Info on Stack Player Adware/Malware


18 replies to this topic

#1 rookierook
  • Members
  • 38 posts
  • Gender:Male

Posted 24 October 2016 - 09:47 PM

My friend called me and needed help, saying that there were pop-ups whenever he opens a program, even if it's not a browser. I looked it up and noticed a program called Stack Player. I've disabled it in the system tray, but am unable to uninstall it, as it claims the installation file is not found.
 
After searching around on Google, I learned that it's adware/malware. But I decided to ask here for advice on its removal, if possible.
 
I've posted the FRST log below. I can't find the Attachment button, so I'll put it up on Google Drive.

https://drive.google.com/file/d/0B26yWeynXuFGTi1JQ3otOU91WHc/view?usp=sharing

Please take your time on this. I look forward to hearing your opinions.




#2 garioch7
    RCMP Veteran
  • Malware Response Instructor
  • 3,623 posts
  • Gender:Male
  • Location:Port Hood, Nova Scotia, Canada

Posted 25 October 2016 - 06:00 AM

Hello rookierook.  We are not permitted, by Forum policy, to request or analyze FRST logs or the logs produced by other sophisticated anti-malware utilities, such as OTL, Zoek, etc., in this Forum.

 

If your friend suspects his/her computer might be seriously infected, please follow the instructions on this link, and have him post in the Virus, Trojan, Spyware, and Malware Removal Logs Forum.

 
According to this link, running AdwCleaner should remove the remnants of this adware.  Just follow the instructions in Step 2 of the various removal options listed on the link.

After selecting "Clean" and rebooting your computer, a logfile report (AdwCleaner[S#].txt) will open automatically (where the largest value of # represents the most recent report).

Please copy and paste the contents of that logfile into your next reply.

A copy of that logfile will also be saved in the C:\AdwCleaner folder.

Thank you and have a great day.

Regards,
-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#3 rookierook

Posted 25 October 2016 - 08:54 PM

Quick Question. Do I need to just do Step 2 of the link mentioned, or must I do all the steps, which includes installing additional software like Revo Uninstaller and Hitman Pro?



#4 garioch7

Posted 26 October 2016 - 05:33 AM

rookierook:

 

You just need to follow Step 2.  It is the simplest approach.  The others are alternate approaches.  Pick one and follow the instructions.  If it were my computer, I would use AdwCleaner, if I didn't already have Malwarebytes Anti-Malware Premium, which would have blocked the adware before it could even install.

 

Please try AdwCleaner and copy and paste the contents of the log into your next reply.

 

Thank you and have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#5 rookierook

Posted 27 October 2016 - 07:26 PM

Here is the AdwCleaner log:

 

# AdwCleaner v6.030 - Logfile created 27/10/2016 at 20:11:52
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-10-27.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Bill - BILL-PC
# Running from : C:\Users\Bill\Desktop\adwcleaner_6.030.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support



***** [ Services ] *****

[-] Service deleted: rtop
[-] Service deleted: AppApcVerifier


***** [ Folders ] *****

[-] Folder deleted: C:\Users\Bill\AppData\Local\YSearchUtil
[-] Folder deleted: C:\Users\Bill\AppData\Local\StackPlayer
[-] Folder deleted: C:\Program Files\ByteFence
[-] Folder deleted: C:\ProgramData\ByteFence
[-] Folder deleted: C:\ProgramData\App-verifier
[-] Folder deleted: C:\ProgramData\AppApcVerifier
[#] Folder deleted on reboot: C:\ProgramData\Application Data\ByteFence
[#] Folder deleted on reboot: C:\ProgramData\Application Data\App-verifier
[#] Folder deleted on reboot: C:\ProgramData\Application Data\AppApcVerifier
[-] Folder deleted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Stack Player
[-] Folder deleted: C:\Program Files (x86)\Yahoo!\yset
[-] Folder deleted: C:\Program Files (x86)\StackPlayer
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\SearchProtect
[-] Folder deleted: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\YSearchUtil


***** [ Files ] *****

[-] File deleted: C:\Program Files\Common Files\System\SysMenu.dll
[-] File deleted: C:\Program Files\Common Files\System\SysMenu64.dll
[-] File deleted: C:\Windows\SysNative\LavasoftTcpService64.dll
[-] File deleted: C:\appverifier.txt
[-] File deleted: C:\Windows\SysWOW64\lavasofttcpservice.dll
[-] File deleted: C:\Users\Bill\AppData\Roaming\Mozilla\Firefox\Profiles\j1swmzfi.default\searchplugins\Search Provided by Bing.xml


***** [ DLL ] *****



***** [ WMI ] *****



***** [ Shortcuts ] *****



***** [ Scheduled Tasks ] *****



***** [ Registry ] *****

[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\AppApcVerifier
[#] Key deleted on reboot: [x64] HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Application\AppApcVerifier
[-] Key deleted: HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg
[-] Key deleted: HKLM\SOFTWARE\Classes\AniGIFPpg2.AniGIFPpg2
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[-] Key deleted: HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\AniGIFPpg.AniGIFPpg
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\AniGIFPpg2.AniGIFPpg2
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.Protector.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\protector_dll.ProtectorLib.1
[-] Key deleted: HKCU\Software\Classes\CLSID\{BEBBC426-4F16-4567-8FE1-BE198C982027}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{1112F282-7099-4624-A439-DB29D6551552}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B2BC04DF-EFBD-409A-95CA-36874E5AB92A}
[-] Key deleted: HKU\.DEFAULT\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKU\S-1-5-19\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKU\S-1-5-20\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[-] Key deleted: HKU\S-1-5-21-2338679992-769482841-1456108927-1000\Software\ByteFence
[-] Key deleted: HKU\S-1-5-21-2338679992-769482841-1456108927-1000\Software\StackPlayer
[#] Key deleted on reboot: HKU\S-1-5-21-2338679992-769482841-1456108927-1001\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[#] Key deleted on reboot: HKU\S-1-5-18\Software\AppDataLow\{5F189DF5-2D05-472B-9091-84D9848AE48B}
[#] Key deleted on reboot: HKCU\Software\ByteFence
[#] Key deleted on reboot: HKCU\Software\StackPlayer
[-] Key deleted: HKLM\SOFTWARE\ByteFence
[-] Key deleted: HKLM\SOFTWARE\Lavasoft\Web Companion
[-] Key deleted: HKLM\SOFTWARE\StackPlayer
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ByteFence
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! SearchSet
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D}
[#] Key deleted on reboot: [x64] HKCU\Software\ByteFence
[#] Key deleted on reboot: [x64] HKCU\Software\StackPlayer
[-] Key deleted: [x64] HKLM\SOFTWARE\ByteFence
[-] Key deleted: [x64] HKLM\SOFTWARE\AppApcVerifier
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Features\4E30E037E0535E84D9E3349209D354D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4
[-] Value deleted: HKU\S-1-5-21-2338679992-769482841-1456108927-1000\Software\Microsoft\Windows\CurrentVersion\Run [Stack Player]
[#] Value deleted on reboot: HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Stack Player]
[-] Value deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Stack Player]
[#] Value deleted on reboot: [x64] HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Stack Player]
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\avgsh
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{0C95ABFE-4FB6-49DB-B22F-0E1F5FC4BEEC}
[-] Key deleted: HKLM\SYSTEM\CurrentControlSet\Control\Class\{EEEFACB3-729F-4484-B66D-E7A7917BBFC1}


***** [ Web browsers ] *****

[-] Chrome preferences cleaned: "browser.search.defaultenginename" -  "Yahoo! Powered"
[-] Chrome preferences cleaned: "browser.search.selectedEngine" -  "Yahoo! Powered"
[-] [C:\Users\Bill\AppData\Local\Chromium\User Data\Default\Web data] [Search Provider] Deleted: yahoo! powered
[-] [C:\Users\Bill\AppData\Local\Chromium\User Data\Default] [startup_urls] Deleted: hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_gmmedply_16_42&param1=1&param2=f%3D7%26b%3Dchmm%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutC0CyC0FyCyD0A0A0CtCyC0AyBzz0B0FtN0D0Tzu0StCyByDtCtN1L2XzutAtFtByEtFtByCtFyDtAtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyD0B0EtC0E0FyBzytGtDzz0AyDtGtC0EyCzytGtDyDyDzztGyB0CyCyEyEtBtDtBtA0F0FyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CtCyCtA0AzzyByCtG0B0Fzz0AtGyE0E0C0EtG0B0ByB0EtGtBtB0B0AtB0B0BtAzyzy0D0D2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtDyEzyzz%26cr%3D438064482%26a%3Dwbf_gmmedply_16_42%26os_ver%3D6.1%26os%3DWindows%2B7%2BHome%2BPremium
[-] [C:\Users\Bill\AppData\Local\Chromium\User Data\Default] [homepage] Deleted: hxxps://us.search.yahoo.com/yhs/web?hspart=iry&hsimp=yhs-fullyhosted_003&type=wbf_gmmedply_16_42&param1=1&param2=f%3D1%26b%3Dchmm%26cc%3Dus%26pa%3Dwincy%26cd%3D2XzuyEtN2Y1L1QzutC0CyC0FyCyD0A0A0CtCyC0AyBzz0B0FtN0D0Tzu0StCyByDtCtN1L2XzutAtFtByEtFtByCtFyDtAtN1L1Czu1StN1L1G1B1V1N2Y1L1Qzu2SyD0B0EtC0E0FyBzytGtDzz0AyDtGtC0EyCzytGtDyDyDzztGyB0CyCyEyEtBtDtBtA0F0FyC2QtN1M1F1B2Z1V1N2Y1L1Qzu2S0CtCyCtA0AzzyByCtG0B0Fzz0AtGyE0E0C0EtG0B0ByB0EtGtBtB0B0AtB0B0BtAzyzy0D0D2QtN0A0LzutBtN1B2Z1V1T1S1NzutCtDyEzyzz%26cr%3D438064482%26a%3Dwbf_gmmedply_16_42%26os_ver%3D6.1%26os%3DWindows%2B7%2BHome%2BPremium
[-] [C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\Bill\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: pilplloabdedfmialnfchjomjmpjcoej


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [8550 Bytes] - [27/10/2016 20:11:52]
C:\AdwCleaner\AdwCleaner[R0].txt - [10382 Bytes] - [26/03/2015 20:13:36]
C:\AdwCleaner\AdwCleaner[S0].txt - [9668 Bytes] - [26/03/2015 20:15:08]
C:\AdwCleaner\AdwCleaner[S1].txt - [7588 Bytes] - [27/10/2016 20:10:06]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [8843 Bytes] ##########
 



#6 garioch7

Posted 28 October 2016 - 08:14 AM

rookierook:

 

Thanks for your log.  It looks like AdwCleaner removed Stack Player and some other Potentially Unwanted Programs (PUPs).

 

How is your computer working now?

 

Have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#7 Will5200
  • Members
  • 141 posts
  • Gender:Male
  • Location:United States

Posted 28 October 2016 - 12:51 PM

I just successfully cleaned up Stackplayer on one of our employee machines from a Sophos Enterprise Console. Just thought I'd throw this in. Surprised me! Cheers.



#8 rookierook

Posted 30 October 2016 - 12:32 PM

Sorry for the delay as I've been busy. I will get in touch with my friend ASAP to see if he's still having problems.



#9 rookierook

Posted 30 October 2016 - 01:32 PM

I have gotten in touch with him, and he says that Stack Player doesn't pop up anymore. However, it is still listed in his program list and he is unable to uninstall it. Here's the screenshot.

 

[Screenshot of the installed programs list, attached to the original post]



#10 garioch7

Posted 31 October 2016 - 12:42 PM

rookierook:

 

Sorry for the delay in responding.  It would appear that AdwCleaner removed the program, but left a registry listing.

 

Please check out this link to remove StackPlayer from the list of his installed programs.  Before launching Regedit, please download and run Registry Backup so that if something goes south, you can restore the registry.  Do not use the "Fallback" method; the full VSS Registry backup is the complete and preferred method.

 

I hope this helps.  Have a great day.  Let me know how your friend makes out.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#11 rookierook

Posted 02 November 2016 - 07:06 PM

Thank you. I haven't gotten in touch with him, so as soon as I am able, I will let you know how it turns out.



#12 rookierook

Posted 19 November 2016 - 04:43 PM

I apologize again for not being able to respond for nearly 3 weeks. I was able to get in touch and here's what happened.

 

- When we try to open Regedit and find the key for Stack Player, it does not exist within the Uninstall folder.

- Upon viewing the list of programs in Windows, Stack Player is still listed.

- Stack Player is also listed on CCleaner. When we try to simply delete the entry, we get the error saying "Cannot Open MSI Installer".

 

As far as the program itself goes, it's no longer popping up. If this thread is still active, any additional advice would be appreciated.



#13 garioch7

Posted 20 November 2016 - 07:34 AM

rookierook:
 
There are many places for programs to hide in the registry.  CCleaner can't remove Stack Player because AdwCleaner deleted its folders and the registry keys that it could find, so it is well and truly dead, BUT you can still see it listed, so AdwCleaner did not do a complete clean-up.
 
We have a number of options open to us.  I think the first step is to find out if Stack Player still exists anywhere in the registry.
 
Step 1: Please download MiniRegTool64.zip and unzip it.

  • Run the tool.
  • Copy and paste the following into the edit box:

Stack Player
StackPlayer

  • Check the Search radio button.
  • Press Go button.
  • Please copy and paste the log (Result.txt) into your next reply.

 

I strongly recommend that you do not attempt to edit the registry yourself, unless you are very knowledgeable about registry editing.  I will write a registry script to take out any offending registry keys/values that might be found.

 

If you do try to edit the registry, please download and run the Tweaking.com Registry Backup Utility from here, and then run it.  Do not use the "Fallback" method and do ensure that you have either a Windows installation disk or Windows System Repair disk in case something goes wrong.  Editing the registry is inherently dangerous.

 

Have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators


#14 rookierook

Posted 26 November 2016 - 10:23 PM

Hello again. It doesn't appear to have found anything. Here's the result in full:

 

MiniRegTool by Farbar Version:21-07-2014
Ran by Bill (administrator) on 2016-11-26 at 20:45:06

==========================================
Search Result For: "stackplayer;stack player"


==== End of Search ====

 



#15 garioch7

Posted 27 November 2016 - 06:48 AM

rookierook:

 

Thank you for your update.  The MiniRegTool utility only searches the HKEY_LOCAL_MACHINE and the HKEY_CURRENT_USER registry hives, so our "friend" must be hiding elsewhere in the registry.

 

Please first launch CCleaner again, and from the List of Installed Programs shown in CCleaner, highlight Stack Player in that list, and instead of clicking "Uninstall", click "Delete".  Exit CCleaner and reboot your computer.  Does Stack Player still show in either the CCleaner or the Windows Control Panel list of installed programs?  If not, you are finished and all is well - CCleaner wiped out the remaining registry subkeys.

 

If Stack Player is still showing, check out this link for information on how to search your entire registry.  Please BACK UP the registry first, preferably by using Tweaking.com's free Registry Backup program, available for download from this link.  Don't use the "Fallback" method.

 

If you are not comfortable searching the entire registry, then please let me know, and I will be happy to prepare an SWReg script for you to search the entire registry.  Once we have found the StackPlayer entries, I will create another SWReg script to delete any found Stack Player registry subkeys once and for all.

 

Have a great day.

 

Regards,

-Phil


Member of the Unified Network of Instructors and Trusted Eliminators
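An added example for the situation in posts #12 and #15 (my code, not from this thread, CCleaner, or Microsoft): "Cannot Open MSI Installer" and a Programs and Features entry with no matching key under the Uninstall folder point at a Windows Installer product registration. For an MSI-installed product the Uninstall subkey is named by the ProductCode GUID, and Windows Installer separately records the same product under Installer\Products keys named by a "packed" form of that GUID (groups reversed, so a text search for the braces form never finds it). The log in post #5 contains both encodings of one GUID: the Uninstall key {730E03E4-350E-48E5-9D3E-4329903D454D} and the Installer\Products key 4E30E037E0535E84D9E3349209D354D4; the conversion below reproduces that pair. The script builds the list of registry locations to check for a given ProductCode and, when run on Windows, reports which of them still exist; the list of locations is from Windows Installer's documented per-machine and per-user registration and is the assumption the example rests on. Which product that GUID belonged to is not stated in the log, so the code does not claim it is Stack Player.

```python
import re

try:
    import winreg  # Windows only; the path builder below works anywhere
except ImportError:
    winreg = None

GUID_RE = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)


def _swap_pairs(hexstr: str) -> str:
    """Reverse each byte (two hex digits) in place: '4329' -> '3492'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def pack_guid(product_code: str) -> str:
    """MSI ProductCode {8-4-4-4-12} -> the 32-digit packed name used under
    Installer\\Products: groups 1-3 reversed as strings, groups 4-5 byte by byte."""
    m = GUID_RE.match(product_code.strip())
    if not m:
        raise ValueError(f"not a GUID: {product_code!r}")
    g1, g2, g3, g4, g5 = (g.upper() for g in m.groups())
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)


def unpack_guid(packed: str) -> str:
    """Inverse of pack_guid: packed key name -> {ProductCode}."""
    p = packed.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", p):
        raise ValueError(f"not a packed GUID: {packed!r}")
    return "{%s-%s-%s-%s-%s}" % (
        p[:8][::-1], p[8:12][::-1], p[12:16][::-1],
        _swap_pairs(p[16:20]), _swap_pairs(p[20:]))


def msi_registration_paths(product_code: str):
    """(hive, subkey) pairs where Windows Installer and Programs and Features
    record a product.  Deleting only the Uninstall key leaves the others behind."""
    packed = pack_guid(product_code)
    code = "{" + product_code.strip().strip("{}").upper() + "}"
    return [
        # Windows Installer product registration, per-machine installs
        ("HKLM", r"SOFTWARE\Classes\Installer\Products\%s" % packed),
        ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\%s" % packed),
        # per-user (unmanaged) Windows Installer registration
        ("HKCU", r"Software\Microsoft\Installer\Products\%s" % packed),
        # Add/Remove Programs entries: 64-bit view, 32-bit view, per-user
        ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s" % code),
        ("HKLM", r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\%s" % code),
        ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Uninstall\%s" % code),
    ]


def existing_registrations(product_code: str):
    """On Windows: the subset of msi_registration_paths that still exist,
    opened through the 64-bit registry view.  Raises on other platforms."""
    if winreg is None:
        raise RuntimeError("registry lookup requires Windows")
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    present = []
    for hive, path in msi_registration_paths(product_code):
        try:
            with winreg.OpenKey(hives[hive], path, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY):
                present.append((hive, path))
        except OSError:
            pass
    return present


if __name__ == "__main__":
    # The GUID-named Uninstall subkey AdwCleaner deleted in the log posted above.
    code = "{730E03E4-350E-48E5-9D3E-4329903D454D}"
    print("packed:", pack_guid(code))
    for hive, path in msi_registration_paths(code):
        print(hive + "\\" + path)
    if winreg is not None:
        print("still present:", existing_registrations(code))
```

Take the ProductCode from the surviving entry (CCleaner and the Uninstall key both expose it), run the script on the affected machine, and the "still present" list is exactly the set of keys to back up and then remove; a per-user managed install would additionally sit under UserData\<user SID>\Products, which the list omits because the posted log only shows the S-1-5-18 (per-machine) branch.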

