Rightcoupon, Popups in Firefox


  • This topic is locked
10 replies to this topic

#1 fusioninfo

  • Members
  • 4 posts

Posted 15 July 2016 - 09:42 AM

Hello, new Windows install here, and I managed to screw it up yesterday by opening something I shouldn't have.

 

OK, so Malwarebytes says it's clean, AdwCleaner finds nothing, and FRST doesn't seem to find much, but anyhow here are the logs. Not so sure what I can do from here, but this is well hidden.

 

Thanks for any help !

Attached Files




#2 Sirawit

    Bleepin' Brony

  • Malware Response Team
  • 4,158 posts
  • Gender:Male
  • Location:Thailand

Posted 18 July 2016 - 12:07 AM

Hello fusioninfo and welcome to BleepingComputer!     :)

 

My name is Sirawit and I'm here to help you.

 

If I don't reply after 3 days, feel free to PM me.    :)

==========================================================================

Some points for you to keep in mind:

  • Back up any files that cannot be replaced. Removing malware can be unpredictable, and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Do not attach logs or use code boxes, just copy and paste the text.
  • Periodically update me on the condition of your computer, and provide detail in every post.
  • In the upper right-hand corner of the topic, you will see the Follow topic button. Click on this, then choose Immediate E-Mail notification and then Proceed, and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 3 days I will bump the topic, if you didn't reply in next 3 days we assume it has been abandoned and I will close it.
  • Once things seem to be working again, please do not abandon the thread. I will give an "all-clean" message at the very end with some additional information on how to stay malware-free.
  • Lastly, I would like to remind you that most members here are volunteers, and sometimes "real life" can get in the way of our malware hunt. I will notify you if I know I will need to be away for longer than 48 hours.

==========================================================================

 

I'm currently reviewing your log and will reply back to the topic as soon as possible.

 

Thank you.


If I don't reply back to you in 2 days, feel free to send me a PM.

 

“You’re lying… just like you were lying to me before. You have to hate me. I’ve been the worst daughter in the world… you should hate me.”

“But I don’t, Nyx. Because, Nyx, I’m your mother, and a mother will always love her daughter, no matter what.” -Past sins by Pen stroke.


#3 Sirawit

  • Malware Response Team

Posted 18 July 2016 - 12:47 PM

Hi fusioninfo.

 

OK, first I need to clarify something to you:

------------------

 

Going over your logs I noticed that you have Vuze installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.

It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall Vuze; however, that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

--------------

 

Going over your logs, I saw that you have no firewall running. Please follow the instructions here to enable Windows firewall:

http://www.computerhope.com/issues/ch000551.htm

 

--------------

Now, please answer these questions for me:

 

Did this happen on your other devices or other browsers as well? Or just on Firefox on this machine?

 

Did you use these programs?

 

  • Cyber-D's DriveHide 1.02
  • Host Service
  • HPStocker
  • iTools 3
  • JDownloader 2
  • SABnzbd 1.0.3

 

---------------

 

By the way, since I can't read French, please rename FRST.exe to FRSTenglish.exe. Adding the word 'english' to the filename makes the log come out in English instead.

 

Thank you.




#4 fusioninfo

  • Topic Starter

Posted 19 July 2016 - 07:17 AM

Hi there. Thanks for the feedback.

 

Just Firefox on this machine. It seems my machine is also being used to spam; I get out-of-office replies in my inbox from addresses I never sent anything to.

 

Did you use these programs?

 

  • Cyber-D's DriveHide 1.02 YES
  • Host Service NO !
  • HPStocker NO !
  • iTools 3 YES
  • JDownloader 2 YES
  • SABnzbd 1.0.3 YES

Here are the English-locale logs, attached. Thanks!

 

Attached Files



#5 Sirawit

  • Malware Response Team

Posted 19 July 2016 - 12:40 PM

Hi fusioninfo.

 

OK. Please follow the instructions below:

 

We need to remove some programs with Revo Uninstaller Free:

Note: Revo Uninstaller is more thorough in deleting programs on your computer than using the Add/Remove option in Windows. Since it is a more powerful tool, please be sure to follow the instructions carefully.
Note: If the program you want to uninstall is not listed by Revo, let me know and we will try an alternate method of removal.

  • Please download and install Revo Uninstaller Free
    note: there is no need to click anything on that page, the download will start automatically
  • Double click Revo Uninstaller to run it
  • From the list of programs double click on the listed program(s), or anything similar, to remove it:
    Host Service
    HPStocker
  • When prompted if you want to uninstall click Yes
  • Be sure the Moderate option is selected then click Next
  • The program will run, If prompted again click Yes
  • When the built-in uninstaller is finished click on Next
  • Once the program has searched for leftovers click Next
  • Check the items in bold only on the list then click Delete
    note: you may have to expand some folders by clicking the "+" mark
  • When prompted click on Yes and then on Next
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then Next
  • Once done click Finish

===========================================================================

 

After the above step has been completed, please create new FRST log files for me.

 

Thank you.




#6 fusioninfo

  • Topic Starter

Posted 19 July 2016 - 12:47 PM

Hi there! Here are the new logs, thanks :)

Attached Files



#7 Sirawit

  • Malware Response Team

Posted 20 July 2016 - 11:58 AM

Hi fusioninfo.

 

We need to run a fix with FRST:

  • Please download the attached fixlist.txt file and save it to the same location as FRST
    Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
    Attached File: fixlist.txt (202 bytes)
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply

==========

 

How's your computer running now? Did Rightcoupon still appear?

 

Also, please create new FRST log files for me.

 

Thank you.




#8 fusioninfo

  • Topic Starter

Posted 20 July 2016 - 03:56 PM

Hi there. No popups; it seems everything is gone now. However, it looks like this stinky 'Host Service' was sending out emails from Windows directly, using my Google Apps account. I changed the password, and I don't get any bounces in spam anymore (meaning it stopped sending).

 

Here are the logs. Thanks for your help. These applications were not listed in Add/Remove Programs but appeared in Revo. Do they do something to hide themselves from there?

Attached Files
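An added editorial note on fusioninfo's question above; the PowerShell below is example code added here, not something posted in the thread, and the thread never states how those two entries were kept out of Add/Remove Programs. One well-documented reason an installed program is missing from Add/Remove Programs while a tool such as Revo still lists it is the Uninstall registry key itself: Windows skips an entry whose DisplayName is empty, whose SystemComponent value is 1, or which carries a ParentKeyName (it is then treated as an update), whereas tools that read the keys directly apply fewer filters. The script, run from an elevated prompt, walks the 64-bit, 32-bit and per-user Uninstall hives and flags entries Add/Remove Programs would not show; the name filter for 'Host Service' and 'HPStocker' is taken from the thread, and whether those particular entries used any of these mechanisms is an assumption.

```powershell
# Added example, not from the thread: list Uninstall registry entries that
# Windows "Programs and Features" / Add/Remove Programs would normally hide,
# so they can be compared against what a third-party uninstaller lists.
# Assumption: the hidden entries relied on an empty DisplayName, a
# SystemComponent=1 flag or a ParentKeyName value. The thread does not say.

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',              # 64-bit programs
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',  # 32-bit programs on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'               # per-user installs
)

$entries = foreach ($root in $uninstallRoots) {
    if (-not (Test-Path -Path $root)) { continue }

    Get-ChildItem -Path $root | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        $hiddenBecause = @()

        # The three conditions under which the built-in list omits an entry.
        if ([string]::IsNullOrEmpty($p.DisplayName)) { $hiddenBecause += 'empty DisplayName' }
        if ($p.SystemComponent -eq 1)                { $hiddenBecause += 'SystemComponent=1' }
        if ($p.PSObject.Properties['ParentKeyName']) { $hiddenBecause += 'ParentKeyName set (listed as an update)' }

        [pscustomobject]@{
            Hive            = $root
            Key             = $_.PSChildName
            DisplayName     = $p.DisplayName
            Publisher       = $p.Publisher
            InstallLocation = $p.InstallLocation
            UninstallString = $p.UninstallString
            HiddenFromARP   = ($hiddenBecause.Count -gt 0)
            Reason          = ($hiddenBecause -join '; ')
        }
    }
}

# Names below come from this thread; they are matched in case an entry is
# visible but worth a second look anyway.
$suspectNames = 'Host Service|HPStocker'

$flagged = $entries | Where-Object {
    $_.HiddenFromARP -or ($_.DisplayName -match $suspectNames) -or ($_.Key -match $suspectNames)
}

Write-Output ("{0} uninstall entries found, {1} would be hidden from Add/Remove Programs." -f
    @($entries).Count, @($entries | Where-Object HiddenFromARP).Count)

$flagged |
    Sort-Object Hive, Key |
    Format-Table Key, DisplayName, Publisher, Reason, UninstallString -AutoSize -Wrap
```

Legitimate software also sets SystemComponent=1 (runtime redistributables and driver packages commonly do), so a hidden entry is a lead, not a verdict; the UninstallString and InstallLocation columns show which binary each entry points at, which is what to cross-check against the FRST log.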



#9 Sirawit

  • Malware Response Team

Posted 22 July 2016 - 09:09 AM

Hi fusioninfo.

 

I think I have some points to tell you:

  • Please don't make any changes to your system during our cleanup. This only makes me more frustrated with your log files, and it's also very confusing when trying to figure out the current state of your system.
  • Also, please move your FRSTenglish64.exe to your desktop. The fix with FRST won't work if you don't place the fixlist file in the same directory as the executable.

 

---------------

 

Now, please do the following:

 

Thank you.




#10 Sirawit

  • Malware Response Team

Posted 26 July 2016 - 12:29 PM

Are you still there?

 

Thank you.




#11 Sirawit

  • Malware Response Team

Posted 30 July 2016 - 11:43 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.





