
Ciuvo.com subframe in Google Chrome Browser Task Manager - No Extension


10 replies to this topic

#1 craiglambie
  • Members
  • 7 posts

Posted 25 July 2018 - 04:16 AM

I have had some computer slow-down issues lately, so did some checking on lots of things including scanning using multiple virus and malware/adware scanners etc., and still found multiple subframes appearing in the Google Chrome browser Task Manager.

[Screenshot: AjdP7.jpg]

Any ideas on what this is? How to stop it?

I have checked these sites with no luck so far in finding the culprit program or extension that is causing it.
https://www.pcrisk.com/removal-guides/8200-ciuvo-ads
https://www.2-spyware.com/remove-ciuvo-ads.html
https://www.pc-risk.com/remove-ciuvo-price-comparison

I have also tried Malwarebytes, 360 Total Security, Avast and Spybot Search & Destroy. Also ran GMER and TDSSKiller as per this post on SuperUser.

My FRST file: FRST.txt (149.45KB, attached)

My Addition file: Addition.txt (116.99KB, attached)

 

Thanks so much for your help




#2 nasdaq
  • Malware Response Team
  • 39,498 posts
  • Location: Montreal, QC, Canada

Posted 25 July 2018 - 09:50 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.
Please copy the entire contents of the code box below to a new file.
 
start

CreateRestorePoint:
CloseProcesses:

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
HKU\S-1-5-21-2556824045-3075941125-933954454-1002\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
ProxyEnable: [S-1-5-21-2556824045-3075941125-933954454-1006] => Proxy is enabled.
ProxyServer: [S-1-5-21-2556824045-3075941125-933954454-1006] => http=127.0.0.1:8555;https=127.0.0.1:8555
ProxyEnable: [S-1-5-21-2556824045-3075941125-933954454-1007] => Proxy is enabled.
ProxyEnable: [S-1-5-21-2556824045-3075941125-933954454-1008] => Proxy is enabled.
ProxyServer: [S-1-5-21-2556824045-3075941125-933954454-1008] => http=127.0.0.1:8555;https=127.0.0.1:8555
HKU\S-1-5-21-2556824045-3075941125-933954454-1002\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.google.com/?bcutc=sp-006
SearchScopes: HKU\S-1-5-21-2556824045-3075941125-933954454-1002 -> URL hxxp://search.conduit.com/Results.aspx?ctid=CT3321897&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP9C2D6495-CC84-479D-955C-225DDC90BFD3&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-2556824045-3075941125-933954454-1006 -> URL hxxp://search.conduit.com/Results.aspx?ctid=CT3321897&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP9C2D6495-CC84-479D-955C-225DDC90BFD3&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-2556824045-3075941125-933954454-1007 -> URL hxxp://search.conduit.com/Results.aspx?ctid=CT3321897&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP9C2D6495-CC84-479D-955C-225DDC90BFD3&q={searchTerms}&SSPV=
SearchScopes: HKU\S-1-5-21-2556824045-3075941125-933954454-1008 -> URL hxxp://search.conduit.com/Results.aspx?ctid=CT3321897&octid=EB_ORIGINAL_CTID&SearchSource=58&CUI=&UM=4&UP=SP9C2D6495-CC84-479D-955C-225DDC90BFD3&q={searchTerms}&SSPV=
Toolbar: HKLM - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
Toolbar: HKLM-x32 - No Name - {95B7759C-8C7F-4BF1-B163-73684A933233} -  No File
CHR StartupUrls: Profile 5 -> "hxxp://www.delta-search.com/?affID=119816&tt=190313_wctrl&babsrc=HP_ss&mntrId=12D600FFB0D60FA3","hxxp://mysearch.avg.com?cid={EFE71494-6FB5-496B-9068-18A11D0F7E6E}&mid=6dca6c9cbb8247d2a1e2ddc2bb4311bc-2db31934d8379dde511ccb5a675623e049438b2a&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-27 06:36:40&v=17.3.1.91&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={EFE71494-6FB5-496B-9068-18A11D0F7E6E}&mid=6dca6c9cbb8247d2a1e2ddc2bb4311bc-... (long line)

Task: {3C2E0351-27AC-40FB-BAF2-7789F747AEC0} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {6E0CA804-2C45-4065-8B2C-A2AA4ED609BF} - \Microsoft\Windows\Setup\GWXTriggers\Telemetry-4xd -> No File <==== ATTENTION
Task: {9F5A90DE-8E82-4622-A156-A2634B44D53E} - \Microsoft\Windows\Setup\GWXTriggers\MachineUnlock-5d -> No File <==== ATTENTION
Task: {A909C1C9-2AA1-4827-8C99-F60021DF5817} - \Microsoft\Windows\Setup\GWXTriggers\OutOfSleep-5d -> No File <==== ATTENTION
Task: {D551788B-332C-4D38-80F3-9D83A34772A0} - \Microsoft\Windows\Setup\GWXTriggers\Time-5d -> No File <==== ATTENTION
Task: {E0F0DB4B-CB8D-4DB7-AD12-CCC1BB9C738B} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle-5d -> No File <==== ATTENTION
Task: {F934180A-E9FD-4000-AD39-848A4081A458} - System32\Tasks\{CF801862-3E64-4577-8078-1FFE1213DAA4} => "c:\program files (x86)\google\chrome\application\chrome.exe" hxxp://ui.skype.com/ui/0/7.25.0.106/en/go/help.faq.installer?LastError=1618
AlternateDataStreams: C:\Users\Craig\Cookies:79eGyO9BTtgbSZqgBxXv [2120]

RemoveProxy:

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

FF Extension: (Stylish - Custom themes for any website) - C:\Users\Craig\AppData\Roaming\Mozilla\Firefox\Profiles\6lgzu57s.default-1434536932056\Extensions\{46551EC9-40F0-4e47-8E18-8E5CF550CFB8}.xpi [2018-02-14]

No longer recommended.
Read about it.
https://www.bleepingcomputer.com/news/software/chrome-and-firefox-pull-stylish-add-on-after-report-it-logged-browser-history/

As suggested, install this one instead.
https://addons.mozilla.org/en-US/firefox/addon/styl-us/
<<<>>>

Please post the Fixlog.txt and let me know if the problem persists.
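The FRST lines above show the same pattern on several user SIDs: ProxyEnable set and ProxyServer pointing at 127.0.0.1:8555, i.e. the browser traffic is being routed through a program on the machine itself, which is how ad-injecting subframes end up in pages. The script below is an added example, not part of the thread and not part of FRST or RogueKiller; it enumerates every loaded user hive for a proxy aimed at the local machine and maps the listening port back to the process that owns it, so the culprit program can be identified before the fixlist removes the setting. It assumes Windows 8/10 or later and an elevated PowerShell 5.1+ prompt.

```powershell
# Added example (not from the thread, FRST or RogueKiller): audit per-user WinINet proxy
# settings for a proxy that points back at the local machine and find the owning process.
# Assumes an elevated PowerShell 5.1+ session on Windows 8/10 or later.

# Expose HKEY_USERS as a drive so every loaded user hive can be enumerated.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = foreach ($hive in Get-ChildItem -Path 'HKU:\') {
    $sid = $hive.PSChildName
    # Only real user SIDs; skip *_Classes hives and the well-known short SIDs.
    if ($sid -notmatch '^S-1-5-21-\d+-\d+-\d+-\d+$') { continue }
    $key = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if (-not (Test-Path $key)) { continue }
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -ne 1) { continue }
    [pscustomobject]@{
        SID         = $sid
        ProxyServer = $p.ProxyServer
        LocalProxy  = [bool]($p.ProxyServer -match '(127\.0\.0\.1|localhost)')
    }
}

$findings | Format-Table -AutoSize

# Pull every port out of a local-proxy value such as "http=127.0.0.1:8555;https=127.0.0.1:8555"
# and map the listening socket back to its owning process and image path.
$ports = $findings | Where-Object LocalProxy |
    ForEach-Object { [regex]::Matches($_.ProxyServer, '127\.0\.0\.1:(\d+)') } |
    ForEach-Object { [int]$_.Groups[1].Value } | Sort-Object -Unique

foreach ($port in $ports) {
    $conns = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
    if (-not $conns) {
        Write-Output "Port $port is configured as a proxy but nothing is listening on it right now."
        continue
    }
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $port
            PID     = $c.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path
        }
    }
}
```

A proxy entry with no listener usually means the injecting program has already been removed and only the registry setting is left behind, which is exactly what the RemoveProxy: directive in the fixlist cleans up.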

#3 craiglambie
  • Topic Starter
  • Members
  • 7 posts

Posted 26 July 2018 - 12:50 AM

Thanks for that, amazing stuff nasdaq - it has definitely helped somewhat.

 

Seems to still be something going on.

 

Fixlog: Fixlog.txt (11.88KB, attached)

FRST new scan: FRST.txt (149.91KB, attached)

Addition new scan: Addition.txt (126.12KB, attached)

[Screenshot: 2018-07-26_12-07-14.jpg, attached]


Edited by craiglambie, 26 July 2018 - 01:01 AM.


#4 nasdaq
  • Malware Response Team
  • 39,498 posts
  • Location: Montreal, QC, Canada

Posted 26 July 2018 - 07:51 AM

Hi,

These were not removed. Please run this fix.

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK button.

Please copy the entire contents of the code box below to a new file.


Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\S-1-5-21-2556824045-3075941125-933954454-1002 -> SuggestionsURL_JSON hxxp://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
SearchScopes: HKU\S-1-5-21-2556824045-3075941125-933954454-1006 -> SuggestionsURL_JSON hxxp://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
SearchScopes: HKU\S-1-5-21-2556824045-3075941125-933954454-1007 -> SuggestionsURL_JSON hxxp://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
SearchScopes: HKU\S-1-5-21-2556824045-3075941125-933954454-1008 -> SuggestionsURL_JSON hxxp://suggest.search.conduit.com/CSuggestJson.ashx?prefix={searchTerms}
CHR StartupUrls: Profile 5 -> "hxxp://www.delta-search.com/?affID=119816&tt=190313_wctrl&babsrc=HP_ss&mntrId=12D600FFB0D60FA3","hxxp://mysearch.avg.com?cid={EFE71494-6FB5-496B-9068-18A11D0F7E6E}&mid=6dca6c9cbb8247d2a1e2ddc2bb4311bc-2db31934d8379dde511ccb5a675623e049438b2a&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2014-01-27 06:36:40&v=17.3.1.91&pid=safeguard&sg=&sap=hp","hxxp://mysearch.avg.com?cid={EFE71494-6FB5-496B-9068-18A11D0F7E6E}&mid=6dca6c9cbb8247d2a1e2ddc2bb4311bc-... (long line)

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

--RogueKiller--
  • Download RogueKiller & SAVE it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator".
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======


Please post the logs and let me know what problem persists with this computer.
===

#5 nasdaq
  • Malware Response Team
  • 39,498 posts
  • Location: Montreal, QC, Canada

Posted 01 August 2018 - 07:26 AM

Are you still with me?

#6 craiglambie
  • Topic Starter
  • Members
  • 7 posts

Posted 01 August 2018 - 08:30 PM

Sorry for the delay Nasdaq, and thanks so much for following up - I was putting up with the frustration of slow operation, but took the time to do this after your nudge, so thanks so much!! :)
 

Here is the Fixlog from FRST: Fixlog.txt (3.19KB, attached)

and here is the report from RogueKiller - no red ones appeared: ReportRogue.txt (25.87KB, attached)

Here is the Chrome Task Manager after RogueKiller and reset: [Screenshot: afterRogueKiller.jpg, attached]. I can see doubleclick.net as a subframe still? Should I remove all the stuff on the RogueKiller report?

 



#7 nasdaq
  • Malware Response Team
  • 39,498 posts
  • Location: Montreal, QC, Canada

Posted 02 August 2018 - 07:35 AM

Hi,

I would like to see the report before suggesting removal.

Please post it.

#8 craiglambie
  • Topic Starter
  • Members
  • 7 posts

Posted 03 August 2018 - 05:44 AM

Is this what you need, or something else?

ReportRogue.txt (attached)



#9 nasdaq
  • Malware Response Team
  • 39,498 posts
  • Location: Montreal, QC, Canada

Posted 03 August 2018 - 07:52 AM

Hi,

You can remove these entries with the RogueKiller.

[PUP.Gen1] (X64) HKEY_USERS\S-1-5-21-2556824045-3075941125-933954454-1002\Software\ProductSetup -> Found
[PUP.Gen1] (X86) HKEY_USERS\S-1-5-21-2556824045-3075941125-933954454-1002\Software\ProductSetup -> Found

Restart the computer, then you are done.

==

"I can see doubleclick.net as a subframe still"

Your Chrome Profile may have been compromised.

For your peace of mind, execute this.

:step1: Remove Chrome from your Computer and reinstall a fresh copy later.

:step2: Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

How To: http://ccm.net/faq/31791-how-to-backup-your-google-chrome-bookmarks

:step3: If you sync your account, you must remove it before you save your bookmarks etc.
Delete your Google Chrome browser sync data if you sync with other devices. <- Important ...
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

:step4: Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

:step5: Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

:step6: Re-install Chrome and the Bookmarks.
====

Keep me posted.

#10 craiglambie
  • Topic Starter
  • Members
  • 7 posts

Posted 07 August 2018 - 02:32 AM

Nasdaq - Thanks so much!! I think it is sorted now!! Finally :)

 

I have fully reinstalled Chrome as suggested and all the scanning.

My computer appears to be running slightly more smoothly now. It probably needs a full reinstall of Windows, but Win 10 is pretty good at not needing that. I think I can wait until I have the cash set aside for a bigger SSD and can dual boot with Ubuntu - my ultimate goal :)

 

Thanks again.



#11 nasdaq
  • Malware Response Team
  • 39,498 posts
  • Location: Montreal, QC, Canada

Posted 07 August 2018 - 05:58 AM

Glad we could help.
