
Clearscreen player has defied removal


  • This topic is locked
18 replies to this topic

#1 Dicedawg

  • Members
  • 73 posts
  • Gender:Male
  • Location:Florida

Posted 30 March 2017 - 11:13 PM

Well, here I am, back again to the heroes at Bleeping Computer who have saved me several times over the last 10 years.

So, yes, I have tried many of the basics. BTW, I actually thought I had cured it back in Jan 17; it worked well for a while, running a new bug squasher you guys had up online as a good solution (I don't see it on your download list anymore and I have since removed it), then the Chrome icons started to not fire off again.

So I have tried to remove this in control panel and it gives a message that the network drive is unavailable... this PC has never been hooked to a Network...

Now every restart it displays the message that Clearscreen player cannot find a connection... (png below)

Ran:

Malwarebytes Antimalware and its sister AdwCleaner...

SuperAntispyware

Emsisoft

Junkware removal tool

Microsoft Security Essentials does warn that it sees signs of some Malware, but comes up empty.

Ran RKill, then reran some of these to try and nip it in the bud... RKill only found one correction it made concerning the ASUS Wow64 jazz.

What's maddening to me is that this is supposed to be just a nuisance PUP, but this puppy has grown legs.

Hoping you guys can help me, once again, to put this bug down and get me up and running, un-annoyed once again!


DiceDawg

Pickleball Rocks!  :bananas: 



#2 Dicedawg
  • Topic Starter

Posted 30 March 2017 - 11:44 PM

Oh yeah... my PC details:

ASUS notebook K52/62 series
Intel Core i3 CPU M350 @ 2.27 GHz
Memory: 4 GB RAM, 3.97 GB usable
64-bit OS
Windows 7 Home Premium SP1

DiceDawg

Pickleball Rocks!  :bananas: 


#3 nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC, Canada

Posted 01 April 2017 - 08:01 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===


Please post the logs.

Wait for further instructions.

#4 Dicedawg
  • Topic Starter

Posted 02 April 2017 - 01:57 PM

Thanks Nasdaq,

I saw those instructions but thought I'd first see if there was a simple step I may have missed to resolve this quickly with some new software product!

 

Attached please find my logs.


DiceDawg

Pickleball Rocks!  :bananas: 


#5 nasdaq
  • Malware Response Team

Posted 03 April 2017 - 07:02 AM

Remove this program in bold via the Control Panel > Programs > Programs and Features.
ClearScreen Player (HKLM-x32\...\{1A9F662A-B086-4F2F-A2A3-D9E33775EB41}) (Version: 1.6.2.2 - ClearScreen Player)
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below into the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [ClearScreen Player] => C:\Program Files (x86)\ClearScreenPlayer\ClearScreenPlayer.exe [439712 2016-08-04] ()
HKU\S-1-5-21-3638961287-2488844582-1165135478-1000\...\Run: [ClearScreen Player] => C:\Program Files (x86)\ClearScreenPlayer\ClearScreenPlayer.exe [439712 2016-08-04] ()
HKU\S-1-5-21-3638961287-2488844582-1165135478-1000\...\MountPoints2: {e233a97f-8b2a-11df-a6d1-806e6f6e6963} - E:\start.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Toolbar: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-28]
CHR Extension: (Chrome Media Router) - C:\Users\asus\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-04-01]
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.25.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{590C4387-5EBD-4D46-8A84-CD0BA2EF2856}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.30.3\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{59B55F04-DE14-4BB8-92FF-C4A22EF2E5F4}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.31.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{793EE463-1304-471C-ADF1-68C2FFB01247}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.29.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{CC182BE1-84CE-4A57-B85C-FD4BBDF78CB2}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.29.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3638961287-2488844582-1165135478-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\asus\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
AlternateDataStreams: C:\ProgramData\Temp:2F370DA6 [266]
AlternateDataStreams: C:\ProgramData\Temp:4CF61E54 [260]
AlternateDataStreams: C:\ProgramData\Temp:A724744F [246]
AlternateDataStreams: C:\ProgramData\Temp:AB689DEA [256]
C:\Program Files (x86)\ClearScreenPlayer
C:\Users\asus\AppData\Local\ClearScreenPlayer

End
Save the file as fixlist.txt in the same folder the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

#6 Dicedawg
  • Topic Starter

Posted 03 April 2017 - 10:12 AM

I cannot remove ClearScreen Player via the usual Control Panel method; it responds that the origin was from a network server....

This Laptop has never been on a Network...


DiceDawg

Pickleball Rocks!  :bananas: 


#7 Dicedawg
  • Topic Starter

Posted 03 April 2017 - 10:24 AM

Forgot to mention: as I was thinking this to be a Google issue, since we are running 6 different Google accounts, when Google is first fired up it displays a PROFILE ERROR message...

Just now occurred to me that the message is part of this THUG bug on the laptop that I was assuming to be the Clearscreen Player PUP.

 

So should I run the script you provided even without being able to remove ClearScreen Player via Control Panel?


DiceDawg

Pickleball Rocks!  :bananas: 


#8 nasdaq
  • Malware Response Team

Posted 03 April 2017 - 12:43 PM

Just remove ClearScreen via the Control Panel.

Make sure that both of the folders in bold are gone. If not, delete them.

C:\Program Files (x86)\ClearScreenPlayer
C:\Users\asus\AppData\Local\ClearScreenPlayer

After a restart, let me know if the Chrome problem persists.
Give me the full message if you can.

#9 Dicedawg
  • Topic Starter

Posted 04 April 2017 - 10:45 AM

Once again, I cannot remove ClearScreen via Control Panel; it will not allow it, displaying a message that the network drive is not available....

 

I will remove the 2 designated folders.


DiceDawg

Pickleball Rocks!  :bananas: 


#10 Dicedawg
  • Topic Starter

Posted 04 April 2017 - 12:58 PM

Control Panel still could not remove ClearScreen; see the attached png of the message below.

 

Eliminated the 2 folders above and rebooted.

Chrome seems to run better now and no message about profile error.

 

Should I run FRST after first saving the code in notepad as prior instructed?

 

Kent 



DiceDawg

Pickleball Rocks!  :bananas: 


#11 nasdaq
  • Malware Response Team

Posted 04 April 2017 - 01:33 PM

Let's see what we can find in the Registry.

Farbar Recovery Scan Tool (FRST) - Registry Search
Follow the instructions below to download and execute a Registry search on your system with FRST, and provide the log in your next reply.
  • Right-click on the executable and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Accept the disclaimer by clicking on Yes, and FRST will then do a back-up of your Registry which should take a few seconds;
  • In the Search text area, copy and paste the following:
ClearScreenPlayer
  • Once done, click on the Search Registry button and wait for FRST to finish the search;
  • On completion, a log will open in Notepad. Copy and paste its content in your next reply;
Now search the Registry.

Please run the Farbar Recovery Scan Tool. Enter ClearScreenPlayer in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.
<<<>>>

Delete all the files/folders in the ...\local\Temp\ in the \temp folder NOT THE \TEMP FOLDER.

Restart the computer normally.

How is it now?

#12 Dicedawg
  • Topic Starter

Posted 04 April 2017 - 10:13 PM

Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by asus (04-04-2017 21:48:38)
Running from C:\Users\asus\Desktop\bleeping computer
Boot Mode: Normal
 
================== Search Registry: "ClearScreenPlayer" ===========
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Users\asus\AppData\Local\ClearScreenPlayer\"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders]
"C:\Program Files (x86)\ClearScreenPlayer\"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\SUPERAntiSpyware.com\SUPERAntiSpyware\InUseFiles]
"File0"="C:\USERS\ASUS\APPDATA\LOCAL\CLEARSCREENPLAYER\CLEARSCREENPLAYERBROWSER.EXE"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ClearScreenPlayer]
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"ClearScreenPlayer.exe"="11000"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ClearScreen Player"=""C:\Program Files (x86)\ClearScreenPlayer\ClearScreenPlayer.exe" /autostart=1"
[HKEY_USERS\S-1-5-21-3638961287-2488844582-1165135478-1000\Software\ClearScreenPlayer]
[HKEY_USERS\S-1-5-21-3638961287-2488844582-1165135478-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"ClearScreen Player"=""C:\Program Files (x86)\ClearScreenPlayer\ClearScreenPlayer.exe" /autostart=1"
 
====== End of Search ======

DiceDawg

Pickleball Rocks!  :bananas: 
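As an added example that is not part of this thread (not nasdaq's or Dicedawg's code), the following read-only PowerShell audit walks the registry locations the FRST search above reported, plus the two folders nasdaq asked to be deleted by hand, and lists whatever is still present. It assumes a 64-bit Windows host and that it is run from an elevated session as the affected user; it deletes nothing.

```powershell
# Added example, not from the thread: a read-only audit of the locations
# the FRST registry search above reported for ClearScreen Player.
# Assumes 64-bit Windows and an elevated PowerShell session; it only reports.
$needle = 'ClearScreenPlayer'

# Keys that the search hit, plus the 64-bit native Run key for completeness.
$keys = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION',
    'HKLM:\SOFTWARE\Wow6432Node\ClearScreenPlayer',
    'HKCU:\Software\ClearScreenPlayer'
)
# Folders nasdaq asked to be removed by hand (HKCU/LOCALAPPDATA resolve to the current user).
$folders = @(
    "${env:ProgramFiles(x86)}\ClearScreenPlayer",
    "$env:LOCALAPPDATA\ClearScreenPlayer"
)

$findings = @()
foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    # A vendor key that still exists is itself a leftover.
    if ($key -match $needle) {
        $findings += [pscustomobject]@{ Type = 'Key'; Location = $key; Name = ''; Data = '' }
    }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        # Match on the value name or its data, so both the Installer\Folders
        # entries and the Run entries pointing into the install folder are caught.
        if ("$($p.Name) $($p.Value)" -match $needle) {
            $findings += [pscustomobject]@{ Type = 'Value'; Location = $key; Name = $p.Name; Data = "$($p.Value)" }
        }
    }
}
foreach ($dir in $folders) {
    if (Test-Path -Path $dir) {
        $findings += [pscustomobject]@{ Type = 'Folder'; Location = $dir; Name = ''; Data = '' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No ClearScreenPlayer leftovers found."
} else {
    $findings | Format-Table -AutoSize
}
```

Running it before and after the Control Panel removal and the manual folder deletion shows which of the Run entries and Installer\Folders records still need cleaning up, which is the same set nasdaq's fixlist targets.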


#13 Dicedawg
  • Topic Starter

Posted 04 April 2017 - 10:21 PM

Search.txt:

 

Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by asus (04-04-2017 23:15:55)
Running from C:\Users\asus\Desktop\bleeping computer
Boot Mode: Normal
 
================== Search Files: "ClearScreenPlayer" =============
 
====== End of Search ======

DiceDawg

Pickleball Rocks!  :bananas: 


#14 Dicedawg
  • Topic Starter

Posted 04 April 2017 - 10:50 PM

Deleted Temp folder contents...

snapshot of contents before deletion attached as word file...

Interestingly enough, I tried to use MS Paint to capture and save, but each time I clicked SAVE AS and navigated to the folder to save in...

a message appears announcing that PAINT had to shut down ... appcrash

Never had that happen before!

 



DiceDawg

Pickleball Rocks!  :bananas: 


#15 Dicedawg
  • Topic Starter

Posted 04 April 2017 - 11:05 PM

OK rebooted.

Started Google and the profile error msg showed up, jpeg attached.

(as the profile error msg may be a Google issue, and can be vanquished with Google still able to work, I'm not too worried about that... unless of course this is part of the BUG!)

 

So far no Clearscreenplayer message!

 

I suppose now we should remove the 8 ClearscreenPlayer findings in the registry?

 

 



DiceDawg

Pickleball Rocks!  :bananas: 




