Ran a bad installer, now my browsers have extensions that I can't get rid of.


7 replies to this topic

#1 AlexanderZero


Posted 14 June 2015 - 09:10 PM

Computer Info:

Windows 7: 64-bit

 

Hey guys. So the story starts with a friend of mine who I trust as far as computers are concerned. I ask him what program he uses to monitor his temps and it's a tool called 'Core Temp' which perhaps was a good tool in the past. Since then, it seems like the developers have packaged viruses into their installer.

 

Here's the website. I don't recommend downloading anything:

http://www.alcpu.com/CoreTemp/

 

So I did download the installer and ran it. A bunch of optional bloatware came up, all of which I skipped. Even though I chose not to install it, it still installed a few programs which I didn't want. I removed those using "uninstall a program" from the control panel. However, now Chrome and Firefox have extensions that I can't get rid of. I haven't looked too extensively into the one with Firefox but the Chrome one has me stumped. Here's some pics for context:

 

Chrome extension (Dealz):


https://i.imgur.com/aarFiBe.png

 

 

Firefox extension (Urban ladder 0.2)


https://i.imgur.com/qeUzc7z.png

 

 

Ok, so here's everything that I have since done to try and get rid of the Chrome extension.

  • One of the programs I uninstalled via the control panel was called 'Dealz'
  • I deleted the corresponding folder to the extension ID from "C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Extensions"
    • It always comes back when I run Chrome
  • I also found and deleted two registry entries (one in HKEY_CURRENT_USER and one in HKEY_LOCAL_MACHINE) with the same extension ID in the area where those are kept for Chrome extension. These entries have not been put back into the registry.
  • I ran a scan with Microsoft Security Essentials, but it didn't find anything.
  • I did a system restore to a point yesterday, before I ran the bad installer. Nothing was changed.
  • I uninstalled and reinstalled Chrome. The Dealz extension was still there.
  • I ran MalwareBytes anti-malware software. It found about 10 items and I fixed them all using the program.

 

In somewhat of desperation, I did a Windows search on my C: drive for the keyword "Dealz"

Here is what came up:


https://i.imgur.com/1aHr13Y.png

 

The properties window:


https://i.imgur.com/yx9dFIv.png

 

The full highlighted text (visit at your own risk!)

http://sub.reichtron.com/pinger?event_type=offer_accepted&installer_source=tokyo-bidl&software_type=sponsored&muid=aa5e213367c7b29d58db610cdd22be6f&client_uid=44075CA514C14CEC8E64832543249CA4&uniqid=false&affiliate_id=coretemp10&software_id=coretemp10&sponsored_id=dealz&tokyo_csrf2_key=27d9abfa90e3a2919576b64365fba3d7&tokyo_csrf2_timestamp=1434311251&slot_number=1&index_in_screen=1&index_in_session=1&0.46489681658203285

I cannot see where on my hard drive these files are located. Nothing happens when I try to delete them.

 

So... I'm at the end of my wits here. Is there anybody that can help me out with this? I'd prefer not to format my PC if I don't have to.

 

 

 




 


#2 JohnC_21


Posted 14 June 2015 - 09:43 PM

Hello, and Welcome

 

Download and run Adwcleaner. It may take more than one run.



#3 AlexanderZero


Posted 15 June 2015 - 12:31 AM

Hi,

 

I downloaded Adwcleaner and ran it. The first run turned up a few things and I had it clean all of them. Unfortunately, the Dealz extension is still coming back when I open Chrome. Adwcleaner doesn't detect anything new when I run it again.

Here's the log from running Adwcleaner:

 

 

# AdwCleaner v4.206 - Logfile created 14/06/2015 at 22:21:45
# Updated 01/06/2015 by Xplode
# Database : 2015-06-14.1 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Trevor - TREVOR-PC
# Running from : C:\Users\Trevor\Downloads\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Trevor\Documents\Updater

***** [ Scheduled tasks ] *****

Task Deleted : Winupdate
Task Deleted : EssentialUpdateMachine

***** [ Shortcuts ] *****


***** [ Registry ] *****

Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [1]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [2]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [3]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [4]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [6]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [7]
Value Deleted : HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist [8]
Data Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings [ProxyOverride] - *.

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17840


-\\ Mozilla Firefox v34.0.5 (x86 en-US)


-\\ Google Chrome v43.0.2357.124

[C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Trevor\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [1875 bytes] - [14/06/2015 22:20:29]
AdwCleaner[S0].txt - [1826 bytes] - [14/06/2015 22:21:45]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1885  bytes] ##########
 



#4 AlexanderZero


Posted 15 June 2015 - 12:48 AM

Just another update on this. If I open Chrome, shortly afterwards my internet connection is maxed out for bandwidth (about 12 Mb/s) and I can no longer use the internet on my PC. If I close Chrome, I still have this problem and looked in the Task Manager at the networking tab, seeing it use 12% network utilization (out of 100 Mb/s). The only way to stop this is to restart my computer or I also can stop it by disabling my Ethernet adapter and then re-enabling it.

 

EDIT: Actually I'm not so sure about this symptom. Seems like twitch.tv sucks up a ton of bandwidth even after you close your browser? Firefox had a similar issue where it took about a minute for the network utilization to go away after closing the browser. Although with Chrome it seemingly lasted forever.

EDIT2: I was able to remove the Firefox extension by deleting the file. Now the Chrome extension is the only problem left.


Edited by AlexanderZero, 15 June 2015 - 04:55 AM.


#5 JohnC_21


Posted 15 June 2015 - 09:34 AM

Run the Junkware Removal tool. Then do a scan with Hitman Pro. If those do not work then try resetting Chrome after backing up your bookmarks.

 

Edit: See this page. Do a search in the registry for the ID number of the extension.


Edited by JohnC_21, 15 June 2015 - 10:41 AM.


#6 AlexanderZero


Posted 15 June 2015 - 08:17 PM

Hi again. Both the Junkware Removal Tool and HitmanPro found and removed some items. However the extension is still reinstalling itself into Chrome. I reset the settings but that didn't change it. I also deleted all registry entries with that ID and used the script from the page you linked to prevent new ones from coming into the registry.

Regardless, the extension is continuing to install itself into Chrome. Once I manage to get rid of this thing I'll be seriously tempted to stop using Chrome.

 

Here are the logs:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.9.7 (06.15.2015:1)
OS: Windows 7 Professional x64
Ran by Trevor on Mon 06/15/2015 at 17:44:54.35
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Tasks



~~~ Registry Values



~~~ Registry Keys



~~~ Files

Successfully deleted: [File] C:\Windows\system32\drivers\healusb.sys



~~~ Folders



~~~ Chrome


[C:\Users\Trevor\appdata\local\Google\Chrome\User Data\Default\Preferences] - default search provider reset

[C:\Users\Trevor\appdata\local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:

[C:\Users\Trevor\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset

[C:\Users\Trevor\appdata\local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 06/15/2015 at 17:46:39.51
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

HitmanPro:

 

HitmanPro 3.7.9.241
www.hitmanpro.com

   Computer name . . . . : TREVOR-PC
   Windows . . . . . . . : 6.1.1.7601.X64/4
   User name . . . . . . : Trevor-PC\Trevor
   UAC . . . . . . . . . : Enabled
   License . . . . . . . : Trial (31 days left)

   Scan date . . . . . . : 2015-06-15 17:48:55
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 3m 26s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 1
   Traces  . . . . . . . : 65

   Objects scanned . . . : 1,762,162
   Files scanned . . . . : 83,758
   Remnants scanned  . . : 469,638 files / 1,208,766 keys

Malware _____________________________________________________________________

   C:\Users\Trevor\AppData\Local\Temp\setup.exe -> Deleted
      Size . . . . . . . : 2,334,832 bytes
      Age  . . . . . . . : 1.2 days (2015-06-14 12:47:24)
      Entropy  . . . . . : 7.9
      SHA-256  . . . . . : 124793F8BA7EDAD26EC5DD03AF2E603AD1780A7C5F0A6EBB3DA07825C1BC4E55
      Product  . . . . . : Setup Factory Runtime
      Description  . . . : Setup Application
      Version  . . . . . : 9.0.3.0
      Copyright  . . . . : Setup Engine Copyright © 2004-2011 Indigo Rose Corporation
      RSA Key Size . . . : 1024
      LanguageID . . . . : 1033
      Authenticode . . . : Self-signed
    > Bitdefender  . . . : Trojan.Agent.BKKM
    > Kaspersky  . . . . : Trojan-Banker.Win32.Banbra.tfji
      Fuzzy  . . . . . . : 106.0
      Forensic Cluster
         -7.0s C:\ProgramData\Qualcomm\Icons\d488cd0d5d7d8444abda5f837f763ab2.png
         -6.7s C:\Users\Trevor\Desktop\Shortcuts\Core Temp.lnk
         -6.4s C:\ProgramData\Qualcomm\Icons\a636b433c8679d07620084a23393547e.png
         -5.6s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\History\Results\Resource\{B8F38C0C-35FB-4F99-838A-660CFD6EDF60}
         -5.3s C:\ProgramData\Qualcomm\Icons\9fedf068340c7f9d189d193d089dced2.png
         -4.8s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\2\62\A30FBFBAA17F01B2.dat
         -4.2s C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IZS3E9N5\ea69beaa0edd5e46889a239d3a454e25[1].htm
         -3.4s C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FDTHHAAB\ajax-bidl[1].htm
         -3.2s C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F1LCJXPE\tokyo_sprite_full[1].png
         -2.6s C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IZS3E9N5\setup[1].exe
          0.0s C:\Users\Trevor\AppData\Local\Temp\setup.exe
          1.1s C:\ProgramData\Qualcomm\Icons\2db1ea2e86e12095b140402d8a8c9df6.png
          1.5s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\1\63\506EB67B9525A967.dat
          1.5s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\1\77\6BC21561F626E3ED.dat
          2.3s C:\ProgramData\Qualcomm\Icons\cc8bcb1a0e1cea1b87fecea4419823f2.png
          2.3s C:\ProgramData\Qualcomm\Icons\2bfcb9707f9d6a705ad8fa3fa0510597.png
          2.3s C:\Windows\PolicyDefinitions\chrome.admx
          2.3s C:\Windows\PolicyDefinitions\en-US\chrome.adml
          2.3s C:\Windows\System32\GroupPolicy\Machine\
          2.3s C:\Windows\System32\GroupPolicy\Machine\Registry.pol
          2.3s C:\Windows\System32\GroupPolicy\Machine\comment.cmtx
          2.3s C:\Windows\System32\GroupPolicy\User\
          2.3s C:\Windows\System32\GroupPolicy\User\comment.cmtx
          2.4s C:\Windows\System32\GroupPolicy\User\Registry.pol
          2.4s C:\Windows\System32\GroupPolicy\gpt.ini
          2.4s C:\Windows\initcvtr.bat
          2.4s C:\Windows\mstdcvtr.bat
          2.4s C:\Windows\soxe
          2.4s C:\Windows\plofgye
          2.7s C:\ProgramData\Qualcomm\Icons\d806ec3492be16e01c5c30591d315fbf.png
          3.8s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\2\58\D7704DED6E4BC8B6.dat
          8.5s C:\Windows\FiddlerCore4.dll
          8.5s C:\Windows\wnavga.exe
          8.5s C:\Windows\cfsvc.exe
          8.5s C:\Windows\System32\cygwin.sys
          8.5s C:\Windows\zlib.dll
          8.5s C:\Windows\cygavb.exe
          8.5s C:\Windows\System32\ysxja.exe
          9.2s C:\Windows\default.cfg
          9.2s C:\Windows\Lists\
          9.2s C:\Windows\Lists\AllowCookies.txt
          9.2s C:\Windows\Lists\Bypass List.txt
          9.2s C:\Windows\Lists\Keyword list.txt
          9.2s C:\Windows\Lists\Kill Images.txt
          9.2s C:\Windows\Lists\MIME Fix List.txt
          9.2s C:\Windows\Lists\URL Alias List.txt
          9.2s C:\Windows\Lists\URL Killfile.txt
          9.4s C:\ProgramData\Qualcomm\Icons\5fd09a14e33f137e66bb8d868be4538f.png
         10.0s C:\ProgramData\Qualcomm\Icons\fa1a846fec5765639bff4a37e7cac115.png
         10.1s C:\Windows\memupdate.exe
         10.1s C:\Windows\wuappl.exe
         10.2s C:\ProgramData\ntuser.pol
         10.2s C:\Users\Trevor\ntuser.pol
         10.2s C:\ProgramData\Qualcomm\Icons\b33f27aa6aa98c871cb5fabb4e29d7ef.png
         10.8s C:\Users\Trevor\AppData\Roaming\Microsoft\Windows\Cookies\QIKJ399U.txt
         11.2s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\2\63\506EB67B9525A967.dat
         11.2s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\2\47\47877676906AEF1F.dat
         13.9s C:\ProgramData\Qualcomm\Icons\00b5f339213df7d64634dc1f68ff4fcc.png
         14.0s C:\Users\Trevor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F1LCJXPE\wpad[1].dat
         17.7s C:\ProgramData\Qualcomm\Icons\c077eebb16c750a37a88445119226df6.png
         18.6s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\2\87\8CA2E7DCF516331F.dat
         18.9s C:\ProgramData\Qualcomm\Icons\1455e8818d63ae9e012be57ff83309eb.png
         19.6s C:\ProgramData\Microsoft\Microsoft Antimalware\Scans\MetaStore\2\18\39F3A55A2E132682.dat
         20.0s C:\Users\Trevor\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
         20.0s C:\Users\Trevor\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_BC00434159DAE8351451CCE9C748F5D7
         21.1s C:\Users\Trevor\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_79511D0A9DDCBC45920E2A295902B273
         21.1s C:\Users\Trevor\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D2B5168CDD0EBF4C0C8EA1C3A1FAE07F_79511D0A9DDCBC45920E2A295902B273


Suspicious files ____________________________________________________________

   C:\Users\Trevor\AppData\Local\Temp\~A7E.tmp
      Size . . . . . . . : 155,232 bytes
      Age  . . . . . . . : 60.9 days (2015-04-15 20:22:45)
      Entropy  . . . . . : 6.0
      SHA-256  . . . . . : 7B717FEA39CE416BDB5E30E6DE01053F6EA10912DD6DF3884838082711CCBA8A
      RSA Key Size . . . : 1024
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 35.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The hidden file attribute bit is set. This is not common to most programs.
         The file name extension of this program is not common.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.


Cookies _____________________________________________________________________




#7 JohnC_21


Posted 16 June 2015 - 08:06 AM

I know this is kind of obvious but is there a Dealz item in the Add/Remove section of Control Panel?

 

Download and run AutoRuns and look for any suspicious startup items. Only check the item first to disable it. Then once you know that item was the problem go ahead and delete it.

 

If you cannot find anything in autoruns I would recommend you start a new thread in the Virus Removal Section then post the link to the thread here. See the sticky section of the Forum and post the appropriate logs.



#8 AlexanderZero


Posted 16 June 2015 - 06:58 PM

I didn't find anything suspicious. There was originally a Dealz item in the add/remove section of the control panel but I removed that a long time ago.

 

Anyways, I'll make a thread in the virus removal forum shortly.
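
The AdwCleaner log in post #3 shows Chrome `ExtensionInstallForcelist` policy values being deleted, and the HitmanPro forensic cluster in post #6 lists `C:\Windows\System32\GroupPolicy\Machine\Registry.pol` among the files written seconds after `setup.exe`. Local Group Policy keeps registry-based policy in that file, so the following added example (not from the thread or from any tool named in it) reads a Registry.pol image offline and reports which extensions it would force-install. The sample bytes, the placeholder extension ID and the `Software\Policies\Example` key are constructed.

```python
import struct

PREG_HEADER = b"PReg" + struct.pack("<I", 1)   # file signature + format version 1
REG_SZ, REG_DWORD = 1, 4
FORCELIST_KEY = r"Software\Policies\Google\Chrome\ExtensionInstallForcelist"

def _w(text):
    return text.encode("utf-16-le")

def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if buf[pos:pos + 2] != _w(ch):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2

def _wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        if end + 2 > len(buf):
            raise ValueError("unterminated string")
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def _dword(buf, pos):
    if pos + 4 > len(buf):
        raise ValueError("truncated DWORD")
    return struct.unpack_from("<I", buf, pos)[0], pos + 4

def parse_registry_pol(buf):
    """Return [(key, value_name, reg_type, data_bytes)] from a Registry.pol image."""
    if buf[:8] != PREG_HEADER:
        raise ValueError("missing PReg header")
    pos, entries = 8, []
    while pos < len(buf):
        # Record layout: [key;value;type;size;data] with UTF-16LE delimiters.
        key, pos = _wstr(buf, _expect(buf, pos, "["))
        name, pos = _wstr(buf, _expect(buf, pos, ";"))
        rtype, pos = _dword(buf, _expect(buf, pos, ";"))
        size, pos = _dword(buf, _expect(buf, pos, ";"))
        pos = _expect(buf, pos, ";")
        if pos + size > len(buf):
            raise ValueError("truncated data")
        # Length-driven read: the data itself may contain bytes that look like "]".
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append((key, name, rtype, data))
    return entries

def forced_extensions(entries):
    """Pick out Chrome force-install values as (slot, extension id, update URL)."""
    hits = []
    for key, name, rtype, data in entries:
        if key.lower() != FORCELIST_KEY.lower() or rtype != REG_SZ or name.startswith("**"):
            continue   # "**del..." value names are deletion directives, not settings
        ext_id, _, url = data.decode("utf-16-le").rstrip("\x00").partition(";")
        hits.append((name, ext_id, url))
    return hits

def _record(key, name, rtype, data):
    return (_w("[") + _w(key + "\x00") + _w(";") + _w(name + "\x00") + _w(";")
            + struct.pack("<I", rtype) + _w(";") + struct.pack("<I", len(data))
            + _w(";") + data + _w("]"))

# Constructed sample, not taken from the thread: a placeholder extension ID and
# a made-up DWORD policy whose value 0x5D encodes exactly like the "]" delimiter.
PLACEHOLDER_ID = "abcdefghijklmnopabcdefghijklmnop"
UPDATE_URL = "https://clients2.google.com/service/update2/crx"
SAMPLE_POL = (PREG_HEADER
              + _record(FORCELIST_KEY, "1", REG_SZ, _w(f"{PLACEHOLDER_ID};{UPDATE_URL}\x00"))
              + _record(r"Software\Policies\Example", "ConstructedSetting", REG_DWORD,
                        struct.pack("<I", 0x5D)))

if __name__ == "__main__":
    for slot, ext_id, url in forced_extensions(parse_registry_pol(SAMPLE_POL)):
        print(f"force-installed by policy: slot {slot}, id {ext_id}, source {url}")
```

Keys in `Machine\Registry.pol` are relative to HKLM, which matches the `HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist` values in the AdwCleaner log; whether that file was the source of the reinstall on this machine is not established in the thread.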





