FreshApp ads in browser, popups from pcfixing.info, etc

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lola6905, Aug 10, 2015.

  1. lola6905

    lola6905 Private E-2

    This person ran a bunch of your scanning tools last week, and I know you guys say "don't re-run the steps" ... should I re-run the scans in your "Read and run me first" guide before begging for help?
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    If the steps have already been done, where are all of the requested logs? :confused
     
  3. lola6905

    lola6905 Private E-2

    Good question, which is mainly why I asked. :(

    I did some digging, and here's what I found.
    RogueKiller - could not find a log (I guess she didn't save it?)
    MalwareBytes - attached
    TDSSKiller - attached
    HitmanPro - could not find a log
    MGTools (& etc.) could not find a log

    I'm guessing the instructions weren't followed to-the-letter, and/or she didn't run all of the tools, let alone in the correct order.

    UAC was turned off and all files were shown though, so I'm thinking she followed SOME of them?
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Everything that you don't have logs for will need to be re-run, in order to generate them. Thanks.
     
  5. lola6905

    lola6905 Private E-2

    Thanks, Kestrel13. I ran RogueKiller, HitmanPro and MGTools, making no changes but just running for the logs, which are attached.

    FYI I notice that HitmanPro is past its free trial, even with a reinstall (I probably used this LAST time I cleaned this laptop up for her ... *sigh* )

    Thanks in advance!
    Lois
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.



    We need to run an OTL Fix

    • Right-click OTL.exe to run it as admin. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code

    Code:
    :reg
    [-HKLM\SOFTWARE\Classes\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{D879A501-50A7-BEFC-A4C5-32DC6E0CB208}]
    [-HKLM\SOFTWARE\Wow6432Node\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}]
    [-HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}]
    [-HKU\.DEFAULT\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{7F6AFBF1-E065-4627-A2FD-810366367D01}]
    [-HKU\.DEFAULT\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}]
    [-HKU\S-1-5-18\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}]
    [-HKU\S-1-5-18\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{7F6AFBF1-E065-4627-A2FD-810366367D01}]
    [-HKU\S-1-5-18\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{7F6AFBF1-E065-4627-A2FD-810366367D01}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration{A1E28287-1A31-4B0F-8D05-AA8C465D3C5A}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001_Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001_Classes\Wow6432Node\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
    [-HKU\S-1-5-21-1374018922-2298523808-3989244937-1001_Classes\Wow6432Node\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
      
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.



    Rerun Hitman Pro and attach log. Explain how things are running.
     
  7. lola6905

    lola6905 Private E-2

    Thanks Kestrel!

    I didn't see the "image" piece you mentioned (after "run fix") but everything else went as you described. OTL and HitmanPro logs are attached.

    Behavior has been observed in Chrome browser:
    Upon browsing to a site, I can see items like "best price ninja" loading in the status bar. Pop-ins like coupon offerings arrive from FreshApp, occasionally there's a redirect on clicking a link. Pop-ups occur for instance:

    "The page at www.qa-m.com says:
    IF YOU ARE AN INTERNET USER IN NEW YORK
    READ BEFORE CONTINUING
    It appears that your computer has pop-ups ENABLED
    Call 1-855-417-2729 right now for expert help disabling
    pop-ups and scanning your system for potential threats.
    PLEASE FOLLOW THESE INSTRUCTIONS
    Step 1:
    Call 1-855-417-2729 for expert help disabling pop-ups and
    identifying potential security threats.
    OK

    (and more like that ...)

    Thanks in advance.
    Lois
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How do you feel about going into the Windows Registry and deleting the below bolded items? If you're fine about it and you do delete them, rerun Hitman again afterwards (just a scan) and attach new log.


    • HKLM\SOFTWARE\Classes\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}
    • HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}
    • HKU\S-1-5-21-1374018922-2298523808-3989244937-1001_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}

    With regards to google Chrome, I'd like you to back up your bookmarks if you need to before we completely uninstall.

    Uninstall the below using Revo Uninstaller
    • Google Chrome
    • Google Update Helper

    Reboot the machine.

    Now do this (Do NOT reinstall Google Chrome yet!)



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.



    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
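    Editor's added example (not part of the thread, and not something either poster ran): a PowerShell script that does the manual registry deletion asked for above with the checks a careful hand would add. It tests whether each key exists before touching it (one of the three turned out to be absent on this machine), exports each present key with reg.exe to a .reg file so it can be re-imported if removal breaks a COM interface something legitimate still needs, and only then removes it. The same loop works for the longer `:reg` list in the OTL fix earlier in the thread; the keys are copied from that fix and from the post above, the user SID is the one shown there, and the backup folder on the desktop is an assumed location. It must run from an elevated prompt. Note that the `HKU\S-1-5-21-...` and `HKU\S-1-5-21-..._Classes` subtrees are the affected user's own hives, which are only loaded under `HKEY_USERS` while that user is logged on.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Audit, back up and remove the registry
# keys listed in the post above. Keys that do not exist are reported and skipped.

$keys = @(
    'HKLM\SOFTWARE\Classes\Interface\{BE89FFB3-7F9C-4A16-B475-98B195A06628}',
    'HKU\S-1-5-21-1374018922-2298523808-3989244937-1001\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}',
    'HKU\S-1-5-21-1374018922-2298523808-3989244937-1001_Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}'
)

# Assumed backup location; any writable folder will do.
$backupDir = Join-Path $env:USERPROFILE 'Desktop\regbackup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# reg.exe / OTL short hive names mapped to the names the Registry provider expects.
$hiveMap = @{
    'HKLM' = 'HKEY_LOCAL_MACHINE'
    'HKU'  = 'HKEY_USERS'
    'HKCU' = 'HKEY_CURRENT_USER'
    'HKCR' = 'HKEY_CLASSES_ROOT'
}

foreach ($k in $keys) {
    # Split "HKLM\rest\of\path" into hive and path; '\\' is a regex for one backslash.
    $hive, $rest = $k -split '\\', 2
    if (-not $hiveMap.ContainsKey($hive)) {
        Write-Warning "Unknown hive '$hive' in $k; skipping"
        continue
    }
    $psPath = "Registry::$($hiveMap[$hive])\$rest"

    # The key may simply not be there (as happened with the third one in this thread);
    # for HKU\<SID> keys it is also absent whenever that user's hive is not loaded.
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Host "ABSENT   $k"
        continue
    }

    # Show what is about to go, e.g. TypeLib / ProxyStubClsid32 subkeys under an Interface key.
    Write-Host "PRESENT  $k"
    Get-ChildItem -LiteralPath $psPath -Recurse |
        ForEach-Object { Write-Host "         sub: $($_.PSChildName)" }

    # Back up with reg.exe (it understands the short hive names as given) before deleting.
    $file = Join-Path $backupDir (($k -replace '[\\{}:]', '_') + '.reg')
    reg.exe export $k $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export of $k failed; leaving it in place"
        continue
    }

    Remove-Item -LiteralPath $psPath -Recurse -Force
    Write-Host "REMOVED  $k  (backup: $file)"
}
```

    To undo a removal, double-click the matching .reg file in the backup folder (or run `reg.exe import <file>`) and the key comes back exactly as exported.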
  9. lola6905

    lola6905 Private E-2

    Wow Kestrel, you're up early - Good morning!

    I deleted the first 2 entries from the registry, but the third item was not there.
    HKU\S-1-5-21-1374018922-2298523808-3989244937-1001_Classes\Interface was empty.

    HitmanPro log attached.

    I installed and ran Revo Uninstaller. I was only able to uninstall Google Chrome, because the Updater was not listed.

    JRT downloaded and completed. Logs attached.

    MGTools logs attached.

    Chrome has not been reinstalled ... I will await your instruction. :)

    Thanks
    Lois
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Good morning to you too! I'm on UK time. :)

    Google Update Helper <<< Uninstall this as well please. Then reboot. Now reinstall Google Chrome and let me know how it behaves.
     
  11. lola6905

    lola6905 Private E-2

    Google Update Helper is not listed in Revo Uninstaller or in Add/Remove Programs.

    So I can't uninstall it unless there's something I'm missing?

    Thx,
    Lois (in NY) :)
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    It still shows as being installed in the newfiles.log

    Never mind, let's give reinstallation a whirl and let me know how things are...
     
  13. lola6905

    lola6905 Private E-2

    Well that's weird. I am unable to install Google Chrome.

    I used IE to download & install Firefox, to try from that browser too. Firefox is fine, but no-go on trying to install Google Chrome.

    The behavior? NOTHING HAPPENS. I click to download, I accept the agreement & allow Chrome to be set as the default browser, and then it redirects me to "thank you for downloading Chrome" but nothing happens. :(

    Suggestions? Is there a manual installer out there anywhere?

    Thanks
    Lois
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  15. lola6905

    lola6905 Private E-2

    Whew! That shouldn't have been so hard. :)

    I was still unable to run the offline installer but then finally got it to work after following the top answer at
    http://superuser.com/questions/8813...ailed-google-chrome-installer-failed-to-start

    So ... Chrome is installed! It SEEEEEEMS to be doing much better (although I haven't had a chance to browse a whole lot), and no popups yet.

    Awaiting your instructions. :)

    Lois
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is everything still running nicely? :)
     
  17. lola6905

    lola6905 Private E-2

    WORLDS better.

    I've had it sitting by my workstation, every now and then going to different sites ... it's behaving nicely.

    Thank you for all your help and your patience.

    Have a fantastic day

    Lois
     
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So glad to hear it. :)


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work through the below link:
     
