SafeSear.ch Redux

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by zamorazeke, Jan 11, 2015.

  1. zamorazeke

    zamorazeke Corporal

    Hi,

    Thought everything related to Safesear.ch browser hijacker was removed almost three weeks back. However it seems that it still has a grip as the default search in Google Chrome browser.

    Cannot choose any other search (Google or Bing) agent as default search in Chrome.

    Attaching the (6) requisite logs to give information needed for help in rooting this thing out.

    Needless to say, I will be grateful for help in tracking this down and killing it.

    Thanks in advance to you, MajorGeeks. :)

    zamorazeke
     

    Attached Files:

  2. zamorazeke

    zamorazeke Corporal

    Here's the TDSS Killer log
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there. Do you also have the log from Malware Bytes please?
     
  4. zamorazeke

    zamorazeke Corporal

    Hi,

    Sorry, I uploaded the MBR instead of my malwarebyteslog.txt ... am attaching in this response.

    Thanks
     

    Attached Files:

  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  6. zamorazeke

    zamorazeke Corporal

    Hi Kestrel13!,

    I got your response this morning, and I reset settings in Chrome, closed it, then restarted, and the default search agent is still SafeSear.ch.... :(

    And there's no way I can change it. It's even in BOLD...so arrogant. :p

    Attached is screenshot of the results. Thanks for the support.

    zamorazeke
     

    Attached Files:

  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You're welcome.

    SystemLook

    Please download SystemLook from one of the links below appropriate for your operating system and save it to your Desktop.
    Download 32 Bit
    Download 64 Bit

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :regfind
      safesear.ch
      SafeSearch
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  8. zamorazeke

    zamorazeke Corporal

    Thank you Kestrel 13!,

    Looks like there's still something there...attached log. :)
     

    Attached Files:

  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes, we're just using this tool to find exactly what is left.

    Run the same script please but under regfind:

    This time put the word Redux
     
  10. zamorazeke

    zamorazeke Corporal

    Hi again,

    Attached the log.

    Everything it refers to, I think, is a folder on my desktop that I named "SafeSear.ch Redux"...lol...the "Redux" was my way of differentiating it from the earlier help you had given me in December. :-D

    Thanks, Kestrel13!
     

    Attached Files:

  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Please download AdwCleaner by Xplode and save to your Desktop.

    • Double click on AdwCleaner.exe to run the tool.
    • Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


    Now please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button.
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
  12. zamorazeke

    zamorazeke Corporal

    Thanks for hanging in... OTL seems to have saved 2 logs (?): OTL.txt and Extras.txt

    Here are the latest logs, Kestrel13!.

    I really appreciate your direction(s).

    zamorazeke
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re-run AdwCleaner. On the Browsers tab or under the Browsers heading, you need to have it remove these:


    • For Google Chrome -
    • [C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.safesear.ch/web/?type=ss-ch-ds-ix&q={searchTerms}
    • [C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN33841904436349287&ctid=CT3309350&UM=2
    • [C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.conduit.com/Results.aspx?q={searchTerms}&SearchSource=49&CUI=UN33841904436349287&ctid=CT3309350&UM=2
    • [C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

    Reboot > has the problem gone away?
     
  14. zamorazeke

    zamorazeke Corporal

    AdwCleaner was run and log is attached. No satisfaction.

    Also am adding a screenshot of the search settings in Chrome that says the safesear.ch is default because of administrator choice.

    Another attached screenshot of the search settings might indicate from the paper icons with a folded corner to the left of each search agent heading that Safesear.ch has messed with all the other search agents in the list?

    This is turning into a more extensive task than I had ever anticipated... :confused

    Appreciate your continued help, Kestrel13! :wave
     

    Attached Files:

  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Uninstall Google Chrome with Revo Uninstaller.

    Now reinstall and let me know if the problem has gone away.
     
  16. zamorazeke

    zamorazeke Corporal

    I apologize for not getting back sooner.

    I uninstalled Chrome with RevoUninstaller, then reinstalled. Did each operation twice in succession to make sure, and checked to see if Safesear.ch was there after each re-install.

    Safesear.ch is still the only search agent available in Chrome. STILL THERE!!! lol :confused

    None of the other search choices (Google, Bing, Yahoo) is available (they are faded out).

    Frustration would be setting in if I didn't make a conscious effort to choose otherwise...sorry :(

    Seems like it really has buried itself somewhere that the tools aren't finding it (?)

    Someone in a Google discussion board relating to Safesear.ch said (s)he had found something in the registry pertaining to the "This setting is enforced by your administrator" message (I attached an image of it in an earlier post). This person said it had to do with a registry (Google) item that prevents individuals from selecting other than administrator-prescribed search options in Chrome, and that when it was changed/deleted(?) the other search options suddenly became available. My impression is that the registry setting didn't even reference Safesear.ch (not saying, just asking/grasping). :)

    I really want to thank you again for your continued guidance, Kestrel13!

    zamorazeke
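Chrome shows "This setting is enforced by your administrator" and greys out the other engines when a DefaultSearchProvider policy is present in the registry. The following PowerShell check is an added example, not code from the thread or from MajorGeeks; it lists those policy values from both hives so the forced provider and the key that carries it can be seen (key paths and value names are Chrome's documented policy names; it assumes a standalone machine where no such policy should exist).

```powershell
# Added example: enumerate Chrome registry policies that force a default search provider.
# Run from an elevated PowerShell prompt so the HKLM key is readable.

# Mandatory-policy key paths Chrome reads on Windows (HKLM wins over HKCU).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

# Value names that make up the DefaultSearchProvider policy group.
$searchPolicyNames = @(
    'DefaultSearchProviderEnabled',
    'DefaultSearchProviderName',
    'DefaultSearchProviderKeyword',
    'DefaultSearchProviderSearchURL',
    'DefaultSearchProviderSuggestURL'
)

function Get-ChromeSearchPolicy {
    # Emits one object per policy value found; no output means no forced provider.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        foreach ($name in $searchPolicyNames) {
            $value = $item.$name
            if ($null -ne $value) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
            }
        }
    }
}

$found = @(Get-ChromeSearchPolicy)
if ($found.Count -eq 0) {
    'No DefaultSearchProvider policy is set in HKLM or HKCU.'
} else {
    'Chrome default search provider is being forced by policy:'
    $found | Format-Table -AutoSize
    # Compare the SearchURL host with what your organisation actually deploys. On a home
    # machine with no domain policy, any value here was written by software on the box;
    # once confirmed it can be cleared with Remove-ItemProperty on that key and value.
}
```

chrome://policy in the browser shows the same values, which is a quick cross-check that the registry read matched what Chrome applied.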
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  18. zamorazeke

    zamorazeke Corporal

    Hi,

    Thanks for the help this morning.

    Logs are attached. :wave
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)


    Has the problem gone away?
     

    Attached Files:

  20. zamorazeke

    zamorazeke Corporal

    Hi,

    2 Questions:

    1. Does the flash drive have to be clean except for the FRST64.exe and the fixlog.txt?

    2. Is this
    "Now re-enter System Recovery Options."
    something I do in FRST64.exe after starting FRST64.exe? (That is to say, where do I re-enter 'System Recovery Options'?)

    Sorry I'm a little dense... and thanks for understanding.
     
  21. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    My apologies, I didn't provide enough instruction.

    To enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
  22. zamorazeke

    zamorazeke Corporal

    Hi Kestrel13!

    I got all the way to the part where I am supposed to enter "frst.exe" (no quotes), and a message came back in the next line (this is in the command window).

    The title of the Command Prompt window is: Administrator:X:\windows\system 32\cmd.exe

    The first line in the black field within the window is: microsoft windows [version6.1.7601]

    The second (command?) line is: X:windows\system32>__

    When I type in "e:\frst.exe" (without the quotes, to activate FRST.exe on the e thumb drive), and hit the return key, the following response printed right below that line:

    "The subsystem needed to support the image type is not present." (without quotes).

    Sorry I'm not able to interpret this message on my own, Kestrel13!, and I am hoping it is a simple solution.

    Thanks for bearing with me in this matter. I'm feeling pretty inadequate just now. lol :confused

    zamorazeke
     
  23. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is it only Google Chrome where you are having issues?

    Forget that now, let's try for a more thorough uninstall of Google Chrome.

    All of these components need to be uninstalled: (Using Revo Uninstaller!!)

    • Google Chrome
    • Google Earth
    • Google Update Helper

    Now do this (DO NOT reinstall Google Chrome yet)

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  24. zamorazeke

    zamorazeke Corporal

    Hi,

    I uninstalled both Chrome and Google Earth, but I didn't see Google Update Helper anywhere in the program list of RevoUninstaller.

    So I have attached the MGlogs.zip file(s). The first time I ran the actual MG program tool; the second I found the log tool in a file folder not on the C drive; then I remembered that I was supposed to run it as administrator, so I ran the third time as administrator. Sorry. Hope I haven't ruined everything.
     

    Attached Files:

  25. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Delete these:

    • C:\ProgramData\Microsoft\Windows\Start Menu\Google Chrome.lnk
    • C:\Program Files (x86)\Google

    Reboot the machine ... now re-install Google Chrome and let me know how it behaves.
     
  26. zamorazeke

    zamorazeke Corporal

    Hi,

    Deleted the files referred to in your post, rebooted the computer, downloaded Chrome from the Google Chrome install page. Then I ran the file, Chromesetup.exe.

    When I started and signed in for the first time, a message appeared indicating the 'home' search sign, and it said:

    You can use Safesearch from here (meaning click on the picture of the little house...home)

    I went to Chrome settings>search and found none of the other search agents (Google, Bing) can be chosen, Safesear.ch is in bold, all the others are faded out. :cry

    Thanks for your continued efforts, Kestrel13!
     
  27. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I just read that it's an affiliate of the yahoo search engine...

    • Start Google Chrome, click on the options icon (located in the very top right side of the browser), then click on Settings. You will get a configuration page.
    • On the configuration page find an option named “Open a specific page or set of pages” and click on Set pages next to it.
    • Another window will come up. Here you will see the list of URLs under “Set pages”. Delete all of them and then enter only the one which you want to use as your home page.
    • On the same configuration page click on the Manage search engines button. Delete all the search engines from there, and keep only www.google.com as your default search engine.
    • Also click on options (located in the very top right side of the browser), then click on Tools, then click on Extensions.

    • You will get a configuration page which lists all the installed extensions. Remove the Safesear.ch extension and also remove all unknown/unwanted extensions from there. To remove them, click on the remove (recycle bin) icon.

    Any luck??
     
  28. zamorazeke

    zamorazeke Corporal

    Hi Kestrel 13!

    I did all you said to do in the last post. I deleted all the home pages in the home page settings and put back only one.

    Then I tried to delete/change search settings, as I have tried to do many times.

    The problem is that nothing has changed since the re-install of Chrome where the settings options for search providers is concerned. Safesear.ch has grayed out (now prevents deleting/changing) any search providers other than Safesear.ch from being active. Also the little sign on the right end of the Safesear.ch address bar in the search settings still gives the message I took a picture of and attached in an earlier post...something along the order of You cannot change by choice of Administrator. So it's still the same as always.

    Also, there isn't any safesear.ch or safesearch extension in the list of extensions when I go there.

    I am at a loss as to what I can do without further direction.

    Thank you for continuing to respond. :)
     
  29. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Chaslang, what do you think? Is it correct that these are an affiliate of yahoo search engine? :confused
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't agree.

    It's junkware that needs to be PROPERLY removed. You cannot keep reinstalling from the same Google Chrome installers that may have included the junk. And you cannot reinstall without first removing all the files, folders, and registry keys related to Google.

    And in addition related to this thread, what the heck is the below!!!!!

    C:\Users\Dan\Documents\Computers\Browser Hijackers\Safesear.ch Browser Hijacker\MGtools\MGtools\GetLogs.bat

    Delete the below folder and do not allow users to do things like this:
    C:\Users\Dan\Documents\Computers\Browser Hijackers

    Our instructions for where to download tools to and where to run them from, MUST be followed properly to avoid having unexpected/undesirable results!!!
     
  31. zamorazeke

    zamorazeke Corporal

    Hi,

    I believe I've deleted any folder referring to safesear.ch. The first had some of the programs we downloaded the first time...but I downloaded new copies this time; I did not use the originals this second time.

    Incidentally, I believe I went through the preliminary procedures before initiating a new thread...ie. Safesear.ch Redux.

    Sorry if I've been doing something wrong; I will be sure to ask about everything from here on out.

    Thank you :wave
     
  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I'm still confused. I tried my best to remove this junk and I had the user completely uninstall G.Chrome. Is this user's install file for Chrome dodgy then? :confused

    Where do you go Zamorazeke when you download Google Chrome? :confused
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I will make a proposed fix which will begin by uninstalling protection software to make sure it is not getting in the way. Do not reinstall any protection until requested.

    Uninstall the below programs. If you do not find them or they will not uninstall, just keep going. Three of the below items are related to IObit and we want to get rid of all of IObit for now.
    Avast Internet Security
    Driver Booster 2
    IObit Uninstaller
    Surfing Protection

    Also uninstall any software that you have installed from Google including Chrome and also do not reinstall until requested. Use Internet Explorer for now.

    Also if you have problems with Firefox showing SafeSear.ch then uninstall Firefox too but tell me whether you have uninstalled Firefox or not.

    Run Malwarebytes and empty your Quarantine folder. You have a lot of stuff saved there that you don't need to keep.

    Now right click on OTL.exe and select Run as Administrator
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    SRV - [2014/12/12 18:33:34 | 002,633,024 | ---- | M] (IObit) [Auto | Stopped] -- C:\Program Files (x86)\IObit\LiveUpdate\LiveUpdate.exe -- (LiveUpdateSvc)
    SRV - [2014/10/21 17:13:42 | 000,107,912 | ---- | M] (Google Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe -- (gupdatem)
    SRV - [2014/10/21 17:13:42 | 000,107,912 | ---- | M] (Google Inc.) [Auto | Stopped] -- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe -- (gupdate)
    DRV:64bit: - [2014/11/22 10:44:07 | 001,050,432 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswsnx.sys -- (aswSnx)
    DRV:64bit: - [2014/11/21 14:55:00 | 000,436,624 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\Windows\SysNative\drivers\aswsp.sys -- (aswSP)
    DRV:64bit: - [2014/11/21 14:55:00 | 000,267,632 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\SysNative\drivers\aswVmm.sys -- (aswVmm)
    DRV:64bit: - [2014/11/21 14:55:00 | 000,116,728 | ---- | M] (AVAST Software) [Kernel | Auto | Stopped] -- C:\Windows\SysNative\drivers\aswstm.sys -- (aswStm)
    DRV:64bit: - [2014/11/21 14:55:00 | 000,083,280 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\aswmonflt.sys -- (aswMonFlt)
    DRV:64bit: - [2014/11/21 14:55:00 | 000,065,776 | ---- | M] () [Kernel | Boot | Running] -- C:\windows\SysNative\drivers\aswRvrt.sys -- (aswRvrt)
    DRV:64bit: - [2014/11/21 14:55:00 | 000,029,208 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\SysNative\drivers\aswHwid.sys -- (aswHwid)
    DRV:64bit: - [2014/11/21 14:54:59 | 000,093,568 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswRdr2.sys -- (aswRdr)
    DRV:64bit: - [2014/11/21 14:54:53 | 000,028,184 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\aswKbd.sys -- (aswKbd)
    DRV:64bit: - [2014/11/21 14:54:50 | 000,449,936 | ---- | M] (AVAST Software) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\aswNdisFlt.sys -- (aswNdisFlt)
    FF - prefs.js..extensions.enabledAddons: iobitascsurfingprotection%40iobit.com:2.0
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2014/11/21 14:55:01 | 000,000,000 | ---D | M]
    [2014/12/28 14:07:47 | 000,000,000 | ---D | M] (Advanced SystemCare Surfing Protection) -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions\iobitascsurfingprotection@iobit.com
    [2014/06/25 13:29:54 | 000,005,830 | ---- | M] () -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\searchplugins\bing-avast.xml
    [2014/11/21 14:55:01 | 000,000,000 | ---D | M] ("Avast Online Security") -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    CHR - default_search_provider:  (Enabled)
    CHR - default_search_provider: search_url = 
    CHR - default_search_provider: suggest_url = 
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\PepperFlash\pepflashplayer.dll
    CHR - plugin: Native Client (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files (x86)\Google\Chrome\Application\39.0.2171.95\pdf.dll
    CHR - plugin: Advanced SystemCare 6 (Enabled) = C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nfengeggddojhakldhlpjdlddgkkjkddabcabcabcabcabcabcabcabcabcabcabcabc\1.0.0_0\Plugin/ASCPlugin_Protect.dll
    CHR - plugin: CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0 (Enabled) = C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\Application\plugins\NPcol400.dll
    CHR - plugin: Coupons Inc., Coupon Printer Manager  (Enabled) = C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Chrome\Application\plugins\npMozCouponPrinter.dll
    CHR - plugin: Catalina Savings Printer (Enabled) = C:\DOCUME~1\Dan\APPLIC~1\CATALI~2\NPBCSK~1.DLL
    CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Dan\Local Settings\Application Data\Google\Update\1.3.21.145\npGoogleUpdate3.dll
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbmegnmpleoagolcnjnejdacakedpcgd\2.0.0_0\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn\0.1.1.5023_1\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cklcfohlddckjakiohbpjbcfhbfboopl\1.0.6.2_0\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\fkepacicchenbjecpbpbclokcabebhah\1.4.14_1\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghnomdcacenbmilgjigehppbamfndblo\2.4.2_1\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki\10.0.2502.149_0\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd\3.1.77_0\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\laankejkbhbdhmipfmgcngdelahlfoji\1.5.7_1\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\neebplgakaahbhdphmkckjjcegoiijjo\1.55_1\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.6.1_1\
    CHR - Extension: No name found = C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnlccmojcmeohlpggmfnbbiapkmbliob\7.9.9.2_1\
    O2:64bit: - BHO: (ExplorerWnd Helper) - {10921475-03CE-4E04-90CE-E2E7EF20C814} - C:\Program Files (x86)\IObit\IObit Uninstaller\UninstallExplorer64.dll (IObit)
    O2:64bit: - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
    O2 - BHO: (avast! Online Security) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O2 - BHO: (Advanced SystemCare Surfing Protection) - {BA0C978D-D909-49B6-AFE2-8BDE245DC7E6} - C:\Program Files (x86)\IObit\Surfing Protection\BrowerProtect\ASCPlugin_Protection.dll (IObit)
    O4 - HKLM..\Run: [AvastUI.exe] C:\Program Files\AVAST Software\Avast\AvastUI.exe (AVAST Software)
    O4 - HKLM..\RunOnce: [20150107] C:\Program Files\AVAST Software\Avast\setup\emupdate\a936a8c5-f009-4989-90c3-ef56dca93100.exe (AVAST Software)
    [2015/01/11 11:56:05 | 000,000,000 | ---D | C] -- C:\Users\Dan\Desktop\Safesear.ch redux 1-11-15
    [2014/12/28 13:05:47 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\IObit
     
    :Services
    0009211402342323mcinstcleanup
    AdvancedSystemCareService7
    ASCAntivirusSrv
     
    :Files
    C:\Program Files (x86)\Google
    C:\Users\Dan\AppData\Local\Google\Chrome
    C:\Documents and Settings\Dan\Local Settings\Application Data\Google
    C:\Program Files\AVAST Software
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AVAST Software
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IObit Uninstaller
    C:\Program Files (x86)\IObit
    C:\ProgramData\IObit
    C:\Users\Dan\AppData\IObit
    C:\Program Files (x86)\Common Files\IObit
    C:\windows\avastSS.scr
    C:\windows\SysNative\drivers\aswHwid.sys
    C:\windows\SysNative\drivers\aswKbd.sys
    C:\windows\SysNative\drivers\aswmonflt.sys
    C:\windows\SysNative\drivers\aswNdisFlt.sys
    C:\windows\SysNative\drivers\aswRdr2.sys
    C:\windows\SysNative\drivers\aswRvrt.sys
    C:\windows\SysNative\drivers\aswsnx.sys
    C:\windows\SysNative\drivers\aswsp.sys
    C:\windows\SysNative\drivers\aswstm.sys
    C:\windows\SysNative\drivers\aswVmm.sys
    C:\Users\Dan\Documents\Computers\Browser Hijackers\Safesear.ch Browser Hijacker\MGtools
    C:\Users\Dan\Documents\Computers\Browse Hijackers
    C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-220523388-299502267-725345543-1004Core1cef03c3d3c8fea.job
    C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-220523388-299502267-725345543-1004UA.job
    C:\windows\system32\tasks\ASC7U_SkipUac_Dan
    C:\windows\system32\tasks\ASC7_PerformanceMonitor
    C:\windows\system32\tasks\ASC7_SkipUac_Dan
    C:\windows\system32\tasks\avast! Emergency Update
    C:\windows\system32\tasks\Driver Booster SkipUAC (Dan)
    C:\windows\TEMP\*.*
    C:\Users\Dan\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{77868549-4754-430E-8BD9-09BD9E1B15F5}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A09AC9CF-E40B-416C-B60E-0B9175C4AD75}]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip

    Again do not reinstall Avast, IOBit, or Chrome yet.
     
  34. zamorazeke

    zamorazeke Corporal

    When you directed me to delete everything relating to Chrome and Google, I deleted everything except Google Update Helper, which I did not know how to do
    Perhaps the problem lies in that detail, I did not know how to access the Google Update Helper for deletion(?).

    The website address I used to download the Chrome installer is https://www.google.com/intl/en/chrome/browser/desktop/index.html

    I'm sorry if I did anything that upset the usual sequence of handling these issues...and I'm willing to go back as far as needed if I can still get help from you MajorGeeks.

    Thanks again,

    zamorazeke
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just do what was requested in my last message now.
     
  36. zamorazeke

    zamorazeke Corporal

    Thank you for your help. I think the instructions have been completed as directed.

    1. I uninstalled everything on the list including Surfing Protection (an extension in Chrome (?), and I uninstalled it before uninstalling Chrome).

    2. I uninstalled everything that I could find related to Google and Chrome. Also, I uninstalled Firefox too because the default search provider in the address bar seems "wonky," and will not allow any resets to another search provider (Google, Bing).

    3. Done.

    4. Completed.

    5. Accomplished.

    Attached are the OTL log and MGlogs.zip

    Thanks again. I appreciate all your help both today and in the past. :)

    zamorazeke
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Okay then let's first run another fix to make sure we cleanup any remaining items from Firefox too before we do anything else.


    Right-click on OTL.exe and select Run as Administrator
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    SRV - [2014/12/04 13:46:57 | 000,114,800 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    FF - prefs.js..browser.search.defaultengine: "Microsoft (Bing)"
    FF - prefs.js..browser.search.defaultenginename: "Bing"
    FF - prefs.js..browser.search.defaultthis.engineName: "Microsoft (Bing)"
    FF - prefs.js..browser.search.defaulturl: "http://www.bing.com/search"
    FF - prefs.js..browser.search.order.1: "Microsoft (Bing)"
    FF - prefs.js..browser.search.selectedEngine: "Bing"
    FF - prefs.js..browser.search.useDBForOrder: "false"
    FF - prefs.js..browser.startup.homepage: "http://dealnews.com/|https://www.gmail.com/intl/en/mail/help/about.html#inbox|https://login.yahoo.com/config/mail?.intl=us&.done=https%3A%2F%2Fus%2Dmg6.mail.yahoo.com%3A443%2Fneo%2Flaunch%3F.rand%3D9v4s8k9rajhe1|https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=12&ct=1420477521&rver=6.4.6456.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx%3Frru%3Dinbox&lc=1033&id=64855&mkt=en-us&cbcxt=mai|http://www.msn.com/|https://groups.yahoo.com/neo/groups/FBAForum/info"
    FF - prefs.js..extensions.enabledAddons: netvideohunter%40netvideohunter.com:1.16
    FF - prefs.js..extensions.enabledAddons: amptra%40keepa.com:1.45
    FF - prefs.js..extensions.enabledAddons: %7BD9A7CBEC-DE1A-444f-A092-844461596C4D%7D:7.5
    FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:10.0.2502.149
    FF - prefs.js..extensions.enabledAddons: iobitascsurfingprotection%40iobit.com:2.0
    FF - prefs.js..extensions.enabledAddons: %7Bb9db16a4-6edc-47ec-a1f4-b86292ed211d%7D:4.9.24
    FF - prefs.js..extensions.enabledAddons: %7Bd91a2be6-3b56-4dfb-97f5-5e48fe3ed473%7D:1.0
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:34.0
    FF - user.js - File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF64_16_0_0_235.dll File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@lastpass.com/NPLastPass: C:\Program Files (x86)\LastPass\nplastpass64.dll (LastPass)
    FF:64bit: - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF:64bit: - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\SysWOW64\Macromed\Flash\NPSWF32_16_0_0_235.dll ()
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=:  File not found
    FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
    FF - HKLM\Software\MozillaPlugins\@dymo.com/DymoLabelFramework: C:\Program Files (x86)\DYMO\DYMO Label Software\Framework\npDYMOLabelFramework.dll ( Sanford L.P.)
    FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
    FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI ipt;version=3.5.29: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
    FF - HKLM\Software\MozillaPlugins\@intel-webapi.intel.com/Intel WebAPI updater: C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
    FF - HKLM\Software\MozillaPlugins\@lastpass.com/NPLastPass: C:\Program Files (x86)\LastPass\nplastpass.dll (LastPass)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files (x86)\Microsoft Silverlight\5.1.31211.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=16.4.3528.0331: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@siber.com/RoboForm: C:\Program Files (x86)\Siber Systems\AI RoboForm\chrome\plugin\np-rf-plugin.dll (Siber Systems Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.1.5: C:\Program Files (x86)\VideoLAN\VLC\npvlc.dll (VideoLAN)
    FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    FF - HKCU\Software\MozillaPlugins\@citrixonline.com/appdetectorplugin: C:\Users\Dan\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2014/11/21 14:55:01 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox [2014/12/06 11:58:53 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 34.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 34.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
    FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files (x86)\Siber Systems\AI RoboForm\Firefox [2014/12/06 11:58:53 | 000,000,000 | ---D | M]
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 34.0\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components
    FF - HKEY_CURRENT_USER\software\mozilla\Mozilla Firefox 34.0\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins
    [2014/04/10 21:10:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dan\AppData\Roaming\Mozilla\Extensions
    [2015/01/02 20:40:02 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions
    [2015/01/02 17:21:47 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
    [2015/01/02 20:40:02 | 000,000,000 | ---D | M] (CSHelper) -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions\{d91a2be6-3b56-4dfb-97f5-5e48fe3ed473}
    [2014/10/27 10:05:18 | 000,000,000 | ---D | M] ("Default Full Zoom Level") -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions\{D9A7CBEC-DE1A-444f-A092-844461596C4D}
    [2014/12/28 14:07:47 | 000,000,000 | ---D | M] (Advanced SystemCare Surfing Protection) -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions\iobitascsurfingprotection@iobit.com
    [2014/07/29 08:25:29 | 000,000,000 | ---D | M] ("NetVideoHunter") -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions\netvideohunter@netvideohunter.com
    [2014/10/30 09:16:42 | 000,000,000 | ---D | M] (LastPass) -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions\support@lastpass.com
    [2014/10/15 13:23:26 | 000,017,738 | ---- | M] () (No name found) -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\extensions\amptra@keepa.com.xpi
    [2014/06/25 13:29:54 | 000,005,830 | ---- | M] () -- C:\Users\Dan\AppData\Roaming\Mozilla\Firefox\Profiles\p3k0nb93.default-1383247549906\searchplugins\bing-avast.xml
    [2014/12/04 13:46:53 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions
    [2014/12/04 13:46:58 | 000,000,000 | ---D | M] (Default) -- C:\Program Files (x86)\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    
    :Files
    C:\Program Files (x86)\Mozilla Firefox
    C:\Users\Dan\AppData\Roaming\Mozilla
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IObit Surfing Protection_is1]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! I know we have no protection still and that Chrome and Firefox have not been reinstalled. I just want to make sure there are no other issues right now. For example is Internet Explorer behaving properly.
     
  38. zamorazeke

    zamorazeke Corporal

    Both OTL and getlogs.bat file have been run, and results are attached to this post.

    Internet Explorer seems to be working okay; i.e. it's moving quickly with nothing strange in the search responses. When I type something to search, Bing gives possible alternatives in a drop-down list, so I think it's okay.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  40. zamorazeke

    zamorazeke Corporal

    I was certain I posted a reply the day before yesterday, right after completing instructions to download Chrome at the MajorGeeks link given, and was waiting for further instructions...but I guess it disappeared in the 'ether.'

    I haven't installed anything else, and I am still waiting before re-installing any kind of antivirus/malware software.

    To recap, I downloaded only Chrome installer from the link, installed it, and upon starting it, the first message that showed when I declined to sign in on my Google account was something on the order of "You can use Safesearch..."

    So I went to the search settings, and the only available search provider is Safesearch. In fact I made a screen capture and have attached it to this post to show what happened when I clicked on the item on the right end of the Safesearch line in the settings.

    Bottom of the screen capture: "This setting is enforced by your Administrator."

    As soon as I saw that, I wrote up a post much like this one and posted it (I thought). So I'm posting this one and hoping it gets through, unless the thread has been closed(?).
     

    Attached Files:

    Last edited: Jan 20, 2015
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is no snapshot showing your search engine being set to Safesearch.

    Also note that now you are saying Safesearch, which is not the same thing as the one in the title of your thread, which is SafeSear.ch.


    You need to run FRST as requested by Kestrel13! back in message # 21. Please follow the instructions properly to figure out the drive letter of your USB stick. It is not necessarily e:. You need to run notepad as requested and then find your drive. The instructions said
    You probably have a GroupPolicy restriction applied to Chrome that needs to be removed.
     
    Last edited: Jan 20, 2015
  42. zamorazeke

    zamorazeke Corporal

    Hi,

    Re. Kestrel13!'s post (#21), I have managed to run FRST64 from my F drive, and I am attaching the log it stored there.

    The point of the screen shot attached in my last post (I am attaching it again) was simply to show the message at the bottom of the shot indicating the user is not being given options to change search providers...i.e. Safesearch is the only option.

    I apologize for being 'loose' in terminology usage with respect to 'Safesear.ch' and 'Safesearch.' I was under the impression many people are using the terms interchangeably, and Safesearch is the title in the Chrome search bar. If the meaning of each is different, I will stick to whichever is appropriate in this case.

    Thanks for your response, chaslang.

    I will do my best to follow any further instructions you might give.
     

    Attached Files:

  43. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay if you have Advanced Systemcare from IObit still installed then uninstall it now because the below will break it.

    Also is the below something you knowingly installed?

    Tific System Service; C:\Program Files (x86)\Common Files\Tific\Tific Client G1\Tific System Service.exe [1698896 2014-06-02] (Tific AB)



    Download this >> View attachment fixlist.txt


    Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.
    Now reboot back into the System Recovery Options as you did previously.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (See how to attach)

    Now boot into normal Windows and continue with the below.


    Please download AdwCleaner by Xplode and save to your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
      Vista/Windows 7/8 users right-click and select Run As Administrator
    • Click on the Scan button.
    • AdwCleaner will begin...be patient as the scan may take some time to complete.
    • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
    • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
    • Attach the logfile to your next reply.
    • Copies of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • Fixlog.txt
    • The AdwCleaner log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  44. zamorazeke

    zamorazeke Corporal

    I had uninstalled Advanced System Care from IOBit already.

    I don't know what that is...

    Attached the logs for you... and will be waiting further instructions.

    Internet Explorer seems to be working fine, unlike the other browsers -- which I am waiting for word from you on that when you're ready.

    Thanks again for your continued instruction in ridding me of this "bully."
     

    Attached Files:

  45. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    Okay now run AdwCleaner again and have it fix/delete the below two items if they still show.

    -\\ Google Chrome v39.0.2171.99
    [C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
    [C:\Users\Dan\AppData\Local\Google\Chrome\User Data\Default\Web data] - Found [Search Provider] : hxxp://www.safesear.ch/web/?type=ss-ch-ds-ix&q={searchTerms}


    Now rerun a scan with FRST ( like from message # 21 ) and attach a new log from FRST. I want to make sure the Chrome Policy was truly deleted.
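The two places the hijack survived in this thread are worth a closer look: the policy that produced "This setting is enforced by your Administrator" (message #40/#41) and the extra rows AdwCleaner found in Chrome's "Web Data" database (the two search providers listed above). The script below is an added example for checking both on a machine; it is not code from this thread, from AdwCleaner, FRST or OTL. It uses only the Python standard library. The policy names are real Chrome policies; `EXPECTED_SEARCH_HOSTS`, the sample rows and the trimmed `keywords` schema are constructed assumptions for the demonstration, the sample mirroring the two URLs AdwCleaner reported (defanged as hxxp in the post).

```python
"""Added example: two defender-side checks for a Chrome default-search hijack.

1. Enforced search-provider policies under SOFTWARE\\Policies\\Google\\Chrome, which is
   what makes Chrome show "This setting is enforced by your administrator".
2. Injected rows in the profile's "Web Data" SQLite keywords table, the file
   AdwCleaner reported the rogue search providers in.
"""
import sqlite3
import sys
from urllib.parse import urlparse

# Assumption: hosts of the search engines the user deliberately set up; anything else is flagged.
EXPECTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com"}

# Real Chrome policy names that can pin the default search provider.
SEARCH_POLICY_NAMES = {
    "DefaultSearchProviderEnabled",
    "DefaultSearchProviderName",
    "DefaultSearchProviderKeyword",
    "DefaultSearchProviderSearchURL",
    "DefaultSearchProviderSuggestURL",
}

CHROME_POLICY_SUBKEY = r"SOFTWARE\Policies\Google\Chrome"


def assess_policies(policies):
    """Return {hive\\name: value} for entries that force the default search provider.

    `policies` is a mapping like read_chrome_policies_windows() returns; the value
    name is the last backslash-separated component of each key.
    """
    return {k: v for k, v in policies.items()
            if k.rsplit("\\", 1)[-1] in SEARCH_POLICY_NAMES}


def read_chrome_policies_windows():
    """Enumerate values under HKLM and HKCU ...\\Policies\\Google\\Chrome (Windows only)."""
    import winreg  # standard library, present only on Windows
    found = {}
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, CHROME_POLICY_SUBKEY)
        except OSError:
            continue  # no policy key in this hive, which is the normal state on a home PC
        with key:
            index = 0
            while True:
                try:
                    name, value, _type = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                found[f"{label}\\{name}"] = value
                index += 1
    return found


def suspicious_search_providers(conn):
    """Return (short_name, host, url) for keywords rows whose host is not expected."""
    rows = conn.execute("SELECT short_name, url FROM keywords").fetchall()
    flagged = []
    for short_name, url in rows:
        host = urlparse(url).netloc.lower()
        if host not in EXPECTED_SEARCH_HOSTS:
            flagged.append((short_name, host, url))
    return flagged


def build_sample_web_data():
    """Constructed in-memory stand-in for Chrome's Web Data (subset of the keywords schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keywords (id INTEGER PRIMARY KEY, short_name TEXT, keyword TEXT, url TEXT)")
    conn.executemany(
        "INSERT INTO keywords (short_name, keyword, url) VALUES (?, ?, ?)",
        [
            ("Google", "google.com", "https://www.google.com/search?q={searchTerms}"),
            ("Bing", "bing.com", "https://www.bing.com/search?q={searchTerms}"),
            # The two providers AdwCleaner reported in this thread (defanged as hxxp in the post)
            ("AOL", "search.aol.com", "http://search.aol.com/aol/search?q={searchTerms}"),
            ("Safesearch", "safesear.ch", "http://www.safesear.ch/web/?type=ss-ch-ds-ix&q={searchTerms}"),
        ],
    )
    conn.commit()
    return conn


def main():
    if sys.platform == "win32":
        enforced = assess_policies(read_chrome_policies_windows())
        print("Enforced search-provider policies:", enforced or "none")
    # On a live profile, copy the "Web Data" file first: Chrome keeps it locked while running.
    for short_name, host, url in suspicious_search_providers(build_sample_web_data()):
        print(f"Unexpected search provider {short_name!r} -> {host}: {url}")


if __name__ == "__main__":
    main()
```

Run on the sample data the second check flags exactly the AOL and safesear.ch rows. On a real machine the first check is the one that explains the "enforced by your Administrator" banner: a home PC not joined to a domain should normally have no Policies\Google\Chrome key at all, so any DefaultSearchProvider* value there is a removal target, not something to reconfigure around.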
     
  46. zamorazeke

    zamorazeke Corporal

    Completed the two items from your previous post:

    Deleted the two Chrome items in AdwCleaner;

    Attaching the FRST log for your inspection.

    Hoping this looks better.

    Thanks
     

    Attached Files:

  47. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks fine. Is Chrome working now?
     
  48. zamorazeke

    zamorazeke Corporal

    Yesssss!! :)

    Chrome's working normally!

    Whew!
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great news!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others) and running MGclean.bat did not remove them, you can delete these files now.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  50. zamorazeke

    zamorazeke Corporal

    Thank you for your help. Things seem to be working well.

    I have gone through all the steps listed in the post, and it appears everything is back to normal. Of course, I'll monitor closely...:-D

    Once again, thank you chaslang and kestrel13! for your help with this problem. I appreciate your being available for us when we need you.

    zamorazeke
     
