
Possible Malware/Adware infection-Help Please


5 replies to this topic

#1 diamag

  • Members
  • 3 posts

Posted 11 April 2017 - 08:50 PM

I'm running Windows 10 Home.

I was redirected to a malicious website when I typed "shareownerservices dot com" into Firefox. It opened up a popup and had an automated message playing saying that I should not do any shopping from my computer until I called the number to get the adware/malware removed. I copied these links from my browser history. I was able to close the tab. Shortly after I was able to visit malwarebytes.com and install. I have run both Malwarebytes full scans including rootkits and Norton scans and neither is turning up anything. My browsers began acting up and were unable to load a webpage. I was able to reboot in safe mode with networking and reinstall Chrome and it seems to be working without issue so far. I have yet to reinstall Firefox. I was able to bypass Norton and install FRST. I have also installed AdwCleaner, which is detecting a few threats. However I am not able to determine whether these are actual threats or just system processes. I have not seen any other pop ups appear.

Help is greatly appreciated. I just want to make sure my computer is safe to use again.

Thank you.




#2 buddy215

  • Moderator
  • 13,134 posts
  • Gender:Male
  • Location:West Tennessee

Posted 12 April 2017 - 07:10 AM

Welcome to BC....

Use the programs below to clean, remove adware and remove malware. Use the instructions to post what AdwCleaner found. The popup may have been delivered by a legit ad server or it may have been delivered by a hacked website or malicious website. Do you have an ad blocker installed in your browsers?

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google. After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.

CCleaner - PC Optimization and Cleaning - Free Download

Download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan button.
  • When the scan has finished click on Clean button.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Please download Security Check by glax24 and save the file to the Desktop.

  • Run the tool by accepting all the Security prompts.
  • When complete the tool will produce a log file C:\SecurityCheck\SecurityCheck.txt and also copy the contents to the Clipboard.
  • Simply paste the log to your reply.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#3 diamag

  • Topic Starter
  • Members
  • 3 posts

Posted 12 April 2017 - 07:38 PM

Here are the logs from the programs you instructed me to run. I am including the log from the initial AdwCleaner scan that I ran yesterday as well as the most recent one.

Thanks,

# AdwCleaner v6.045 - Logfile created 11/04/2017 at 20:54:12
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-11.1 [Local]
# Operating System : Windows 10 Home  (X64)
# Username : Marshall - HEISENBERG
# Running from : C:\Users\Marshall\Desktop\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
[-] Folder deleted: C:\Users\Marshall\AppData\Local\YSearchUtil
[-] Folder deleted: C:\Program Files (x86)\Yahoo!\yset
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! SearchSet
[-] Key deleted: HKU\S-1-5-21-3374429076-3286234791-3275610506-1002\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[#] Key deleted on reboot: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
 
 
***** [ Web browsers ] *****
 
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1368 Bytes] - [11/04/2017 20:54:12]
C:\AdwCleaner\AdwCleaner[S0].txt - [1648 Bytes] - [11/04/2017 20:08:30]
C:\AdwCleaner\AdwCleaner[S1].txt - [1720 Bytes] - [11/04/2017 20:16:19]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [1587 Bytes] ##########
 
# AdwCleaner v6.045 - Logfile created 12/04/2017 at 19:14:26
# Updated on 28/03/2017 by Malwarebytes
# Database : 2017-04-12.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Marshall - HEISENBERG
# Running from : C:\Users\Marshall\Desktop\AdwCleaner.exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
 
 
***** [ Web browsers ] *****
 
[-] [C:\Users\Marshall\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Marshall\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] [Search Provider] Deleted: ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C0].txt - [1670 Bytes] - [11/04/2017 20:54:12]
C:\AdwCleaner\AdwCleaner[C2].txt - [1059 Bytes] - [12/04/2017 19:14:26]
C:\AdwCleaner\AdwCleaner[S0].txt - [1648 Bytes] - [11/04/2017 20:08:30]
C:\AdwCleaner\AdwCleaner[S1].txt - [1720 Bytes] - [11/04/2017 20:16:19]
C:\AdwCleaner\AdwCleaner[S2].txt - [1529 Bytes] - [12/04/2017 19:13:32]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C2].txt - [1351 Bytes] ##########
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 10 Home x64 
Ran by Marshall (Administrator) on Wed 04/12/2017 at 19:31:21.02
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 2 
 
Successfully deleted: C:\WINDOWS\SysWOW64\REN2BAD.tmp (File) 
Successfully deleted: C:\WINDOWS\SysWOW64\REN811D.tmp (File) 
 
 
 
Registry: 1 
 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Wed 04/12/2017 at 19:32:29.19
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 

SecurityCheck by glax24 & Severnyj v.1.4.0.47 [25.03.17]
WebSite: www.safezone.cc
DateLog: 12.04.2017 19:32:51
Path starting: C:\Users\Marshall\AppData\Local\Temp\SecurityCheck\SecurityCheck.exe
Log directory: C:\SecurityCheck\
IsAdmin: True
User: Marshall
VersionXML: 4.08is-11.04.2017
___________________________________________________________________________
 
Windows 10(6.3.14393) (x64) Core Lang: English(0409)
Installation date OS: 15.10.2016 12:36:06
LicenseStatus: Office 15, OfficeProPlusR_Retail edition The machine is permanently activated.
LicenseStatus: Windows®, Core edition The machine is permanently activated.
Boot Mode: Normal
Default Browser: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
SystemDrive: C: FS: [NTFS] Capacity: [95 Gb] Used: [78.7 Gb] Free: [16.3 Gb]
------------------------------- [ Windows ] -------------------------------
Internet Explorer 11.1066.14393.0 [+]
User Account Control enabled
Automatically download and schedule installation
Windows Update (wuauserv) - The service is running
Security Center (wscsvc) - The service is running
Remote Registry (RemoteRegistry) - The service has stopped
SSDP Discovery (SSDPSRV) - The service is running
Remote Desktop Services (TermService) - The service has stopped
Windows Remote Management (WS-Management) (WinRM) - The service has stopped
System Restore Disable
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled)
Norton Security (disabled)
Malwarebytes (disabled and up to date)
---------------------------- [ Firewall_WMI ] -----------------------------
Norton Security
--------------------------- [ AntiSpyware_WMI ] ---------------------------
Malwarebytes (disabled and up to date)
Windows Defender (disabled)
Norton Security (disabled)
---------------------- [ AntiVirusFirewallInstall ] -----------------------
GlassWire 1.2 (remove only) v.1.2.100
Norton Security v.22.9.1.12
-------------------------- [ SecurityUtilities ] --------------------------
Malwarebytes version 3.0.6.1469 v.3.0.6.1469
--------------------------- [ OtherUtilities ] ----------------------------
Microsoft Silverlight v.5.1.50906.0
VLC media player v.2.2.1 Warning! Download Update
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 101 v.8.0.1010.13 Warning! Download Update
Uninstall old version and install new one (jre-8u121-windows-i586.exe).
--------------------------- [ AppleProduction ] ---------------------------
Bonjour v.3.1.0.1
iTunes v.12.5.1.21 Warning! Download Update
^Please use Apple Software Update tool.^
QuickTime 7 v.7.79.80.95 Warning! This software is no longer supported. Please uninstall it and use another software.
Bonjour Service (Bonjour Service) - The service is running
--------------------------- [ AdobeProduction ] ---------------------------
Adobe Flash Player 24 NPAPI v.24.0.0.194 Warning! Download Update
Adobe Acrobat Reader DC v.17.009.20044 [+]
------------------------------- [ Browser ] -------------------------------
Google Chrome v.57.0.2987.133
Mozilla Firefox 52.0.2 (x86 en-US) v.52.0.2
------------------ [ AntivirusFirewallProcessServices ] -------------------
C:\Program Files (x86)\GlassWire\GWIdlMon.exe v.1.2.100.0
GlassWire Control Service (GlassWire) - The service is running
C:\Program Files (x86)\GlassWire\GWCtlSrv.exe v.1.2.100.0
C:\Program Files\Malwarebytes\Anti-Malware\mbam.exe v.3.0.0.912
C:\Program Files\Malwarebytes\Anti-Malware\mbamtray.exe v.3.0.0.912
Malwarebytes Service (MBAMService) - The service is running
C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe v.3.1.0.415
C:\Program Files (x86)\Norton Security with Backup\Engine\22.9.1.12\nsbu.exe v.14.1.0.65
Windows Defender Service (WinDefend) - The service has stopped
Windows Defender Network Inspection Service (WdNisSvc) - The service has stopped
---------------------------- [ UnwantedApps ] -----------------------------
Unity Web Player v.5.0.1f1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
Pando Media Booster v.2.6.0.7 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. Possible you became a victim of fraud or social engineering.
----------------------------- [ End of Log ] ------------------------------
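As an added example (not from this thread and not part of the SecurityCheck tool itself), a small Python parser that reads the bracketed sections of a SecurityCheck log like the one above and pulls out what the moderator acts on: antivirus products reported as disabled, entries flagged "Warning! Download Update", and everything listed under UnwantedApps. The sample log text inside the block is constructed from the format of the posted log; the section names are the ones the log uses.

```python
"""Triage helper for SecurityCheck logs (added example, not the tool's own code)."""
import re

# Constructed sample, abbreviated from the SecurityCheck log format posted above.
SECURITYCHECK_SAMPLE = """\
---------------------------- [ Antivirus_WMI ] ----------------------------
Windows Defender (disabled)
Norton Security (disabled)
Malwarebytes (disabled and up to date)
--------------------------- [ OtherUtilities ] ----------------------------
VLC media player v.2.2.1 Warning! Download Update
-------------------------------- [ Java ] ---------------------------------
Java 8 Update 101 v.8.0.1010.13 Warning! Download Update
---------------------------- [ UnwantedApps ] -----------------------------
Unity Web Player v.5.0.1f1 Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended.
----------------------------- [ End of Log ] ------------------------------
"""

# Section headers look like "---- [ Name ] ----"; capture the name between the brackets.
SECTION_RE = re.compile(r"^-+ \[ (?P<name>[^\]]+) \] -+$")


def parse_securitycheck(text):
    """Return {section_name: [non-empty lines]} in the order sections appear."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip()
            sections.setdefault(current, [])
        elif current and line:
            sections[current].append(line)
    return sections


def triage(text):
    """Summarise the three things the thread acted on: disabled AV, outdated software, PUPs."""
    s = parse_securitycheck(text)
    # "Product (disabled...)" -> product name; the parenthesised status is the tool's wording.
    disabled_av = [l.split(" (")[0] for l in s.get("Antivirus_WMI", []) if "(disabled" in l]
    # Any section may carry "Warning! Download Update"; strip the " v.<version>" suffix.
    outdated = [l.split(" v.")[0] for sec in s for l in s[sec] if "Warning! Download Update" in l]
    # Everything under UnwantedApps is flagged for removal regardless of the warning text.
    unwanted = [l.split(" v.")[0] for l in s.get("UnwantedApps", [])]
    return {"disabled_av": disabled_av, "outdated": outdated, "unwanted": unwanted}


if __name__ == "__main__":
    for key, items in triage(SECURITYCHECK_SAMPLE).items():
        print(f"{key}: {items}")
```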
 


#4 buddy215

  • Moderator
  • 13,134 posts
  • Gender:Male
  • Location:West Tennessee

Posted 13 April 2017 - 05:59 AM

Uninstall these programs: (Suggest you use Download Revo Uninstaller Freeware to uninstall the programs below)

Java 8 Update 101 v.8.0.1010.13 (Most users don't need or use Java)
QuickTime 7 v.7.79.80.95
Unity Web Player v.5.0.1f1
Pando Media Booster v.2.6.0.7

Update Adobe Flash.

Be sure to activate/enable either Norton or Windows Defender.

If you don't have an ad blocker installed I recommend Adblock Plus. After installing, click on the ABP icon and choose Filter Preferences. UNcheck the box next to Allow some non-intrusive advertisements.

Adblock Plus - Chrome Web Store   Adblock Plus :: Add-ons for Firefox   Adblock Plus for IE   Adblock Plus for Edge browser

You can block the ad and tracking cookies from installing. Once you have blocked their install...run CCleaner to remove the existing ones.

How to disable third-party cookies in all major web browsers



#5 diamag

  • Topic Starter
  • Members
  • 3 posts

Posted 13 April 2017 - 06:41 PM

Done. Malwarebytes and Norton are enabled and Adblockers are running. Thanks for your help Buddy215.



#6 buddy215

  • Moderator
  • 13,134 posts
  • Gender:Male
  • Location:West Tennessee

Posted 13 April 2017 - 07:01 PM

You're welcome....happy surfin'...

