My Computer is Infected Esurf.biz


5 replies to this topic

#1 cartotech81

Posted 08 November 2015 - 04:54 PM

Hello all,

 

I have a Dell laptop running Windows 7 Enterprise 64-bit. When I open up Firefox it automatically takes me to esurf.biz. I have disabled all add-ins, set my homepage to google.com and reset all settings in Firefox, and it still pops up with esurf.biz.

 

When I open up IE I used to get a popup that appeared immediately, but now IE starts with esurf.biz and immediately changes to startnewtab.com.

 

I have run RKill, Malwarebytes, SUPERAntiSpyware and AdwCleaner and am still getting the same results.

 

Please let me know what to do and I will respond quickly with results.



#2 buddy215

Posted 08 November 2015 - 05:36 PM

Give Emsisoft a shot at removing the adware. Check the log for AdwCleaner to see if it cleaned up the browser shortcuts. If not, delete all of the browser shortcuts on the desktop, task bar and start menu, and recreate a shortcut for each browser.

 

Download Emsisoft Emergency Kit and save it to your desktop. Double-click on EmsisoftEmergencyKit.exe to extract its contents and create a shortcut on the desktop. Leave all settings as they are and click Accept & Extract. A folder named EEK will be created in the root of the drive (usually C:\).

  • After extraction an Emsisoft Emergency Kit window will open. Under "Run Directly:" click Emergency Kit Scanner.
  • When asked to run an online update, click Yes.
  • When the update is finished, click the Back to Security Status link in the left corner. On the main screen click the Scan Now button.
  • Select the Full Scan option and click the SCAN button.
  • When the scan is finished click the Quarantine selected objects button. Note, this option is only available if malicious objects were detected during the scan.
  • Click the View Report button and in the Reports window double-click on the most recent log. Note, logs are named as follows: a2scan_<date>-<time>.txt.
  • Copy/paste the report contents in your next reply.
  • Download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

 

Use CCleaner to remove temporary files, program caches, cookies, logs, etc. Use the default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Post the three lists mentioned below using CCleaner.

 

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and, at the top, tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.

 

Open CCleaner and click on Tools. Choose Uninstall. On that page you will see a list of programs installed on your computer, and at the bottom right of that page you will see a button which, when clicked, will allow you to Copy and Paste that list in your next post. Please do that.


Edited by buddy215, 08 November 2015 - 05:37 PM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 cartotech81 (Topic Starter)

Posted 08 November 2015 - 10:06 PM

Sorry for the delay; EEK took a while to run. Below are my scans.

 

Emsisoft Emergency Kit - Version 10.0
Last update: 11/8/2015 7:28:21 PM
User account: CEHPNBCQB6Z12\amy
 
Scan settings:
 
Scan type: Custom Scan
Objects: Rootkits, Memory, Traces, C:\
 
Detect PUPs: On
Scan archives: On
ADS Scan: On
File extension filter: Off
Advanced caching: On
Direct disk access: On
 
Scan start: 11/8/2015 7:29:12 PM
Key: HKEY_USERS\S-1-5-21-1701613839-3881220779-1082123500-1000\SOFTWARE\CLASSES\INTERFACE\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326} detected: Application.Toolbar (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NORUN detected: Setting.NoRun (A)
Value: HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER -> NOFOLDEROPTIONS detected: Setting.NoFolderOptions (A)
C:\Users\amy\Desktop\pht0ShopCC1522Win32\Crack\adobe.snr.patch-painter\adobe.snr.patch-painter.exe detected: Riskware.Win32.CrackTool (A)
C:\Users\amy\Desktop\pht0ShopCC1522Win32\pht0ShopCC1522Win32\Crack\adobe.snr.patch-painter\adobe.snr.patch-painter.exe detected: Riskware.Win32.CrackTool (A)
C:\Users\amy\Downloads\ADOBE_CC_V2014_KEYGEN_WIN_MACOSX-XFORCE.rar -> ADOBE_CC_V2014_KEYGEN_WIN_MACOSX-XFORCE\xacc2014.zip -> xfacc2014.rar -> Crack-OSX\xf-accm2014.dmg detected: Application.MAC.OSX.Keygen.G (B)
C:\Windows\AGMSupport\EnPasFltV2\Source\Installer.exe detected: Gen:Variant.Kazy.276109 (B)
 
Scanned 537859
Found 9
 
Scan end: 11/8/2015 8:41:54 PM
Scan time: 1:12:42
 
JRT
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 7.6.4 (09.28.2015:1)
OS: Windows 7 Enterprise x64
Ran by amy on Sun 11/08/2015 at 20:46:18.79
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
~~~ Services
 
 
 
~~~ Tasks
 
 
 
~~~ Registry Values
 
 
 
~~~ Registry Keys
 
 
 
~~~ Files
 
 
 
~~~ Folders
 
 
 
~~~ Chrome
 
 
[C:\Users\amy\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - default search provider reset
 
[C:\Users\amy\Appdata\Local\Google\Chrome\User Data\Default\Preferences] - Extensions Deleted:
 
[C:\Users\amy\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - default search provider reset
 
[C:\Users\amy\Appdata\Local\Google\Chrome\User Data\Default\Secure Preferences] - Extensions Deleted:
[]
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 11/08/2015 at 20:50:11.55
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
CCleaner Startup
Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run Spotify Spotify Ltd "C:\Users\amy\AppData\Roaming\Spotify\Spotify.exe" -autostart -minimized
Yes HKCU:Run Spotify Web Helper Spotify Ltd "C:\Users\amy\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
Yes HKCU:Run Steam Valve Corporation "C:\Program Files (x86)\Steam\steam.exe" -silent
Yes HKCU:Run SUPERAntiSpyware SUPERAntiSpyware C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
Yes HKLM:Run Acrobat Assistant 8.0 Adobe Systems Inc. "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run Adobe Creative Cloud Adobe Systems Incorporated "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
Yes HKLM:Run AdobeAAMUpdater-1.0 Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
Yes HKLM:Run Apoint Alps Electric Co., Ltd. C:\Program Files\DellTPad\Apoint.exe
Yes HKLM:Run AWiCDiag Qualcomm Atheros Inc. "C:\Program Files (x86)\Dell\Dell Unified Wireless Suite\ihvs\AWiCDiag.exe"
Yes HKLM:Run AWiCMgr Qualcomm Atheros Inc. "C:\Program Files (x86)\Dell\Dell Unified Wireless Suite\AWiC\AWiCMgr.exe"
Yes HKLM:Run HotKeysCmds Intel Corporation C:\windows\system32\hkcmd.exe
Yes HKLM:Run IgfxTray Intel Corporation C:\windows\system32\igfxtray.exe
Yes HKLM:Run McAfeeUpdaterUI McAfee, Inc. "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
Yes HKLM:Run Persistence Intel Corporation C:\windows\system32\igfxpers.exe
Yes HKLM:Run RtHDVBg Realtek Semiconductor C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /MAXX4P1 
Yes HKLM:Run RtHDVBg_PushButton Realtek Semiconductor C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe /IM
Yes HKLM:Run RtHDVCpl Realtek Semiconductor C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe /s
Yes HKLM:Run ShStatEXE McAfee, Inc. "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
Yes HKLM:Run SunJavaUpdateSched Oracle Corporation "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Yes HKLM:Run WavesSvc Waves Audio Ltd. C:\Program Files\Realtek\Audio\HDA\WavesSvc64.exe
Yes HKLM:Run wcct Qualcomm Atheros Inc. "C:\Program Files (x86)\Dell\Dell Unified Wireless Suite\wcct.exe" quiet
Yes Startup User Adobe Universal Patcher (Latest CC 2014) is Here !!!.lnk C:\ProgramData\{b2be61f8-3536-29a8-b2be-e61f835387e0}\Adobe Universal Patcher (Latest CC 2014) is Here !!!.exe
 
CCLEANER INSTALL
 
7-Zip 9.20 2/7/2015
7-Zip 9.38 (x64 edition) Igor Pavlov 2/25/2015 4.66 MB 9.38.00.0
Adobe Acrobat XI Pro Adobe Systems 11/2/2015 2.26 GB 11.0.07
Adobe Creative Cloud Adobe Systems Incorporated 10/28/2015 337 MB 3.3.0.151
Adobe Flash Player 19 ActiveX Adobe Systems Incorporated 10/24/2015 3.43 MB 19.0.0.226
Adobe Flash Player 19 NPAPI Adobe Systems Incorporated 10/26/2015 3.81 MB 19.0.0.226
Adobe Reader X (10.1.5) MUI Adobe Systems Incorporated 9/18/2014 486 MB 10.1.5
Adobe Shockwave Player 11.6 Adobe Systems, Inc. 9/18/2014 11.6.8.638
ArcGIS Desktop 10 Environmental Systems Research Institute, Inc. 10/14/2015 10.0.2414
ArcGIS Editor for OpenStreetMap ESRI 10/15/2015 71.2 MB 2.0.95
ARK: Survival Evolved Studio Wildcard 10/30/2015
Besiege Spiderling Studios 10/30/2015
CCleaner Piriform 11/8/2015 5.11
Dell Touchpad ALPS ELECTRIC CO., LTD. 9/18/2014 8.1200.101.127
Dell Unified Wireless Suite 12/15/2014
Dell Unified Wireless Suite Dell 12/15/2014 1.00.0000
Dota 2 Valve 10/31/2015
FileZilla Client 3.14.0 Tim Kosse 9/21/2015 22.0 MB 3.14.0
GeoServer 2.8.0 10/16/2015
Google Chrome Google Inc. 3/20/2015 46.0.2490.80
Heroes of Might & Magic III - HD Edition DotEmu 10/4/2015
IBM Lotus Forms Viewer 3.5.1 IBM 11/2/2015 120 MB 7.6.1.333
Intel® Processor Graphics Intel Corporation 7/31/2014 9.18.10.3071
Java 8 Update 65 Oracle Corporation 11/5/2015 21.0 MB 8.0.650.17
Malwarebytes Anti-Malware version 2.2.0.1024 Malwarebytes 10/15/2015 66.0 MB 2.2.0.1024
McAfee Agent McAfee, Inc. 9/18/2014 21.3 MB 4.5.0.1810
McAfee VirusScan Enterprise McAfee, Inc. 9/18/2014 48.8 MB 8.8.02004
Microsoft .NET Framework 4.5.1 Microsoft Corporation 12/17/2014 38.8 MB 4.5.50938
Microsoft Office Professional Plus 2007 Microsoft Corporation 9/18/2014 12.0.6612.1000
Microsoft S/MIME Microsoft Corporation 8/8/2015 648 KB 14.3.123.2
Microsoft Silverlight Microsoft Corporation 1/14/2013 50.6 MB 5.1.10411.0
Microsoft SQL Server 2008 Native Client Microsoft Corporation 10/14/2015 6.10 MB 10.1.2531.0
Microsoft Visio Viewer 2010 Microsoft Corporation 9/18/2014 21.0 MB 14.0.6029.1000
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 Microsoft Corporation 12/15/2014 788 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 Microsoft Corporation 12/15/2014 594 KB 9.0.30729
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 Microsoft Corporation 2/25/2015 600 KB 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 Microsoft Corporation 10/30/2015 15.3 MB 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 Microsoft Corporation 10/30/2015 15.0 MB 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 Microsoft Corporation 10/26/2015 20.5 MB 11.0.61030.0
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030 Microsoft Corporation 10/26/2015 17.3 MB 11.0.61030.0
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 Microsoft Corporation 10/30/2015 20.5 MB 12.0.30501.0
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 Microsoft Corporation 10/30/2015 17.1 MB 12.0.30501.0
Might & Magic Heroes VII Limbic Entertainment 10/4/2015
Might & Magic: Heroes VI Blackhole 9/26/2015
Mozilla Firefox 41.0.2 (x86 en-US) Mozilla 10/25/2015 86.0 MB 41.0.2
Mozilla Maintenance Service Mozilla 10/25/2015 214 KB 41.0.2.5765
MSXML 4.0 SP3 Parser (KB2758694) Microsoft Corporation 1/15/2013 1.54 MB 4.30.2117.0
NETCOM Logoff Banner United States Army 9/18/2014 32.5 MB 1.1.0
NETCOM Logon Banner United States Army 2/19/2013 260 KB 1.0.2
QGIS Wien 2.8.1 Wien QGIS Development Team 10/15/2015
Realtek Audio COM Components Realtek Semiconductor Corp. 9/18/2014 599 KB 1.0.2
Realtek High Definition Audio Driver Realtek Semiconductor Corp. 9/18/2014 6.0.1.5956
Sid Meier's Civilization V 2K Games, Inc. 10/24/2015
Sid Meier's Civilization: Beyond Earth Firaxis Games 10/25/2015
Spotify Spotify AB 10/26/2015 1.0.16.104.g3b776c9e
Steam Valve Corporation 9/26/2015 2.10.91.91
SUPERAntiSpyware SUPERAntiSpyware.com 10/15/2015 55.6 MB 6.0.1206
The Elder Scrolls V: Skyrim Bethesda Game Studios 10/29/2015
The Evil Within Tango Gameworks 10/25/2015
TileMill 0.10.1 MapBox 10/16/2015 0.10.1
Ubisoft Game Launcher UBISOFT 9/27/2015 1.0.0.0
Ultimate Maps Downloader UMD 10/15/2015 51.0 MB 4.5.0
Uplay Ubisoft 9/27/2015 10.0
Ventrilo Client for Windows x64 Flagship Industries, Inc. 10/26/2015 6.66 MB 3.0.8.0
Ventrilo Server Flagship Industries, Inc. 10/26/2015 468 KB 3.0.3
VLC media player VideoLAN 10/30/2015 2.2.1
Wargame: AirLand Battle Eugen Systems 11/3/2015
 
 


#4 buddy215

Posted 09 November 2015 - 06:38 AM

Emsisoft's log doesn't show that you allowed it to delete/quarantine what it found. You will need to rerun it.

QUOTE: When the scan is finished click the Quarantine selected objects button.

 

What about the browser(s) shortcuts? Did you need to delete them after checking AdwCleaner's log? You can find the logfile at C:\AdwCleaner[S1].txt

 

The list of Scheduled Tasks is missing. Were there any Scheduled Tasks listed in CCleaner?



#5 buddy215

Posted 09 November 2015 - 06:54 AM

Disable these Windows Startups. Use CCleaner by clicking on each item and then choosing Disable on the right:

Yes HKCU:Run CCleaner Monitoring Piriform Ltd "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR
Yes HKCU:Run Spotify Spotify Ltd "C:\Users\amy\AppData\Roaming\Spotify\Spotify.exe" -autostart -minimized
Yes HKCU:Run Spotify Web Helper Spotify Ltd "C:\Users\amy\AppData\Roaming\Spotify\SpotifyWebHelper.exe"
Yes HKCU:Run Steam Valve Corporation "C:\Program Files (x86)\Steam\steam.exe" -silent
Yes HKLM:Run Acrobat Assistant 8.0 Adobe Systems Inc. "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
Yes HKLM:Run Adobe ARM Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Yes HKLM:Run Adobe Creative Cloud Adobe Systems Incorporated "C:\Program Files (x86)\Adobe\Adobe Creative Cloud\ACC\Creative Cloud.exe" --showwindow=false --onOSstartup=true
Yes HKLM:Run AdobeAAMUpdater-1.0 Adobe Systems Incorporated "C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"

Yes HKLM:Run IgfxTray Intel Corporation C:\windows\system32\igfxtray.exe

Yes HKLM:Run SunJavaUpdateSched Oracle Corporation "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"

Yes Startup User Adobe Universal Patcher (Latest CC 2014) is Here !!!.lnk C:\ProgramData\{b2be61f8-3536-29a8-b2be-e61f835387e0}\Adobe Universal Patcher (Latest CC 2014) is Here !!!.exe

 

Uninstall or Update these programs:

Adobe Reader X (10.1.5) MUI Adobe Systems Incorporated 9/18/2014 486 MB 10.1.5
Adobe Shockwave Player 11.6 Adobe Systems, Inc. 9/18/2014 11.6.8.638

Microsoft Silverlight Microsoft Corporation 1/14/2013 50.6 MB 5.1.10411.0

 

Is McAfee up to date, or have you stopped updating it and paying to use it? If it is not up to date then I suggest you uninstall it using McAfee Removal Tool - McAfee Uninstaller.


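The replies above ask for three things by hand: the lockout policy values Emsisoft flagged (DisableTaskMgr, DisableRegistryTools, NoRun, NoFolderOptions), the Run-key and Startup-folder autostarts that CCleaner's Startups tab lists, and browser shortcuts that AdwCleaner may have had to clean. The following read-only audit script is an added example, not code from the thread or from any of the tools named in it; it assumes PowerShell 3 or later and an elevated prompt, and the "suspect" path and name patterns are a heuristic chosen here, not a rule from the page.

```powershell
# Added example (not from the thread). Read-only: it reports and changes nothing.
# Assumes PowerShell 3+ and an elevated prompt so HKLM is fully readable.

$policyBase   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
$policyChecks = @(
    @{ Key = "$policyBase\System";   Name = 'DisableTaskMgr' },
    @{ Key = "$policyBase\System";   Name = 'DisableRegistryTools' },
    @{ Key = "$policyBase\Explorer"; Name = 'NoRun' },
    @{ Key = "$policyBase\Explorer"; Name = 'NoFolderOptions' }
)

"== Policy restrictions (non-zero value = user locked out, as in the Emsisoft log) =="
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($c in $policyChecks) {
        $path = "$hive\$($c.Key)"
        $item = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }            # value absent: nothing restricted
        $v     = $item.$($c.Name)
        $state = if ($v -ne 0) { 'RESTRICTED' } else { 'ok' }
        "{0}\{1} = {2}  [{3}]" -f $path, $c.Name, $v, $state
    }
}

# Heuristic (an assumption of this example): autostarts launched from a
# ProgramData\{GUID} folder or a Temp directory, or carrying patcher/crack/keygen
# in their name like the Startup entry in the CCleaner list, deserve a closer look.
$suspect = '\\ProgramData\\\{[0-9a-f-]{36}\}\\|\\Temp\\|patcher|crack|keygen'

"`n== Run-key autostarts (compare with the CCleaner Startups list) =="
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = (Get-ItemProperty -Path $k).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
    foreach ($p in $props) {
        $mark = if ($p.Value -match $suspect) { 'SUSPECT' } else { '' }
        "{0,-5} {1,-28} {2} {3}" -f $k.Split(':')[0], $p.Name, $p.Value, $mark
    }
}

"`n== Startup-folder items and shortcuts whose arguments carry a URL (shortcut hijack) =="
$shell = New-Object -ComObject WScript.Shell
$dirs  = 'Desktop', 'CommonDesktopDirectory', 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) }
Get-ChildItem -Path $dirs -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk       = $shell.CreateShortcut($_.FullName)
    $inStartup = $_.DirectoryName -like '*\Startup'
    # A browser shortcut should have no URL in its arguments; esurf.biz-style hijacks put one there.
    $mark = if ($lnk.Arguments -match 'https?://|\w+\.(biz|com|net)\b') { 'HIJACKED?' } else { '' }
    if ($inStartup -or $mark -or $lnk.TargetPath -match $suspect) {
        "{0}`n    target: {1}`n    args:   {2}  {3}" -f $_.FullName, $lnk.TargetPath, $lnk.Arguments, $mark
    }
}
```

Anything marked RESTRICTED, SUSPECT or HIJACKED? is a lead to verify, not a verdict; the thread's fix remained running the scanners and recreating the browser shortcuts.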

#6 cartotech81 (Topic Starter)

Posted 22 November 2015 - 08:39 PM

Sorry about the delay. Got busy with work and other things. I did everything that was suggested and the issue was fixed and the system is running smoothly.
