
email links redirecting to random sites & theclickcheck.com


16 replies to this topic

#1 zuanne

zuanne

  • Members
  • 25 posts
  • OFFLINE
  •  
  • Local time:09:23 PM

Posted 13 March 2017 - 10:07 AM

Hello,

I'm running Windows 7 home premium 64 bit, using Firefox 51.0.1 and Windows Live Mail.  My salon sends confirmation emails with a link to click on to confirm appointments and when I click on the link, I get redirected to random sites such as amazon, edmunds, realtor.com and then to theclickcheck.com.  I tried copying & pasting the address rather than clicking on the link button in the email, and the same thing happened. 

 

I mentioned the weird redirect to the salon the first time this happened a few months ago, and they didn't say anything about other people having this problem.  So when it happened again now, I figured it must be something with my computer.  A google search turned up that there's a clickcheck.com virus, so I ran Microsoft Security Essentials, Malwarebytes Anti-Malware & Anti-Rootkit, Kaspersky TDSS killer, and Adlice RogueKiller, but none of them found anything. 

 

This hasn't happened with other links from other senders or otherwise when I'm online, and I'm not experiencing any other computer problems (touch wood).  Can you please help me figure out what's going on?

 

thanks very much!





#2 buddy215

buddy215

  • BC Advisor
  • 12,908 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:09:23 PM

Posted 13 March 2017 - 10:36 AM

Could be the salon's computer has been compromised since only their links are being misdirected.

 

Use the programs below to clean, remove adware and to remove malware. If those come up clean then I would further suspect it is the salon's problem...not your computer's problem.

 

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.

After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

 

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message

Please download Zemana AntiMalware and install it

  • Run the application
  • Click "Next" and then Scan
  • When the scan has finished click Next to remove any threats.
  • Click the bars in the top right corner to display the logs, double click your log
  • copy and paste the log into your reply

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 zuanne

zuanne
  • Topic Starter


Posted 13 March 2017 - 02:32 PM

Hi Buddy- thanks so much for your help!  looks like Zemana caught "Trojan:Win32/Poweliks" that the other scans missed. I had zemana delete it (excluded a few other things it caught that I knew were OK), but still get redirected when I click on the email link.  The JRT report is too long to upload, but here are the other two logs in case you can see something else that might be causing trouble. If not, I guess it must be the salon's computer or the booking website:

 

AdwCleaner:

# AdwCleaner v6.044 - Logfile created 13/03/2017 at 12:11:43
# Updated on 28/02/2017 by Malwarebytes
# Database : 2017-03-13.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Suzanne - HARRYPUTER
# Running from : C:\Users\Suzanne\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

[-] Service deleted: CouponPrinterService

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Suzanne\AppData\Local\EmieBrowserModeList
[-] Folder deleted: C:\Users\Suzanne\AppData\Local\EmieSiteList
[-] Folder deleted: C:\Users\Suzanne\AppData\Local\EmieUserList
[-] Folder deleted: C:\Users\Suzanne\AppData\LocalLow\EmieBrowserModeList
[-] Folder deleted: C:\Users\Suzanne\AppData\LocalLow\EmieSiteList
[-] Folder deleted: C:\Users\Suzanne\AppData\LocalLow\EmieUserList
[-] Folder deleted: C:\Users\Suzanne\AppData\Roaming\catalina – print savings
[-] Folder deleted: C:\Users\Suzanne\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\catalina – print savings
[-] Folder deleted: C:\Users\Suzanne\Documents\Coupons
[-] Folder deleted: C:\Program Files (x86)\Digital Coupon Printer
[-] Folder deleted: C:\Program Files (x86)\PrintMyCouponAnywhere

***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
[-] Key deleted: HKU\S-1-5-21-352842277-3683212840-978135403-1000\Software\Microsoft\Internet Explorer\SearchScopes\{46143E6F-54CB-4807-A7CD-EA5F77C3A25B}
[-] Data restored: HKU\S-1-5-21-352842277-3683212840-978135403-1000\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{46143E6F-54CB-4807-A7CD-EA5F77C3A25B}
[-] Data restored: HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{46143E6F-54CB-4807-A7CD-EA5F77C3A25B}
[-] Data restored: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes [DefaultScope] {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
[-] Key deleted: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Activities\Search\ask.com

***** [ Web browsers ] *****

[-] Firefox preferences cleaned:
[-] Firefox preferences cleaned:
[-] Firefox preferences cleaned:

*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [3187 Bytes] - [13/03/2017 12:11:43]
C:\AdwCleaner\AdwCleaner[S0].txt - [3757 Bytes] - [13/03/2017 12:08:42]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [3333 Bytes] ##########

Zemana:

Zemana AntiMalware 2.72.179.176 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/3/13
Operating System       : Windows 7 64-bit
Processor              : 2X Intel® Pentium® CPU B950 @ 2.10GHz
BIOS Mode              : Legacy
CUID                   : 120ED7DEAD996770834AA6
Scan Type              : System Scan
Duration               : 17m 58s
Scanned Objects        : 124911
Detected Objects       : 5
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

Firefox Search
Status             : Scanned
Object             : iGive - http://isearch.igive.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Exclude
Related Objects    :
                Browser Setting - Firefox Search

Firefox Search
Status             : Scanned
Object             : iGive - http://isearch.igive.com
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Suspicious Browser Setting
Cleaning Action    : Exclude
Related Objects    :
                Browser Setting - Firefox Search

iGive Button
Status             : Scanned
Object             : %appdata%\mozilla\firefox\profiles\az9o6mxf.default\extensions\igive@igive.comholdingsllc
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Exclude
Related Objects    :
                Browser Extension - iGive Button

Trojan:Win32/Poweliks
Status             : Scanned
Object             : %systemroot%\system32\tasks\{b0e4f8c3-92d0-4c6c-be8d-e616175202f1}|c:\program files\internet explorer\iexplore.exe
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : Fileless Malware
Cleaning Action    : Delete
Related Objects    :
                Scheduled Task - C:\Windows\System32\Tasks\{B0E4F8C3-92D0-4C6C-BE8D-E616175202F1}

npMozCouponPrinter.dll
Status             : Scanned
Object             : %programfiles%\mozilla firefox\browser\plugins\npmozcouponprinter.dll
MD5                : B12E8BD446DC6CB9F3D4C7F54EB98DD9
Publisher          : Coupons, Inc.
Size               : 247912
Version            : 5.0.2.8
Detection          : Adware:Win32/Coupons!Es
Cleaning Action    : Exclude
Related Objects    :
                File - %programfiles%\mozilla firefox\browser\plugins\npmozcouponprinter.dll

Cleaning Result
-------------------------------------------------------
Cleaned               : 5
Reported as safe      : 0
Failed                : 0



#4 buddy215


Posted 13 March 2017 - 03:25 PM

Split the JRT log and post it.

 

Surprised you want to keep Igive...you get paid for clicking on ads. I have to wonder if that is what is responsible for redirecting your email links. Try allowing Zemana to remove it as well as your coupon printer which was likely broken by AdwCleaner. Then reboot and see if the links are still being redirected.

Unless there is some private info in that email link....I would like for you to copy and paste in your next reply or send it to one of your friends or relatives to see if the same thing happens when they click on it.




#5 zuanne


Posted 13 March 2017 - 03:32 PM

actually, FYI, the iGive.com I have is a website that donates part of online purchases to charities :) there's probably something dodgy like you describe with a similar name.  I've had it for years and it hasn't been a problem, but I'll try uninstalling everything and will see if that helps.



#6 buddy215


Posted 13 March 2017 - 03:34 PM

Run the Eset Poweliks Removal Tool. Let me know if it finds Poweliks.

ESET :: Download :: Utilities :: Detail :: Poweliks Cleaner 1




#7 zuanne


Posted 13 March 2017 - 04:41 PM

Thanks Buddy

sent the email link to a friend to try, and she couldn't connect- kept timing out.  I'm not eager to post it online for all the world to click on- could I dm you or something?

 

eset said no poweliks found (hooray?)

 

JRT file is >100 pages long, most of which is variations of:  "Successfully deleted: C:\Users\Suzanne\AppData\Local\{000B230C-E111-4F80-A0A9-2802D787DF83} (Empty Folder)" but with different numbers in the brackets.

 

after all of those the following are listed:

Successfully deleted: C:\Windows\couponprinter.ocx (File)
Successfully deleted: C:\Windows\wininit.ini (File)

Deleted the following from C:\Users\Suzanne\AppData\Roaming\Mozilla\Firefox\Profiles\az9o6mxf.default\prefs.js
user_pref(extensions.iGive@iGive.comHoldingsLLC.IGiveButton_v8_balance, \{\\\balance\\\:{\\\ab\\\:\\\12,131.71\\\,\\\nm\\\:\\\Suzanne\\\,\\\cid\\\:\\\6963\\\
user_pref(extensions.iGive@iGive.comHoldingsLLC.IGiveButton_v8_domain_cache, [\abcmouse.com\,\abebooks.com\,\ahalife.com\,\airfrance.us\,\ajmadison.com\,\alamo.c
user_pref(extensions.iGive@iGive.comHoldingsLLC.IGiveButton_v8_tracking_enabled, \<html>\\r\\n\\t\\r\\n\\t\\r\\n\\t\\t<head>\\r\\n\\t\\t\\t\\r\\n\\t\\t\\t<script language=



Registry: 8

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9984D1BC-40AB-4558-BB56-0C74AB76E25F} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{b7fca997-d0fb-4fe0-8afd-255e89cf9671} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C33FB3FD-4199-4DE5-B147-B269BEA02745} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{d43b3890-80c7-4010-a95d-1e77b5924dc3} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{C33FB3FD-4199-4DE5-B147-B269BEA02745} (Registry Key)

 

Just ran zemana again and got a clean result:

 

Zemana AntiMalware 2.72.179.176 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2017/3/13
Operating System       : Windows 7 64-bit
Processor              : 2X Intel® Pentium® CPU B950 @ 2.10GHz
BIOS Mode              : Legacy
CUID                   : 120ED7DEAD996770834AA6
Scan Type              : System Scan
Duration               : 12m 30s
Scanned Objects        : 119902
Detected Objects       : 0
Excluded Objects       : 0
Read Level             : SCSI
Auto Upload            : Enabled
Detect All Extensions  : Disabled
Scan Documents         : Disabled
Domain Info            : WORKGROUP,0,2

Detected Objects
-------------------------------------------------------

No threats detected



#8 buddy215


Posted 13 March 2017 - 04:57 PM

You must not have run CCleaner before running JRT or you didn't allow CCleaner to remove all of the temporary files. That would account for all the temporary files JRT removed.

If the link doesn't contain anything you would prefer I not know such as your name, account specifics, etc. then...yes, you can pm me. I will attempt to find the properties of that link.




#9 zuanne


Posted 13 March 2017 - 05:18 PM

thanks- just pm-ed you the email link.  nothing horribly personal or private- just didn't think it would be good to post online for all the world to click on :)



#10 buddy215


Posted 13 March 2017 - 05:42 PM

You are a victim of theclickcheck.com

 

It could still be the salon's problem. That link's properties is exceptionally long...

You should ask them to click on the link they sent you. I clicked on the link and it took me to theclickcheck.com.




#11 buddy215


Posted 13 March 2017 - 05:55 PM

Run CCleaner per the directions above and then do this:

 

Open CCleaner and click on Tools. Choose Startups. On that page you will see a list of Windows Startups and at the top tabs for each browser and Scheduled Tasks. At the bottom right of that page you will see a button when clicked will allow you to Copy and Paste the list of Windows Startups and Scheduled Tasks into your next post. Please do that.




#12 zuanne


Posted 13 March 2017 - 06:08 PM

OK, I think I did it correctly this time (sorry)

here are the windows startups:

 

No    HKCU:Run    Amazon Music        "C:\Users\Suzanne\AppData\Local\Amazon Music\Amazon Music Helper.exe"
No    HKCU:Run    AmazonMP3DownloaderHelper    Amazon Services LLC    C:\Users\Suzanne\AppData\Local\Program Files\Amazon\MP3 Downloader\AmazonMP3DownloaderHelper.exe
No    HKCU:Run    MoneyAgent    Microsoft Corporation    "C:\Program Files (x86)\Microsoft Money\System\mnyexpr.exe"
No    HKLM:Run    Adobe ARM    Adobe Systems Incorporated    "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
No    HKLM:Run    APSDaemon    Apple Inc.    "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
No    HKLM:Run    ATT_McciTrayApp        "C:\Program Files\ATT\8.4.1.11\ma\bin\pcTrayApp.exe"
No    HKLM:Run    Cisco AnyConnect Secure Mobility Agent for Windows    Cisco Systems, Inc.    "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" -minimized
Yes    HKLM:Run    Digital Coupon Print Driver        "C:\Program Files (x86)\Digital Coupon Printer\DigitalCouponPrinter.exe"
Yes    HKLM:Run    GwxControlPanelMonitor    UltimateOutsider    "C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe" /traymode
No    HKLM:Run    HotKeysCmds    Intel Corporation    C:\Windows\system32\hkcmd.exe
No    HKLM:Run    HP Quick Launch    Hewlett-Packard Development Company, L.P.    C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch\HPMSGSVC.exe
No    HKLM:Run    HP Software Update    Hewlett-Packard    C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
No    HKLM:Run    HPConnectionManager    Hewlett-Packard Development Company L.P.    C:\Program Files (x86)\Hewlett-Packard\HP Connection Manager\HPCMDelayStart.exe
No    HKLM:Run    HPOSD    Hewlett-Packard Development Company, L.P.    C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
No    HKLM:Run    HPQuickWebProxy    Hewlett-Packard Company    "C:\Program Files (x86)\Hewlett-Packard\HP QuickWeb\hpqwutils.exe"
Yes    HKLM:Run    Http Listener        C:\Program Files (x86)\PrintMyCouponAnywhere\PrintMyCouponAnywhere.exe
No    HKLM:Run    IgfxTray    Intel Corporation    C:\Windows\system32\igfxtray.exe
Yes    HKLM:Run    iTunesHelper    Apple Inc.    "C:\Program Files\iTunes\iTunesHelper.exe"
Yes    HKLM:Run    Malwarebytes Anti-Exploit    Malwarebytes Corporation    C:\Program Files (x86)\Malwarebytes Anti-Exploit\mbae.exe
Yes    HKLM:Run    MSC    Microsoft Corporation    "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
No    HKLM:Run    Persistence    Intel Corporation    C:\Windows\system32\igfxpers.exe
No    HKLM:Run    SetDefault    Hewlett-Packard Development Company, L.P.    C:\Program Files\Hewlett-Packard\HP LaunchBox\SetDefault.exe
Yes    HKLM:Run    SunJavaUpdateSched    Oracle Corporation    "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
No    HKLM:Run    SynTPEnh    Synaptics Incorporated    %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
No    HKLM:Run    SysTrayApp    IDT, Inc.    C:\Program Files\IDT\WDM\sttray64.exe
No    HKLM:Run    UnThreat        "C:\Program Files (x86)\UnThreat AntiVirus\UnThreat.exe" -silent
Yes    HKLM:Run    ZAM    Copyright 2017.    "C:\Users\Suzanne\Documents\Anti-Virus\Zemana AntiMalware\ZAM.exe" /minimized
No    Startup Common    HP Digital Imaging Monitor.lnk    Hewlett-Packard Co.    C:\PROGRA~2\HP\DIGITA~1\bin\hpqtra08.exe
No    Startup User    Dropbox.lnk    Dropbox, Inc.    C:\Users\Suzanne\AppData\Roaming\Dropbox\bin\Dropbox.exe /systemstartup
 

 

And the scheduled tasks:

 

Yes    Task    Adobe Acrobat Update Task    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Yes    Task    CCleanerSkipUAC        "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes    Task    Microsoft Office 15 Sync Maintenance for HARRYPUTER-Suzanne HarryPuter    Microsoft Corporation    C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe
Yes    Task    {21B6121C-5EFE-41A2-81D7-C76709E45992}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a "F:\USB to IrDA  Wireless Bridge\HE120\win driver\Setup.exe" -d "F:\USB to IrDA  Wireless Bridge\HE120\win driver"
Yes    Task    {340E0CC5-D33C-4896-8657-CFFF15909E85}        C:\Users\Suzanne\Downloads\QponPrinter.exe
Yes    Task    {372ED2DA-B194-4CCA-9640-403317681E29}        C:\Program Files (x86)\Microsoft Office\Office10\WINWORD.EXE
Yes    Task    {4E677D5F-D099-491F-A389-819F4B6B91E3}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\Suzanne\Downloads\jre-8u101-windows-i586-iftw.exe -d C:\Users\Suzanne\Downloads
Yes    Task    {6CD6F6A1-22DD-4AEB-AC93-40A59C695447}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a "F:\USB2.0&1394 HOST(PCI)\windows\EHCI_144.EXE" -d "F:\USB2.0&1394 HOST(PCI)\windows"
Yes    Task    {78178484-AF85-4A0A-A0AD-EF22032167E0}        C:\Users\Suzanne\Downloads\QponPrinter.exe
Yes    Task    {B9FB318B-1C32-40A7-924B-221C986F95CE}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a "F:\USB2.0&1394 HOST(PCI)\windows\EHCI_152.EXE" -d "F:\USB2.0&1394 HOST(PCI)\windows"
 



#13 buddy215


Posted 13 March 2017 - 06:32 PM

Disable these Windows Startups: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    HKLM:Run    Digital Coupon Print Driver        "C:\Program Files (x86)\Digital Coupon Printer\DigitalCouponPrinter.exe"
Yes    HKLM:Run    GwxControlPanelMonitor    UltimateOutsider    "C:\Program Files (x86)\UltimateOutsider\GWX Control Panel\GWX_control_panel.exe" /traymode

Yes    HKLM:Run    Http Listener        C:\Program Files (x86)\PrintMyCouponAnywhere\PrintMyCouponAnywhere.exe

Yes    HKLM:Run    iTunesHelper    Apple Inc.    "C:\Program Files\iTunes\iTunesHelper.exe"

 

Uninstall UnThreat AntiVirus if it is still installed on your computer. Use Download Revo Uninstaller Freeware to uninstall it.

 

Disable these Scheduled Tasks: Use CCleaner by clicking on each item and choosing Disable on the right.

Yes    Task    Adobe Acrobat Update Task    Adobe Systems Incorporated    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Yes    Task    CCleanerSkipUAC        "C:\Program Files\CCleaner\CCleaner.exe" $(Arg0)
Yes    Task    Microsoft Office 15 Sync Maintenance for HARRYPUTER-Suzanne HarryPuter    Microsoft Corporation    C:\Program Files\Microsoft Office 15\Root\Office15\MsoSync.exe
Yes    Task    {340E0CC5-D33C-4896-8657-CFFF15909E85}        C:\Users\Suzanne\Downloads\QponPrinter.exe

Yes    Task    {372ED2DA-B194-4CCA-9640-403317681E29}        C:\Program Files (x86)\Microsoft Office\Office10\WINWORD.EXE
Yes    Task    {4E677D5F-D099-491F-A389-819F4B6B91E3}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\Suzanne\Downloads\jre-8u101-windows-i586-iftw.exe -d C:\Users\Suzanne\Downloads

Yes    Task    {78178484-AF85-4A0A-A0AD-EF22032167E0}        C:\Users\Suzanne\Downloads\QponPrinter.exe


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
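Added example (not part of the original posts, and not CCleaner's or the advisor's own method): a small Python parser for the startup and scheduled-task export layout posted above. It lists enabled entries that have no publisher, run from a user-writable folder, or are `pcalua.exe -a` wrappers around another program. The three heuristics and all function names are assumptions made for this example; the sample lines are copied from the listing in this thread.

```python
import re
from typing import NamedTuple

# Sample lines copied from the listing in this thread.
# Columns: Enabled, Location, Name, Publisher, Command (tab or 4-space separated).
SAMPLE = r'''
No    HKLM:Run    IgfxTray    Intel Corporation    C:\Windows\system32\igfxtray.exe
Yes    HKLM:Run    Http Listener        C:\Program Files (x86)\PrintMyCouponAnywhere\PrintMyCouponAnywhere.exe
Yes    HKLM:Run    iTunesHelper    Apple Inc.    "C:\Program Files\iTunes\iTunesHelper.exe"
Yes    Task    {340E0CC5-D33C-4896-8657-CFFF15909E85}        C:\Users\Suzanne\Downloads\QponPrinter.exe
Yes    Task    {4E677D5F-D099-491F-A389-819F4B6B91E3}    Microsoft Corporation    C:\Windows\system32\pcalua.exe -a C:\Users\Suzanne\Downloads\jre-8u101-windows-i586-iftw.exe -d C:\Users\Suzanne\Downloads
'''

class Entry(NamedTuple):
    enabled: bool
    location: str
    name: str
    publisher: str
    command: str

# Folders under a user profile that any program running as that user can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Documents)\\", re.I)
# pcalua.exe (Program Compatibility Assistant) starts the program named after -a.
PCALUA_TARGET = re.compile(r'pcalua\.exe"?\s+-a\s+("[^"]+"|\S+)', re.I)

def parse(text):
    """Split each export line into its five columns; skip anything else."""
    entries = []
    for line in text.splitlines():
        cols = re.split(r"\t| {4}", line.strip(), maxsplit=4)
        if len(cols) == 5 and cols[0] in ("Yes", "No"):
            entries.append(Entry(cols[0] == "Yes", *(c.strip() for c in cols[1:])))
    return entries

def reasons(e):
    """Review reasons for one entry (heuristics assumed for this example)."""
    found = []
    if not e.publisher:
        found.append("no publisher")
    if USER_WRITABLE.search(e.command):
        found.append("runs from user-writable folder")
    m = PCALUA_TARGET.search(e.command)
    if m:
        found.append("pcalua wrapper for " + m.group(1).strip('"'))
    return found

def triage(text):
    """Map entry name -> reasons, for enabled entries worth a closer look."""
    return {e.name: reasons(e) for e in parse(text) if e.enabled and reasons(e)}
```

A flagged entry is only a candidate for review: a missing publisher or a Downloads path narrows where to look, it does not identify malware.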


#14 zuanne


Posted 13 March 2017 - 06:56 PM

Thanks Buddy,

I disabled all except:

Yes    Task    {372ED2DA-B194-4CCA-9640-403317681E29}        C:\Program Files (x86)\Microsoft Office\Office10\WINWORD.EXE

which produced an error message "Failed to enable/disable startup item: no mapping between account names and security IDs was done"

 

Could not find UnThreat AntiVirus on my machine



#15 buddy215


Posted 13 March 2017 - 07:12 PM

For now....let me know what the salon has to say about clicking on that link it sent you.






