I can't get rid of this virus/adware/key that keeps coming back aol.com ask.com


  • This topic is locked
9 replies to this topic

#1 flashfoxx

  • Members
  • 5 posts

Posted 10 February 2017 - 01:01 AM

Hi, for the past days I have been experiencing very bad viruses/adware and slow speed on my computer. When I start Google Chrome and type in the Google search engine, a toolbar at the top named "Secure Search" appears (as if it were from AVG or some other program). I do not have AVG. I have tried everything to get rid of this bar, including AdwCleaner and resetting/reinstalling Google Chrome. It just keeps coming back. If I click a page, sometimes it opens a new tab and the original tab redirects itself to a random unreachable and suspicious site.

 

No matter what I do in AdwCleaner, the same adware just keeps coming back: aol.com and ask.com on Chrome, and HKLM\software\Microsoft\...

 

Here is the log from AdwCleaner:

 

# AdwCleaner v6.043 - Logfile created 09/02/2017 at 21:48:12

# Updated on 27/01/2017 by Malwarebytes
# Database : 2017-02-09.1 [Local]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : DeejayRush - WHITE-KATANA
# Running from : C:\Users\DeejayRush\Downloads\adwcleaner_6.043.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\DeejayRush\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\DeejayRush\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [26490 Bytes] - [08/02/2017 16:19:59]
C:\AdwCleaner\AdwCleaner[C2].txt - [2026 Bytes] - [08/02/2017 16:32:41]
C:\AdwCleaner\AdwCleaner[C3].txt - [1679 Bytes] - [08/02/2017 17:08:28]
C:\AdwCleaner\AdwCleaner[C4].txt - [1638 Bytes] - [08/02/2017 21:09:27]
C:\AdwCleaner\AdwCleaner[C5].txt - [1785 Bytes] - [08/02/2017 23:26:58]
C:\AdwCleaner\AdwCleaner[C6].txt - [2164 Bytes] - [09/02/2017 18:29:24]
C:\AdwCleaner\AdwCleaner[C7].txt - [6855 Bytes] - [09/02/2017 20:12:17]
C:\AdwCleaner\AdwCleaner[C8].txt - [1646 Bytes] - [09/02/2017 21:48:12]
C:\AdwCleaner\AdwCleaner[S0].txt - [24281 Bytes] - [08/02/2017 16:12:37]
C:\AdwCleaner\AdwCleaner[S1].txt - [2080 Bytes] - [08/02/2017 16:32:23]
C:\AdwCleaner\AdwCleaner[S2].txt - [1703 Bytes] - [08/02/2017 17:00:01]
C:\AdwCleaner\AdwCleaner[S3].txt - [1618 Bytes] - [08/02/2017 17:16:01]
C:\AdwCleaner\AdwCleaner[S4].txt - [1762 Bytes] - [08/02/2017 21:07:14]
C:\AdwCleaner\AdwCleaner[S5].txt - [1909 Bytes] - [08/02/2017 23:26:41]
C:\AdwCleaner\AdwCleaner[S6].txt - [2220 Bytes] - [09/02/2017 18:28:16]
C:\AdwCleaner\AdwCleaner[S7].txt - [6744 Bytes] - [09/02/2017 20:08:16]
C:\AdwCleaner\AdwCleaner[S8].txt - [2512 Bytes] - [09/02/2017 21:46:21]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C8].txt - [2377 Bytes] ##########
 



 


#2 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender: Female
  • Location: Devon, UK

Posted 10 February 2017 - 03:50 AM

Hello flashfoxx and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Run AVG removal tool

From the AdwCleaner log it appears that there are some remnants of AVG on your computer so please download AVG Removal Tool from here.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.


  • right click to run as administrator (XP users click Run after receipt of Windows Security Warning - Open File). When the tool opens, click Yes to the disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

===================================================

Run Security Check

Download Security Check by screen317 from here.

  • save it to your Desktop.
  • double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • a Notepad document should open automatically called checkup.txt; please post the contents of that document.

NOTE: If you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED!, try rebooting the system and then run SecurityCheck again.

Logs to include with next post:

Frst.txt
Addition.txt
checkup.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 flashfoxx

  • Topic Starter
  • Members
  • 5 posts

Posted 10 February 2017 - 12:38 PM

Hello satchfan, I have followed your steps, but the link to the last step is not working so I couldn't get 'Security Check'.

 

But here is FRST.txt and Addition.txt

 

 

Attached Files



#4 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender: Female
  • Location: Devon, UK

Posted 10 February 2017 - 05:37 PM

Apologies for the bad link: please use this one for SecurityCheck and post the result.

 

It's late here, so I will check your logs and reply in the morning (GMT).

 

Satchfan




#5 flashfoxx

  • Topic Starter
  • Members
  • 5 posts

Posted 10 February 2017 - 07:03 PM

Ok, got the program to download. Here is the checkup file.

Attached Files



#6 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender: Female
  • Location: Devon, UK

Posted 11 February 2017 - 10:20 AM

P2P - I see you have P2P software (BitTorrent, uTorrent and FrostWire) installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are, more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall them now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep them, please don’t use them until we have finished up here.

================================================

You need to move Farbar Recovery Scan Tool to your desktop, otherwise the fixes will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

================================================

Run Farbar Recovery Scan Tool

Open Notepad. Please copy the contents of the code box below and paste it into Notepad.

CloseProcesses:
AppInit_DLLs-x32: C:/PROGRA~3/{1C1FF~1/171~1.0/leno.dll => No File
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
SearchScopes: HKLM-x32 -> DefaultScope {94ED4422-07F3-492F-86C0-F58E83CBB77A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=SNYVDF&pc=MASA&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> {3BD44F0E-0596-4008-AEE0-45D47E3A8F0E} URL = hxxp://www.google.com/search?ie=utf-8&oe=utf-8&rlz=1V4IPYX&q={searchTerms}
SearchScopes: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> {9B970043-02DF-435F-92CA-68FF5B82C24E} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> {9B97950D-482C-1D79-568F-FC7B9D40C785} URL = hxxp://www.bing.com/search?q={searchTerms}&pc=Z192&form=ZGAIDF&install_date=20110929&iesrc={referrer:source}
SearchScopes: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
BHO: No Name -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> No File
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
BHO-x32: No Name -> {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} -> No File
Toolbar: HKU\.DEFAULT -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
Toolbar: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} -  No File
Toolbar: HKU\S-1-5-21-292364291-2706459263-1359030334-1005 -> No Name - {472734EA-242A-422B-ADF8-83D1E48CC825} -  No File
Handler: WSISVCUchrome - No CLSID Value
FF HKLM-x32\...\Firefox\Extensions: [{F53C93F1-07D5-430c-86D4-C9531B27DFAF}] - C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack => not found
S3 BRDriver64_1_3_3_E02B25FC; \??\C:\ProgramData\BitRaider\support\1.3.3\E02B25FC\BRDriver64.sys [X]
S3 btwaudio; system32\drivers\btwaudio.sys [X]
S3 btwavdt; system32\drivers\btwavdt.sys [X]
S3 btwl2cap; system32\DRIVERS\btwl2cap.sys [X]
S3 btwrchid; system32\DRIVERS\btwrchid.sys [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
S3 DrvAgent64; \??\C:\Windows\SysWOW64\Drivers\DrvAgent64.SYS [X]
S2 MBAMChameleon; \SystemRoot\system32\drivers\MBAMChameleon.sys [X]
U2 MSSQL$DDNI; no ImagePath
2017-02-10 09:17 - 2017-02-10 09:30 - 00000000 ____D C:\AVG_Remover
2017-02-10 09:14 - 2017-02-10 09:14 - 08111408 _____ ( ) C:\Users\DeejayRush\Downloads\AVG_Remover.exe
2017-02-09 19:46 - 2017-02-09 19:46 - 03449296 _____ (AVG Technologies CZ, s.r.o.) C:\Users\DeejayRush\Downloads\Antivirus_Free_1892.exe
2017-02-10 09:23 - 2015-07-13 12:09 - 00000000 ____D C:\ProgramData\AVG
2017-02-10 09:23 - 2014-11-06 15:23 - 00000911 _____ C:\Windows\Tasks\EPSON XP-410 Series Update {41E29E34-776C-4B9A-8F7C-2132D4D7681A}.job
2017-02-10 09:23 - 2014-11-06 15:23 - 00000725 _____ C:\Windows\Tasks\EPSON XP-410 Series Invitation {41E29E34-776C-4B9A-8F7C-2132D4D7681A}.job
2017-02-09 19:48 - 2015-07-13 12:10 - 00000000 ____D C:\Users\DeejayRush\AppData\Local\Avg
C:\Users\DeejayRush\AppData\Roaming\winscp.rnd
C:\Users\DeejayRush\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
C:\Users\DeejayRush\AppData\Local\Resmon.ResmonCfg
C:\Users\DeejayRush\AppData\Local\{63DC9FC7-D45F-4A26-982E-BB7059BB3030}
C:\ProgramData\109adf4f
C:\Users\DeejayRush\AppData\Local\Temp\BRSVC_142413_hlp.exe
C:\Users\DeejayRush\AppData\Local\Temp\ose00000.exe
C:\Users\DeejayRush\AppData\Local\Temp\R2RTOOL.dll
AlternateDataStreams: C:\ProgramData\PACE:712239B11AA41B1A [217]
AlternateDataStreams: C:\ProgramData\TEMP:373E1720 [118]
AlternateDataStreams: C:\ProgramData\TEMP:430C6D84 [256]
AlternateDataStreams: C:\ProgramData\TEMP:DFC5A2B2 [220]
FirewallRules: [{1A13F4EA-0D9B-4C47-AC84-00B2B58FA0DB}] => c:\windows\syswow64\mfc42u32.exe
FirewallRules: [{4793DBFC-49B7-4A28-A158-CC90468EC30C}] => c:\windows\syswow64\mfc42u32.exe
FirewallRules: [{E81EBCE9-140B-4295-B875-15A29E6C0672}] => c:\windows\syswow64\mfc42u32.exe
FirewallRules: [{D3D8BDF7-B798-4712-B19D-657A8718A1CA}] => C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe
FirewallRules: [{6EB55F0D-2739-433A-B5C8-3A7E80B8642E}] => C:\Program Files (x86)\Windows iLivid Toolbar\Datamngr\ToolBar\dtUser.exe
FirewallRules: [{C2D03C7F-2EF7-47FA-B5C6-4833CCE031FA}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{22B9F8E3-1A6F-4CC1-A125-556A5B451089}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
FirewallRules: [{BA0ED486-49B1-4CF6-8C03-27FE827F3496}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{89B03729-F3F7-47F3-AF32-3D7CB32AE6A7}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{CF653EC2-7795-4B74-895C-FD739BF246AB}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
FirewallRules: [{98C01575-0A14-47B1-960E-02F23B3F1E96}] => C:\Program Files (x86)\AVG\AVG2012\avgdiagex.exe
c:\windows\syswow64\mfc42u32.exe
C:\Program Files (x86)\Windows iLivid Toolbar
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

Thanks

Satchfan

 


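As an added example, not part of this thread or of FRST itself, the following Python script shows the triage logic behind the fix above: it reads FRST-style log lines (a constructed sample modelled on the entries in the fixlist) and flags the orphaned entries a helper would review, namely registrations pointing to "No File", search scopes with an empty URL, services whose image is missing ([X]) or has no ImagePath, and firewall rules for executables already removed. The ABSENT_TARGETS set is an assumption supplied by the caller, not something the log lines themselves state.

```python
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the FRST entries quoted in the fix above.
SAMPLE_LOG = r"""
AppInit_DLLs-x32: C:/PROGRA~3/{1C1FF~1/171~1.0/leno.dll => No File
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}
SearchScopes: HKLM -> {DC91FAFB-6CEA-49E5-BB74-9CEE75D09B77} URL =
BHO: No Name -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> No File
Toolbar: HKU\.DEFAULT -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -  No File
S3 dbx; system32\DRIVERS\dbx.sys [X]
S2 MBAMChameleon; \SystemRoot\system32\drivers\MBAMChameleon.sys
U2 MSSQL$DDNI; no ImagePath
FirewallRules: [{1A13F4EA-0D9B-4C47-AC84-00B2B58FA0DB}] => c:\windows\syswow64\mfc42u32.exe
FirewallRules: [{C2D03C7F-2EF7-47FA-B5C6-4833CCE031FA}] => C:\Program Files (x86)\AVG\AVG2012\avgnsa.exe
"""

# Assumption (the log lines do not state this): executables already known to be
# uninstalled, so firewall rules that still reference them are orphaned.
ABSENT_TARGETS = {
    r"c:\windows\syswow64\mfc42u32.exe",
    r"c:\program files (x86)\avg\avg2012\avgnsa.exe",
}

# Each rule: (regex matched against a log line, category, why it is flagged)
RULES = [
    (r"^(AppInit_DLLs|BHO|Toolbar|ShellIconOverlayIdentifiers).*\bNo File$",
     "registration", "points to a DLL that no longer exists"),
    (r"^SearchScopes: .*URL =$", "search scope", "search provider with an empty URL"),
    (r"^[SRU]\d .*\[X\]$", "service", "service or driver whose image file is missing"),
    (r"^[SRU]\d .*; no ImagePath$", "service", "service with no ImagePath"),
]

@dataclass
class Finding:
    category: str  # which kind of FRST entry this is
    reason: str    # why a helper would carry it into fixlist.txt
    line: str      # the log line verbatim, which is what FRST expects back

def triage(log_text, absent_targets=ABSENT_TARGETS):
    """Return the orphaned entries a helper would review for fixlist.txt."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        fw = re.match(r"^FirewallRules: \[\{[0-9A-Fa-f-]+\}\] => (.+)$", line)
        if fw:
            if fw.group(1).lower() in absent_targets:
                findings.append(Finding("firewall", "rule for a removed executable", line))
            continue
        for pattern, category, reason in RULES:
            if re.match(pattern, line):
                findings.append(Finding(category, reason, line))
                break
    return findings

def build_fixlist(findings):
    """Wrap flagged lines as the fix above does: a draft for a helper to review, not to run unreviewed."""
    return "\n".join(["CloseProcesses:", *(f.line for f in findings), "EmptyTemp:"]) + "\n"

if __name__ == "__main__":
    print(build_fixlist(triage(SAMPLE_LOG)))
```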


#7 flashfoxx

  • Topic Starter
  • Members
  • 5 posts

Posted 11 February 2017 - 12:26 PM

I have followed through with what you said, and here is my fixlog.

Attached Files



#8 flashfoxx

  • Topic Starter
  • Members
  • 5 posts

Posted 11 February 2017 - 02:27 PM

Satchfan, I think you have solved and fixed my computer problem because I don't see the secure search engine popping up anymore. I also haven't experienced any redirection on link clicks yet. I will let you know if anything happens but thank you very much. I will buy you a beer :)

 

By the way, do you recommend any other anti-virus programs that can avoid this problem in the future?


Edited by flashfoxx, 11 February 2017 - 02:28 PM.


#9 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender: Female
  • Location: Devon, UK

Posted 11 February 2017 - 06:56 PM

I’m pleased to hear that things are now OK.

Antivirus

Although you have the new Malwarebytes version, I’d still suggest that you install and run one of the following alongside it:


Free Avast Home Edition
Microsoft Security Essentials

 

===================================================

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:

  • Create registry backup
  • Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Update installed programs

Your version of Java is out-of-date and needs to be removed and updated.

Having the latest updates and removing old versions ensures there are no security vulnerabilities in your system.

Uninstall:

Java 8 Update 51

If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

NEXT

Install the latest version of Java:

Java

NOTE – when you install Java, before clicking on Install, be sure to Uncheck “Install the Ask Toolbar and make Ask my default search provider”

Even though I just had you get the latest version of Java, there is a vulnerability with regard to Java and web browsers. Therefore, we recommend disabling Java in web browsers.

More information can be found here.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX controls by immunizing your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan

 




#10 satchfan

  • Malware Response Team
  • 2,723 posts
  • Gender: Female
  • Location: Devon, UK

Posted 13 February 2017 - 03:30 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





