help

This topic is locked
19 replies to this topic

#1 Capnsparrow23

Posted 23 June 2016 - 10:10 PM

Chrome keeps redirecting me to PC Keeper, Vira Cure and other janky AV pages when I try to log in to Livefyre, here, and Imgur. I have run MBAM (all of their tools), RKill and HitmanPro, and Windows Repair from tweaking dot com. I give up now and ask for help with this damned problem.




#2 Capnsparrow23 (Topic Starter)

Posted 25 June 2016 - 02:51 AM

I am sorry, I forgot to paste the FRST logs. Here they are.

Attached Files



#3 satchfan (Malware Response Team, Devon, UK)

Posted 25 June 2016 - 08:58 AM

Hello Capnsparrow23 and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please follow these instructions in the order given.

===================================================

Uninstall programs

Please uninstall this program:

Hola™ 1.14.222 - Better Internet

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Download zoek.exe to your Desktop:

Important: Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications here.

  • on Windows Vista, 7/8/10, right-click Zoek.exe and select: Run as Administrator
  • give it a few seconds to appear
  • copy/paste the entire script inside the codebox below into the input field of Zoek:
    createsrpoint;
    autoclean;
    emptyclsid;
    emptyffcache;
    FFdefaults;
    emptyiecache;
    iedefaults;
    emptychrcache;
    CHRdefaults;
    emptyalltemp;
    emptyfolderscheck;delete
    ipconfig /flushdns;b
    
  • close any open programs.
  • click the Run script button, and wait. It takes a few minutes to run.
  • when the tool finishes, the zoek-results.log is opened in Notepad: the log can also be found on the systemdrive, normally C:\
  • if a reboot is needed, the log will be opened after the reboot.

Logs to include with next post:

AdwCleaner log
JRT.txt
zoek-results.log


Thanks

Satchfan


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#4 Capnsparrow23 (Topic Starter)

Posted 25 June 2016 - 10:34 AM

Hi Satchfan, and thank you for the faster than expected response. I am beginning the steps now.



#5 satchfan (Malware Response Team)

Posted 25 June 2016 - 10:44 AM

:thumbup2:

 

I'm off out now to watch football, (Wales vs N. Ireland), so won't reply until later.




#6 Capnsparrow23 (Topic Starter)

Posted 25 June 2016 - 12:03 PM

Have fun at the game and I hope whichever team you like wins. Here are the files you asked for. I'll check back later. Hola is a program I use daily; is there a better alternative? I know people that use Zenmaster but I don't seem to be able to make it work for me.

Attached Files



#7 satchfan (Malware Response Team)

Posted 25 June 2016 - 02:57 PM

Have fun at the game and I hope whichever team you like wins.

Hm - wasn't really the result I wanted but not too bothered.

 

 

The scans cleared up some things but there are still some issues.

Chrome is a total nuisance and we have countless problems with it. I think that uninstalling the wretched program may be the best answer. You cannot remove some Chrome problems except with an uninstall/re-install of Chrome, (even though Google have been aware of this since 2008 and haven't bothered to do anything about it).

Uninstall/Reinstall Google Chrome

First save all your bookmarks/favourites.

  • open Chrome, click on the 3 bars in the top right hand corner, select Bookmarks and then Bookmarks Manager
  • click on Organise and then select Export Bookmarks to HTML file, then choose Desktop to save it
  • again, click on the three bars in the top right hand corner and select Settings
  • in the list of Settings under “Sign in” click on Disconnect your Google Account – (if “Disconnect your Google Account” is not there, you will have to sign in using your Chrome username and password first to make it visible)
  • in the text of the next window click on “Google Dashboard” then, at the “Chrome sync” screen, click on Stop and Clear at the bottom
  • a box will open and ask for confirmation, click on OK (wait for this to complete before doing the next step)
  • when confirmation appears close that page and then click on Disconnect account
  • shut Google Chrome, click on Start > Control Panel > Programs and Features (or Add/Remove Programs in XP) and uninstall Google Chrome. Select Everything for removal if asked.

Reboot the system and then reinstall Google Chrome from here

Repeat the process to reinstate your bookmarks by going to Bookmarks > Bookmarks Manager > Organise and select Import Bookmarks.

================================================
 

Please run FRST again and make sure there is a checkmark next to "Addition.txt" before you hit “Scan”.

Logs to include with next post:

New Frst.txt
New Addition.txt


Thanks

Satchfan




#8 Capnsparrow23 (Topic Starter)

Posted 25 June 2016 - 04:23 PM

Thank you for all of your help. I followed the steps and here are the new log files. Once again, thank you for all of your help; everything is working fine now and I will check back for your reply.

Attached Files



#9 satchfan (Malware Response Team)

Posted 25 June 2016 - 05:41 PM

You're welcome for the help.

 

Can you tell me if you have set these Firefox settings:

FF NetworkProxy: "backup.ftp", "67.230.175.155:35526"
FF NetworkProxy: "backup.ftp_port", 35526

I may not answer tonight as it's 20 minutes to midnight here and I have an early start tomorrow but will be in touch as soon as I can.



#10 Capnsparrow23 (Topic Starter)

Posted 25 June 2016 - 05:48 PM

No, I did not do anything with Firefox.



#11 satchfan (Malware Response Team)

Posted 25 June 2016 - 05:55 PM

OK thanks.

 

I'll be in touch tomorrow, (GMT).




#12 satchfan (Malware Response Team)

Posted 26 June 2016 - 06:47 AM

P2P - I see you have P2P software (uTorrent) installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection. It almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

===================================================

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
ShellIconOverlayIdentifiers: [DropboxExt1] -> {FB314ED9-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt2] -> {FB314EDA-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt3] -> {FB314EDB-A251-47B7-93E1-CDD82E34AF8B} =>  No File
ShellIconOverlayIdentifiers: [DropboxExt4] -> {FB314EDC-A251-47B7-93E1-CDD82E34AF8B} =>  No File
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-1352237013-1058860411-868824196-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKLM-x32 -> DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1352237013-1058860411-868824196-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1352237013-1058860411-868824196-1001 -> {012E1000-F331-11DB-8314-0800200C9A66} URL = hxxp://www.google.com/search?q={searchTerms}
SearchScopes: HKU\S-1-5-21-1352237013-1058860411-868824196-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=LENDF8&pc=MALN&src=IE-SearchBox
FF NetworkProxy: "backup.ftp", "67.230.175.155:35526"
FF NetworkProxy: "backup.ftp_port", 35526
FF NetworkProxy: "backup.socks", ""
FF NetworkProxy: "backup.socks_port", 0
FF NetworkProxy: "backup.ssl", "67.230.175.155"
FF NetworkProxy: "backup.ssl_port", 35526
FF NetworkProxy: "ftp", "67.230.175.155"
FF NetworkProxy: "ftp_port", 35526
FF NetworkProxy: "http", "67.230.175.155"
FF NetworkProxy: "http_port", 35526
FF NetworkProxy: "share_proxy_settings", true
FF NetworkProxy: "socks", "67.230.175.155"
FF NetworkProxy: "socks_port", 35526
FF NetworkProxy: "ssl", "67.230.175.155"
FF NetworkProxy: "ssl_port", 35526
FF NetworkProxy: "type", 0
FF Plugin HKU\.DEFAULT: @hola.org/FlashPlayer -> C:\Users\loree lazier\AppData\Local\Hola\firefox_hola\app\flash\NPSWF32_18_0_0_232.dll [No File]
FF Plugin HKU\.DEFAULT: @hola.org/vlc -> C:\Users\loree lazier\AppData\Local\Hola\firefox_hola\app\vlc\npvlc.dll [No File]
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\loree lazier\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-1352237013-1058860411-868824196-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\loree lazier\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll => No File
Task: {000D9892-E55F-4A55-9253-520C066E630A} - \AmiUpdXp -> No File <==== ATTENTION
Task: {27A5A9D2-65B7-4F27-AB6D-7488FD0616DF} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {30687E5E-3E3E-4B1E-9578-7FB0BFDCEA6E} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {3D5FC12D-29E1-4AE0-A0A5-4230AFB20411} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {5514586C-7EEC-490B-B7E9-A408EF411B3E} - System32\Tasks\Isebp => C:\PROGRA~1\ATUPNI~1\Thluf.bat <==== ATTENTION
Task: {59748D68-D371-4DFB-B350-4E962AD6FB33} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {60C6C3AB-AE6E-4242-833F-82EF25B970A5} - \CCleanerSkipUAC -> No File <==== ATTENTION
Task: {D0C33096-B02A-4D74-B3B0-C59D80AF6C9F} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {FD3A6799-1329-4C9B-B745-3890D0102139} - \Microsoft\Windows\Setup\GWXTriggers\Time-3xd -> No File <==== ATTENTION
IE trusted site: HKU\S-1-5-21-1352237013-1058860411-868824196-1001\...\hola.org -> hxxp://hola.org
FirewallRules: [{AD2828AC-D55C-45A2-AFE9-CF9D552C912D}] => (Allow) C:\Program Files\Hola\app\hola_svc.exe
FirewallRules: [{39ACCA4F-6BB2-4BE6-AAA1-01DE7A4A1AA5}] => (Allow) C:\Program Files\Hola\app\hola_svc.exe
C:\PROGRA~1\ATUPNI~1\Thluf.bat
C:\Program Files\Hola\app\hola_svc.exe
C:\Program Files\Hola\app\hola_svc.exe
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

===================================================

Let’s run an online scan to be sure nothing is left and if that’s clear I’ll send instructions to tidy up.

Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT: Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files, which could leave some of your software inoperable.

Note: You can use Internet Explorer, FireFox or Chrome for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

  • click the Run Eset online Scanner button
  • for alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    o click on esetinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    o double click on the Eset installer icon on your desktop
  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:
    o scan archives
    o scan for potentially unsafe applications
    o enable Anti-Stealth technology
    Note: Do not check Remove found threats
  • ESET will then download updates, install itself, and begin scanning your computer, (please be patient as this can take some time)
  • when the scan completes, push List of found threats
  • when the scan is done, click List threats (only available if ESET Online Scanner found something)
  • click Export, then save the file to your desktop
  • click Back, then Finish to exit ESET Online Scanner.

Don't forget to re-enable your antivirus when finished!

Logs to include with next post:

Fixlog.txt
Eset result


Thanks

Satchfan

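How a responder can triage the proxy and scheduled-task lines in the fixlist above before deciding what to remove: the script below is an added example for this thread, not code from the thread or from the FRST tool. It assumes the "FF NetworkProxy:" and "Task:" line shapes exactly as posted, and Firefox's documented network.proxy.type values (0 = no proxy, 1 = manual proxy). The sample lines are copied from this post's fixlist and from the proxy question in post #9; the 67.230.175.155:35526 endpoint is the one the thread asked the user about.

```python
"""Triage FRST-style scan lines for the two mechanisms seen in this thread:
Firefox proxy preferences pointing at an unexpected host, and scheduled
tasks that are orphaned or launch a script.

Added example for this thread; it is not the FRST tool's own code. Assumes
FRST's "FF NetworkProxy:" and "Task:" line shapes as posted, and Firefox's
documented network.proxy.type values (0 = no proxy, 1 = manual).
"""
import re

PROXY_RE = re.compile(r'^FF NetworkProxy:\s+"(?P<key>[^"]+)",\s*(?P<value>.*?)\s*$')
TASK_RE = re.compile(
    r'^Task:\s+\{(?P<guid>[0-9A-Fa-f-]+)\}\s+-\s+(?P<body>.*?)(?:\s+<====\s+ATTENTION)?\s*$'
)

# Firefox network.proxy.type: 0 = none, 1 = manual, 2 = PAC, 4 = auto-detect, 5 = system.
MANUAL_PROXY = 1
PROXY_HOST_KEYS = ("http", "ssl", "socks", "ftp")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")

# Sample input: lines copied from the fixlist posted in this thread.
SAMPLE_LINES = [
    r'FF NetworkProxy: "backup.ftp", "67.230.175.155:35526"',
    r'FF NetworkProxy: "http", "67.230.175.155"',
    r'FF NetworkProxy: "http_port", 35526',
    r'FF NetworkProxy: "share_proxy_settings", true',
    r'FF NetworkProxy: "socks", "67.230.175.155"',
    r'FF NetworkProxy: "socks_port", 35526',
    r'FF NetworkProxy: "ssl", "67.230.175.155"',
    r'FF NetworkProxy: "ssl_port", 35526',
    r'FF NetworkProxy: "type", 0',
    r'Task: {000D9892-E55F-4A55-9253-520C066E630A} - \AmiUpdXp -> No File <==== ATTENTION',
    r'Task: {5514586C-7EEC-490B-B7E9-A408EF411B3E} - System32\Tasks\Isebp => C:\PROGRA~1\ATUPNI~1\Thluf.bat <==== ATTENTION',
    r'Task: {60C6C3AB-AE6E-4242-833F-82EF25B970A5} - \CCleanerSkipUAC -> No File <==== ATTENTION',
]


def _coerce(raw):
    """Turn the raw right-hand side ('"host"', 35526, true) into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if raw in ("true", "false"):
        return raw == "true"
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_frst(lines):
    """Return (proxy_prefs, tasks) from FRST-style lines; other line types are ignored."""
    proxy, tasks = {}, []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            proxy[m["key"]] = _coerce(m["value"])
            continue
        m = TASK_RE.match(line)
        if m:
            body = m["body"]
            target = body.split(" => ", 1)[1].strip() if " => " in body else None
            tasks.append({
                "guid": m["guid"],
                "body": body,
                "target": target,
                "orphan": body.endswith("-> No File"),   # FRST marks a missing task target this way
                "flagged": "<==== ATTENTION" in line,
            })
    return proxy, tasks


def _task_reason(task):
    """Severity and explanation for one parsed task, or (None, None) if unremarkable."""
    if task["orphan"]:
        return "low", "task points at a file that no longer exists (leftover, safe to remove)"
    target = (task["target"] or "").lower()
    if target.endswith(SCRIPT_EXTS):
        return "high", "task launches a script file: " + task["target"]
    if "~" in target:
        return "medium", "task target uses an 8.3 short path, unusual for installed software: " + task["target"]
    return None, None


def analyse(lines):
    """Return a list of findings; each is a dict with kind, severity and detail."""
    proxy, tasks = parse_frst(lines)
    findings = []
    hosts = {k: proxy[k] for k in PROXY_HOST_KEYS if proxy.get(k)}
    if hosts:
        active = proxy.get("type") == MANUAL_PROXY
        endpoints = sorted({f"{host}:{proxy.get(key + '_port', '?')}" for key, host in hosts.items()})
        findings.append({
            "kind": "firefox_proxy",
            "severity": "high" if active else "medium",
            "endpoints": endpoints,
            "detail": ("manual proxy is ACTIVE, all Firefox traffic goes through "
                       if active else
                       "manual proxy configured but inactive (type 0); takes effect if re-enabled: ")
                      + ", ".join(endpoints),
        })
    for task in tasks:
        severity, reason = _task_reason(task)
        if severity:
            findings.append({"kind": "task", "severity": severity, "guid": task["guid"], "detail": reason})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LINES):
        print(f"[{f['severity']}] {f['kind']}: {f['detail']}")
```

On the lines posted in this thread the proxy entry comes out as medium rather than high because network.proxy.type is 0: the host and port were written into every proxy slot but the manual-proxy mode was not switched on, which is why the user never noticed Firefox traffic being diverted. The entries are still worth clearing, as the fixlist does, since a single preference change would activate them. The Isebp task stands out for a different reason: a scheduled task whose action is a .bat file under an 8.3 short-name directory is not how installed software normally registers itself.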


#13 Capnsparrow23 (Topic Starter)

Posted 26 June 2016 - 01:13 PM

Hi satchfan, I ran the FRST and then the ESET, but the ESET window went to just the banner ad. However, Task Manager shows activity in the CPU, memory and the disk, so it must just take forever; it's still running. Here's the logfix file anyway. As soon as it's done I will send you its txt files. It did show 2 threats when it was working, so I believe I will get a file.

Attached Files



#14 satchfan (Malware Response Team)

Posted 26 June 2016 - 02:49 PM

You were warned in the instructions that it could take time.

 

It may be tomorrow before I get back as I have family here and they are my priority tonight, (8:45 GMT).

 

Will be in touch as soon as I can. :guitar:


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#15 Capnsparrow23 (Topic Starter)

Posted 26 June 2016 - 03:37 PM

Just so ya know, Windows has shut it down twice now; it won't run on this machine. I will uninstall it and try again. Have fun with your family, that's way more important than this stuff is anyway.
