
Having trouble removing Searchscopes


2 replies to this topic

#1 TheKhanChakra

  • Members
  • 3 posts

Posted 17 August 2016 - 10:52 PM

Hello,

I am trying to remove Searchscopes from my PC.
Every time I click quarantine in MBAM, it restarts my computer before I can "delete all".
I have found it in my registry but cannot modify or delete it in safe mode.
I ran AdwCleaner and it found 55 threats, which I attempted to remove in safe mode. I thought I had it deleted, but when I ran MBAM it reinstalled before I could click "delete all" once again.

It is hiding in the Internet Explorer registry, but I cannot modify or delete it.

I noticed this problem when I tried to open my PC in admin mode and experienced a black screen with just a cursor. I was able to open up Task Manager, but I couldn't restart explorer; I tried multiple times, and restarted my PC, but to no avail. After all of that I scanned with MBAM, and that's when I first encountered the PUP.

Thanks

Edit: Moved topic from Windows 7 to the more appropriate forum. ~ Animal

Edit: I added some MBAM logs, JRT logs, AdwCleaner logs and TDSSKiller logs.

Edit edit: The TDSSKiller logs were too large, so I'm only posting them if I'm asked for them.

 

 

Thank You Animal


Edited by TheKhanChakra, 17 August 2016 - 11:47 PM.




#2 TheKhanChakra

  • Topic Starter
  • Members
  • 3 posts

Posted 17 August 2016 - 11:34 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 7 Professional x64 
Ran by Darren-Admin (Administrator) on Wed 08/17/2016 at 21:16:25.18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 26 
 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\crashrpt (Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\nico mak computing (Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\13GSWTDO (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\28F3IUSJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5EIIMMT4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8XMR4U5B (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I42NHKR5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK8AL5EV (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QUX5DPKN (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Darren-Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V4KYT85P (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0PS72R2M (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\13GSWTDO (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\28F3IUSJ (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5EIIMMT4 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\62AXOPQ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8XMR4U5B (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FZG8CKJ5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I42NHKR5 (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LIXMVQOA (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MK8AL5EV (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QUX5DPKN (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\V4KYT85P (Temporary Internet Files Folder) 
 
Deleted the following from C:\Users\Darren-Admin\AppData\Roaming\Mozilla\Firefox\Profiles\a9z00u6z.default\prefs.js
user_pref(extensions.fNbJ2eaoCGxNHoRr.scode, (function(){try{if(window.location.href.indexOf(\qHk5qTa5rTrGrHCGrjU6pdn7pn\)>-1){return;}}catch(e){}try{var d=[[\www.ebay.c
 
 
 
Registry: 1 
 
Successfully deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\GoogleChromeAutoLaunch_F41095423F338E14531A0AB5D9871641 (Registry Value) 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 08/17/2016 at 21:17:59.39
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
 
 
 
Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 8/17/2016
Scan Time: 8:04 PM
Logfile: MBAM Logs THAT duplicate.txt
Administrator: No
 
Version: 2.2.1.1043
Malware Database: v2016.08.17.14
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Darren
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 228736
Time Elapsed: 2 min, 20 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.Speedial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}, Delete-on-Reboot, [b57d05478614b48209c8d9d1c73df50b], 
 
Registry Values: 1
PUP.Optional.Speedial, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}|TopResultURLFallback, http://speedial.com/results.php?f=4&q={searchTerms}&a=spd_dsites03_14_24_ff&cd=2XzuyEtN2Y1L1Qzu0DyE0B0E0DzytC0CyD0EzztB0DyEtB0BtN0D0Tzu0SzzzyyEtN1L2XzutBtFtBtCtFyEtFtDtN1L1CzutCyEtBzytDyD1V1StN1L1G1B1V1N2Y1L1Qzu2StB0B0D0ByDyD0F0CtGtCyBtD0EtGtDyDyCtDtGyEyBzyyBtGtDtByEyD0A0A0F0AyE0E0B0B2QtN1M1F1B2Z1V1N2Y1L1Qzu2SyBtDzytDtB0CzzyDtGtA0B0E0BtGtBtA0DyCtG0D0CtAyEtGtByCzy0D0B0FyBtAyCyC0Dzz2Q&cr=560957090&ir=, Delete-on-Reboot, [b57d05478614b48209c8d9d1c73df50b]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)
 
 
 

Edited by TheKhanChakra, 17 August 2016 - 11:43 PM.


#3 TheKhanChakra

  • Topic Starter
  • Members
  • 3 posts

Posted 17 August 2016 - 11:45 PM

# AdwCleaner v6.000 - Logfile created 17/08/2016 at 20:17:42
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-08-17.2 [Server]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : Darren-Admin - DARREN-PC
# Running from : C:\Users\Darren\Downloads\adwcleaner_6.000.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Darren-Admin\AppData\Roaming\IHlpr
[-] Folder deleted: C:\Users\Darren\AppData\Local\AVG SafeGuard toolbar
[-] Folder deleted: C:\Users\Darren-Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bakijjialdiiboeaknfpmflphhmljfkd
[-] Folder deleted: C:\Users\Darren-Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
[-] Folder deleted: C:\Users\Darren\AppData\Local\Google\Chrome\User Data\Default\Extensions\ndibdjnfmopecpmkdieinmbadjfpblof
[-] Folder deleted: C:\Users\Darren-Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gjjofdeodiofmmdlnbgpeekgefglmkfj
 
 
***** [ Files ] *****
 
[-] File deleted: C:\Users\Darren-Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_gjjofdeodiofmmdlnbgpeekgefglmkfj_0.localstorage
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKCU\Software\Classes\CLSID\{BEBBC426-4F16-4567-8FE1-BE198C982027}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{A07E5BFF-B16C-4ABA-A30F-514213A945E6}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKU\S-1-5-21-2093706144-3949437724-3400803560-1000\Software\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer Packages
[#] Key deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Image Resizer Packages
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8036C72171EF4ba46856BF57969F6A36
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\89BB7852687BDC34B9A81E01C7FF9173
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\89EA4F1B8FBCDEF47AE328E455E28AA0
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CBC85D72B148084ABE8C2F072F781F4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CC5A38A64D6098468BC8395BA0EFF03
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8DF9A1AC557F56c49B56F6B83E293C15
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\97ECFF59EE08D4F47BB1464DEC37DA87
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A8CB937199A57E748B6AC433DA453EE2
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A97C590397DCC454AA8923563BAB10E4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B08932C78B697C244BE7BA3E6FF09B62
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B4E78E12704AFCE408C7FBE501F1AA0A
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6A54B56C58C82a4688AFB93F42EA17B
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CFA51B44D54927c4E9B7BC1D3FD1E49F
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D14A7F65792054F418578C78367D13F7
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DFE9F0BD163D827438CB6AD6B100EC48
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F0390A76D28822743A68D7F1AB22E6D0
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F739A19A8327dc64C9A8B641A9E89646
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0A5AC497E6BBC8D45BE8AD6619DA8217
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\158D6D9E3FE81fa428925F22ACB3A965
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\15E6C514FEFC09f45BAFAAE1D7546ED4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DB42320A8525634AA089F0BEC86473B
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\22468B0D6050b2e46B9C4B67A8F59577
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2251BF05A2F606d43BB064BD63CBD87E
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3255D95681398614190EDF0A4F3F77DB
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3CDF313E9B28c944FBC7579CF4949414
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\71E54748EDD3dc1468548785DC856EDA
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\754590DD06DE8d249B526503432F99D4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D2A425F405350054677A7A857BC07100
[-] Key deleted: [x64] HKLM\SOFTWARE\Classes\Installer\Products\D2A425F405350054677A7A857BC07100
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Features\D2A425F405350054677A7A857BC07100
[#] Key deleted on reboot: HKLM\SOFTWARE\Classes\Installer\Products\D2A425F405350054677A7A857BC07100
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Key deleted: HKU\S-1-5-21-2093706144-3949437724-3400803560-1003\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
 
 
***** [ Web browsers ] *****
 
[-] [ask.com] [Search Provider] Deleted: ask.com
[-] [aol.com] [Search Provider] Deleted: aol.com
[-] [C:\Users\Darren-Admin\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ndibdjnfmopecpmkdieinmbadjfpblof
[-] [ask.com] [Search Provider] Deleted: ask.com
[-] [aol.com] [Search Provider] Deleted: aol.com
[-] [C:\Users\Darren\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ndibdjnfmopecpmkdieinmbadjfpblof
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
\AdwCleaner\AdwCleaner[C0].txt - [7425 Bytes] - [17/08/2016 20:17:42]
\AdwCleaner\AdwCleaner[R0].txt - [11209 Bytes] - [21/01/2015 07:39:21]
\AdwCleaner\AdwCleaner[S0].txt - [11399 Bytes] - [21/01/2015 07:40:19]
\AdwCleaner\AdwCleaner[S1].txt - [7934 Bytes] - [17/08/2016 20:17:13]
 
########## EOF - \AdwCleaner\AdwCleaner[C0].txt - [7711 Bytes] ##########
 
I can still see the program sitting in my registry.

Edited by TheKhanChakra, 18 August 2016 - 12:07 AM.
