
Suchhappy redirect virus, and getprivate shopper, 7 Pro x64, Firefox


13 replies to this topic

#1 mrgood

mrgood

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:05:23 AM

Posted 27 April 2015 - 05:18 PM

I have Microsoft Security Essentials and Windows Firewall.

 

Malwarebytes and HitmanPro have also been unable to find the problem.

 

 




#2 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:10:23 AM

Posted 27 April 2015 - 05:30 PM

Hello, and :welcome: to BC.

Please follow the instructions below. If you do not understand anything, feel free to stop and ask.

Security Check by screen317
  • Download Security Check by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt. Please copy and paste the contents of the log in your next reply.

===

AdwCleaner by Xplode
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait a bit.
  • Click on the I agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, ensure that all items are checked and click on the Cleaning button.
  • AdwCleaner will ask to reboot to finish cleaning.
  • A log will open when the system finishes rebooting. Please copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles is saved in the C:\AdwCleaner folder which was created when running the tool.
===

Junkware Removal Tool
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
===

ESET Online Scanner

You will need to use Internet Explorer for this scan.
  • Hold down Ctrl and click here to open ESET Online Scanner in a new window.
  • Click the ESET Online Scanner button.
  • Put a checkmark in "YES, I accept the Terms of Use."
  • Click Start.
  • Accept any security warnings from your browser.
  • Under Scan settings, put a checkmark in Scan Archives.
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Scan.
  • ESET Online Scanner will automatically update and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats.
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Please report on the status of your computer after you have finished the steps.

Regards,
Alex

#3 mrgood


Posted 27 April 2015 - 08:24 PM

Thank you so much!

 

Unfortunately, after those steps, the GetPrivate Shopper popups still appear, and I had a redirect to suchhappy again.

 

Here are the logs.

 

Security Check screen317

 

Results of screen317's Security Check version 1.00  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Microsoft Security Essentials   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 40  
 Adobe Flash Player 17.0.0.169  
 Adobe Reader XI  
 Mozilla Firefox (37.0.2)
 Google Chrome (41.0.2272.118)
 Google Chrome (42.0.2311.90)
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe
 Microsoft Security Essentials msseces.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
 

 

Adware Cleaner Xplode (this is the S1 log)

 

# AdwCleaner v4.202 - Logfile created 27/04/2015 at 18:52:06
# Updated 23/04/2015 by Xplode
# Database : 2015-04-27.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Owner - OWNER-PC
# Running from : C:\Users\Owner\Desktop\adwcleaner_4.202.exe
# Option : Cleaning

***** [ Services ] *****

[#] Service Deleted : CouponPrinterService
[#] Service Deleted : YahooAUService

***** [ Files / Folders ] *****

Folder Deleted : C:\Program Files (x86)\Coupons

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17728


-\\ Mozilla Firefox v37.0.2 (x86 en-US)


-\\ Google Chrome v42.0.2311.90


-\\ Opera v0.0.0.0


*************************

AdwCleaner[R0].txt - [6015 bytes] - [27/04/2015 11:25:16]
AdwCleaner[R1].txt - [1105 bytes] - [27/04/2015 18:05:54]
AdwCleaner[R2].txt - [1162 bytes] - [27/04/2015 18:50:53]
AdwCleaner[S0].txt - [5780 bytes] - [27/04/2015 11:27:12]
AdwCleaner[S1].txt - [1055 bytes] - [27/04/2015 18:52:06]

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1114  bytes] ##########

 

 

Junkware Removal Log

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.6.5 (04.27.2015:1)
OS: Windows 7 Professional x64
Ran by Owner on Mon 04/27/2015 at 19:01:29.71
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] C:\Windows\couponprinter.ocx



~~~ Folders



~~~ FireFox

Emptied folder: C:\Users\Owner\AppData\Roaming\mozilla\firefox\profiles\3gsb9qnx.default\minidumps [5 files]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 04/27/2015 at 19:03:19.38
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


 

ESET Online Scanner Log

 

C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Roaming\Booster-Web\Booster-Web-Installer.exe.vir    Win32/SmootherWeb.C potentially unwanted application    deleted - quarantined
C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Roaming\Booster-Web\jid1-U7omKQ6kQfxMaQ@jetpack.zip.vir    Win32/SmootherWeb.C potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Safesoft Protector\ssff.exe    a variant of Win32/Techsnab.H potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Safesoft Protector\ssweb.dll    a variant of Win32/Techsnab.H potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Safesoft Protector\sswworker.exe    a variant of Win32/Techsnab.H potentially unwanted application    deleted - quarantined
C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WW1SFS6H\adobe_flash_setup[1].exe    a variant of Win32/InstallCore.ST potentially unwanted application    deleted - quarantined
C:\Users\Owner\AppData\Local\Temp\1BCF.tmp.exe    a variant of Win32/Techsnab.A potentially unwanted application    deleted - quarantined
C:\Users\Owner\AppData\Local\Temp\5748.tmp.exe    a variant of Win32/Techsnab.A potentially unwanted application    deleted - quarantined
C:\Users\Owner\AppData\Local\Temp\8B63E911-E59C-7F89-951C-8F1AF69A86E7.exe    a variant of Win32/Adware.AddLyrics.DR application    cleaned by deleting - quarantined
C:\Users\Owner\AppData\Local\Temp\nsi9AD0.tmp    Win32/Adware.ConvertAd.AQ application    cleaned by deleting - quarantined
C:\Users\Owner\AppData\Local\Temp\nskC942.tmp    Win32/Adware.ConvertAd.AQ application    cleaned by deleting - quarantined
C:\Users\Owner\AppData\Local\Temp\nsp8891.tmp    Win32/Adware.ConvertAd.AQ application    cleaned by deleting - quarantined
C:\Users\Owner\AppData\Local\Temp\nsu2852.tmp    multiple threats    cleaned by deleting - quarantined
C:\Users\Owner\Downloads\Adobe.Acrobat.XI.Pro.v11.0.2.Multilingual.Cracked.exe    a variant of Win32/Techsnab.G potentially unwanted application    deleted - quarantined
 


Edited by mrgood, 27 April 2015 - 09:50 PM.
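
Added example (not part of the original thread or any poster's own code): a small Python triage of the ESET export format shown in the post above, separating detections by where the file sat on disk so that leftovers in a tool quarantine or temp folder are not confused with software that was actually installed. The function names, location labels and the `@jetpack` add-on heuristic are assumptions of this example.

```python
import re
from collections import Counter

# Four lines copied from the ESET export posted above, used as sample input.
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\Users\Owner\AppData\Roaming\Booster-Web\jid1-U7omKQ6kQfxMaQ@jetpack.zip.vir    Win32/SmootherWeb.C potentially unwanted application    deleted - quarantined
C:\Program Files (x86)\Safesoft Protector\ssff.exe    a variant of Win32/Techsnab.H potentially unwanted application    deleted - quarantined
C:\Users\Owner\AppData\Local\Temp\nsu2852.tmp    multiple threats    cleaned by deleting - quarantined
C:\Users\Owner\Downloads\Adobe.Acrobat.XI.Pro.v11.0.2.Multilingual.Cracked.exe    a variant of Win32/Techsnab.G potentially unwanted application    deleted - quarantined
"""

# Ordered rules: the first matching pattern names where the file was found.
LOCATION_RULES = [
    ("tool quarantine", r"^C:\\AdwCleaner\\Quarantine\\"),
    ("browser cache", r"\\Temporary Internet Files\\"),
    ("temp folder", r"\\AppData\\Local\\Temp\\"),
    ("downloads", r"\\Downloads\\"),
    ("installed program", r"^C:\\Program Files( \(x86\))?\\"),
]

def parse_line(line):
    """Split one 'path    detection    action' line; return None if malformed."""
    # Fields are separated by runs of spaces (or a tab); paths contain single spaces.
    parts = re.split(r"\s{2,}|\t", line.strip())
    if len(parts) != 3:
        return None
    path, detection, action = parts
    match = re.search(r"Win\d+/[\w.]+", detection)
    name = match.group(0) if match else detection
    # Drop the variant suffix so Win32/Techsnab.H and .G count as one family.
    family = re.sub(r"\.[A-Z]{1,3}$", "", name)
    location = next((label for label, pattern in LOCATION_RULES
                     if re.search(pattern, path, re.IGNORECASE)), "other")
    return {
        "path": path, "family": family, "action": action, "location": location,
        "pua": "potentially unwanted" in detection,
        # Heuristic (assumption): Add-on SDK extension IDs end in "@jetpack".
        "firefox_addon": "@jetpack" in path.lower(),
    }

def triage(log_text):
    """Return (all findings, count per location, findings worth a manual check)."""
    findings = [f for f in map(parse_line, log_text.splitlines()) if f]
    by_location = Counter(f["location"] for f in findings)
    # Installed software and browser add-on packages tend to leave other traces
    # (services, profile data) that a file-only removal does not cover.
    follow_up = [f for f in findings
                 if f["location"] == "installed program" or f["firefox_addon"]]
    return findings, by_location, follow_up

if __name__ == "__main__":
    findings, by_location, follow_up = triage(SAMPLE_LOG)
    for location, count in by_location.most_common():
        print(f"{count:2d}  {location}")
    for f in follow_up:
        print("check:", f["family"], "->", f["path"])
```
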


#4 Sintharius


Posted 28 April 2015 - 12:50 AM

Thank you for the log.

Malwarebytes Anti-Malware

Download Malwarebytes Anti-Malware from here.

Double click on the file mbam-setup-2.x.x.xxxx.exe to install the application. (x.x.xxxx is the version)
  • Follow the prompt. At the end place a checkmark in Launch Malwarebytes Anti-Malware, then choose Finish.
  • When MBAM opens it will say Your database is out of date. Choose Fix Now.
  • Click on the Scan tab at the top of the window, choose Threat Scan, then Scan Now.
  • If you receive a message that updates are available, choose the Update Now button (the scan will start after updates are completed).
  • Please be patient as the scan will take some time.
  • If MBAM detected threats, choose Quarantine for all items, then click Apply Actions.
  • While still on the Scan tab, choose View detailed log. In the window that opens, click the Export button, choose Text file (*.txt) and save the log to your Desktop.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


===

Emsisoft Emergency Kit

Please download Emsisoft Emergency Kit and save it to your desktop. Double click on the EmsisoftEmergencyKit file you downloaded to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click the Extract button at the bottom. A folder named EEK will be created in the root of the drive (usually c:\).
  • After extraction please double-click on the new Start Emsisoft Emergency Kit icon on your desktop.
  • The first time you launch it, Emsisoft Emergency Kit will recommend that you allow it to download updates. Please click Yes so that it downloads the latest database updates.
  • When the update process is complete, a new button will appear in the lower-left corner that says Back. Click on this button to return to the Overview screen.
  • Click on Scan to be taken to the scan options. If you are asked if you want the scanner to scan for Potentially Unwanted Programs, then click Yes.
  • Click on the Full Scan button to start the scan.
  • When the scan is completed click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • When the threats have been quarantined, click the View report button in the lower-right corner, and the scan log will be opened in Notepad.
  • Please save the log in Notepad on your desktop, and attach it to your next reply.
  • When you close Emsisoft Emergency Kit, it will give you an option to sign up for a newsletter. This is optional, and is not necessary for the malware removal process.
===

Reset your browsers using instructions from here.

How is the computer now?

Regards,
Alex

#5 mrgood


Posted 28 April 2015 - 11:35 AM

Thank you for your continued help.

 

Unfortunately, I still have the problem. Here are the logs:

 

Malwarebytes

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 4/28/2015
Scan Time: 12:21:45 PM
Logfile: mbamlog.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.04.28.04
Rootkit Database: v2015.04.21.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Owner

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 333939
Time Elapsed: 6 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

 

 

Emsisoft

 

Emsisoft Emergency Kit - Version 9.0
Last update: 4/28/2015 10:38:48 AM
User account: Owner-PC\Owner

Scan settings:

Scan type: Full Scan
Objects: Rootkits, Memory, Traces, C:\

Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: Off

Scan start:    4/28/2015 10:40:21 AM
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN     detected: Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN.1     detected: Application.AdReg (A)
C:\AdwCleaner\Quarantine\C\Program Files (x86)\PrivateVPN\gpup.exe.vir     detected: Trojan.Generic.13012522 (B)

Scanned    218665
Found    3

Scan end:    4/28/2015 11:17:08 AM
Scan time:    0:36:47

C:\AdwCleaner\Quarantine\C\Program Files (x86)\PrivateVPN\gpup.exe.vir    Quarantined Trojan.Generic.13012522 (B)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN.1    Quarantined Application.AdReg (A)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\YT.YTNAVASSISTPLUGIN    Quarantined Application.AdReg (A)

Quarantined    3
 

 

NOTE: I did run a Malwarebytes scan before the Emsisoft, but I had forgotten to write a log. But the first log showed no threats.

 

The browsers have been reset.



#6 Sintharius


Posted 28 April 2015 - 12:18 PM

Hello there,

Are the ads affecting only one browser, or all browsers?

Do you have any other devices connected to the same network?

#7 mrgood


Posted 28 April 2015 - 01:13 PM

Thanks!

 

It only seems to be affecting Firefox.

 

The ads and redirecting don't seem to occur on IE or Chrome. I rarely use them, though, but I checked now just to make sure.

 

There are other computers on the network, not sure if they have the issue, or what browser they use.



#8 Sintharius


Posted 28 April 2015 - 01:27 PM

There are a few more things that we could try.

Install CCleaner from here, then use it to clean your temporary files. Once you are done, check Firefox again and see if the problem persists.

Regards,
Alex

#9 mrgood


Posted 28 April 2015 - 02:01 PM

I tried the CCleaner, and the redirect and popups still appear :(

 

Should I uninstall and reinstall Firefox? That seems to be the way to go.



#10 Sintharius


Posted 28 April 2015 - 03:30 PM

This seems to be quite a stubborn infection, and will need further intervention by a member of the Malware Response Team. I'm sorry I cannot help you further.

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

When you have finished posting your log, please reply here with a link to the topic so this can be closed.

Regards,
Alex

#11 mrgood


Posted 28 April 2015 - 04:06 PM

Thank you so much for your help. You're awesome!

 

I uninstalled and then reinstalled Firefox, and it seems to be gone!!

 

:bananas: :bounce: :love4u: :warrior: :flowers:



#12 Sintharius


Posted 28 April 2015 - 04:17 PM

Glad to hear you sorted it out.

Please run the below tool to remove the tools we have used and their logs.

DelFix by Xplode

Download Delfix from here and save it to your desktop.
  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.
When the tool is finished, a log will open in Notepad. Please copy and paste the log in your next reply.

You can uninstall ESET Online Scanner manually from Programs And Features if you have it installed.

Be safe!

Regards,
Alex

#13 mrgood


Posted 28 April 2015 - 05:02 PM

Here is my Delfix log

 

# Updated 26/04/2015 by Xplode
# Username : Owner - OWNER-PC
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\AdwCleaner
Deleted : C:\RegBackup
Deleted : C:\Users\Owner\Desktop\rkill
Deleted : C:\TDSSKiller.3.0.0.44_26.04.2015_20.41.24_log.txt
Deleted : C:\Users\Owner\Desktop\adwcleaner_4.202.exe
Deleted : C:\Users\Owner\Desktop\JRT.exe
Deleted : C:\Users\Owner\Desktop\JRT.txt
Deleted : C:\Users\Owner\Desktop\Rkill.txt
Deleted : C:\Users\Owner\Desktop\SecurityCheck.exe
Deleted : C:\Users\Owner\Downloads\adwcleaner_4.109.exe
Deleted : C:\Users\Owner\Downloads\adwcleaner_4.202(1).exe
Deleted : C:\Users\Owner\Downloads\adwcleaner_4.202.exe
Deleted : C:\Users\Owner\Downloads\JRT.exe
Deleted : C:\Users\Owner\Downloads\HijackThis.exe
Deleted : C:\Users\Owner\Downloads\hijackthis.log
Deleted : C:\Users\Owner\Downloads\rkill.exe
Deleted : C:\Users\Owner\Downloads\SecurityCheck.exe
Deleted : C:\Users\Owner\Downloads\tdsskiller.exe
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #65 [Windows Update | 04/15/2015 18:04:58]
Deleted : RP #66 [Windows Update | 04/16/2015 03:52:21]
Deleted : RP #67 [Windows Update | 04/20/2015 22:39:28]
Deleted : RP #68 [Windows Update | 04/26/2015 14:46:42]
Deleted : RP #69 [Checkpoint by HitmanPro | 04/27/2015 02:37:05]
Deleted : RP #70 [Checkpoint by HitmanPro | 04/27/2015 02:40:24]
Deleted : RP #71 [Checkpoint by HitmanPro | 04/27/2015 02:47:00]
Deleted : RP #72 [Checkpoint by HitmanPro | 04/27/2015 21:56:46]
Deleted : RP #73 [Checkpoint by HitmanPro | 04/27/2015 21:57:39]

New restore point created !

########## - EOF - ##########
 



#14 Sintharius


Posted 28 April 2015 - 05:07 PM

You are good to go :thumbup2:

Please read this for information on how to keep your computer secure: Simple ways to keep your computer safe and secure online

Best of luck to you :)

Regards,
Alex



