:\Users\Beggs\AppData\Local\Temp\Aee3398A6793.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:30 AM C:\Users\Beggs\AppData\Local\Temp\509010\temp\Download.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:30 AM C:\Users\Beggs\AppData\Local\Temp\3e3A7\temp\Download.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:30 AM C:\Users\Beggs\AppData\Local\Temp\321cdB1b\temp\VaudixIE_extension.exe Moved to quarantine Gen:Variant.Adware.MPlug.12 (B)

2/11/2015 10:22:29 AM C:\Users\Beggs\Contacts\Downloads\Download.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:29 AM C:\Users\Beggs\Contacts\Downloads\Download(1).exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:29 AM C:\Users\Beggs\AppData\Local\Temp\dde93.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:29 AM C:\Users\Beggs\AppData\Local\Temp\Bb74316b.exe Moved to quarantine Gen:Variant.Adware.MPlug.29 (B)

2/11/2015 10:22:28 AM C:\Users\Beggs\Documents\Financial\Installation.exe Moved to quarantine Gen:Variant.Application.Bundler.Outbrowse.1 (B)


#11 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:50 AM

Posted 11 February 2015 - 03:56 PM

Strange, the log shows it as removed. Can you try to manually remove the folder if it is still there?

Unless you have any further problems, you should be good to go. :) There was no actual malware present, only adware/PUPs. As always, make sure you have an updated antivirus program running and keep Windows and all your other software up to date. :)

Please read the following advice on how to prevent reinfecting your PC:
  • Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
    Some more links you might find of interest:

regards, Elise




#12 ytseschew

ytseschew
  • Topic Starter

  • Members
  • 11 posts
  • Local time:03:50 AM

Posted 12 February 2015 - 04:02 PM

Elise, I have had no further problems.  I was able to remove regwork from "add remove programs".  I've updated Windows and other areas to the latest software.  Thank you so much for all of your help.  I really appreciate it.

 

-yt



#13 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,308 posts
  • Gender:Female
  • Location:Romania
  • Local time:11:50 AM

Posted 13 February 2015 - 03:04 AM

You're most welcome, happy computing! :thumbup2:

regards, Elise






