1. edpolakoff

    edpolakoff Private First Class

    Hey guys,

    I cleaned this off for a friend a few months back and she clicked on something she shouldn't have. Not as bad as last time, at least I can get online this go round. Getting pop-up ads and some browser redirects. It doesn't seem as bad after running the scans, but I'd appreciate if someone would take a look at the logs for me.

    Thanks!

    Ed
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Avast will always get in the way of fixing problems like this, so the first thing you need to do is uninstall it. We have found many times that disabling it does not work well enough. So uninstall it now before continuing.



    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
     
    :Files
    C:\Program Files (x86)\Settings Manager
    C:\Users\Meghan\Desktop\2014 Security
    C:\Program Files (x86)\GtiesWive
    C:\WINDOWS\TEMP\*.*
    C:\Users\Meghan\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}]
    [-HKEY_USERS\S-1-5-21-3213060532-1351677999-193008828-1002\Software\Linkey]
    [-HKEY_USERS\S-1-5-21-3213060532-1351677999-193008828-1002\Software\Microsoft\Internet Explorer\Approved Extensions\{54739D49-AC03-4C57-9264-C5195596B3A1}]
    [-HKEY_USERS\S-1-5-21-3213060532-1351677999-193008828-1002\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{A37F10DF-AEFE-4ABB-AF57-C9F86E457AC9}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings] 
    "ProxyServer"=-
    [HKEY_USERS\S-1-5-21-3213060532-1351677999-193008828-1002\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxyEnable"=dword:00000000
    "ProxyOverride"=-
    "ProxyServer"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\ManualProxies]
    @=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
    "DefaultConnectionSettings"=-
    "SavedLegacySettings"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
    "ProxySettingsPerUser"=dword:00000000
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Feb 20, 2015
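    As an added, read-only check that is not part of chaslang's instructions: this PowerShell snippet reports the proxy values and Internet Explorer search scopes that the OTM script above resets, so the fix can be confirmed after the reboot. It assumes an elevated PowerShell session; the two CLSIDs it flags are the ones the script deletes.

```powershell
# Added example (not from the thread): read-only audit of the proxy and IE search-scope
# registry locations that the OTM script above resets. Run in an elevated PowerShell.
# Nothing is changed; it only reports what is currently set.

$proxyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$scopeKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes'
)
# Search-scope CLSIDs taken from the OTM script in the post above.
$suspectScopes = @('{9BB47C17-9C68-4BB3-B188-DD9AF0FD2476}', '{A37F10DF-AEFE-4ABB-AF57-C9F86E457AC9}')

function Get-ProxyState {
    foreach ($k in $proxyKeys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        [pscustomobject]@{
            Key           = $k
            ProxyEnable   = $p.ProxyEnable
            ProxyServer   = $p.ProxyServer
            ProxyOverride = $p.ProxyOverride
            # ProxyEnable=1 or a non-empty ProxyServer means browser traffic is still routed through a proxy
            Suspicious    = ($p.ProxyEnable -eq 1) -or [bool]$p.ProxyServer
        }
    }
}

function Get-SearchScopeState {
    foreach ($k in $scopeKeys) {
        if (-not (Test-Path $k)) { continue }
        $default = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).DefaultScope
        foreach ($sub in Get-ChildItem -Path $k) {
            $v = Get-ItemProperty -Path $sub.PSPath
            [pscustomobject]@{
                Key         = $k
                Scope       = $sub.PSChildName
                DisplayName = $v.DisplayName
                URL         = $v.URL
                IsDefault   = ($sub.PSChildName -eq $default)
                Suspicious  = $suspectScopes -contains $sub.PSChildName
            }
        }
    }
}

Get-ProxyState | Format-Table -AutoSize
Get-SearchScopeState | Format-Table -AutoSize
```

    Any row marked Suspicious after the OTM reboot means the corresponding entry was recreated and the log should be re-examined.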
  3. edpolakoff

    edpolakoff Private First Class

    Well sir Chaslang, it seems you were the last one to help me with this laptop a few months back. I hope the world finds you well. Logs are enclosed. I don't seem to be getting as many ads or pop-ups as when I first started. Here are the logs you asked for.

    Ed
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Per your logs it appears that you never uninstalled Avast as requested.


    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.
     
  5. edpolakoff

    edpolakoff Private First Class

    OK. I did get a success message on your registry edit. I'm not sure what happened with Avast. I ran the uninstall and it no longer appears in the add/remove programs list, but you are correct, it is still here and running. That was the first thing I did before I ran the scans you requested. I didn't think to look and make sure it was no longer running...

    Should I try and reinstall and uninstall again?

    Ed
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if the below can help you to remove Avast

    http://avast-removal-tool.com/

    Make sure that you reboot afterwards and then double check to make sure it really worked.
     
  7. edpolakoff

    edpolakoff Private First Class

    OK. I ran the uninstaller and I don't see any signs of Avast running in Task Manager any longer. Boy, what a pain it is to do simple stuff in Win8. Seems like a million things to do just to get to safe mode!

    What would you like me to do next?

    I appreciate the help and patience!

    Ed
     
  8. edpolakoff

    edpolakoff Private First Class

    Hey,

    I know you're busy, but I wanted to give you a heads up that this may play out over a few weeks. I'm leaving town Thursday night for a while and won't be able to do much with the computer that's having issues. If you leave me things to do and I don't get to them before I leave Thursday night, I'll attend to them when I get back. Just didn't want you to think I was ignoring you if I don't respond. :):):):):)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, is everything still working okay? If yes, then we can complete the below instructions.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  10. edpolakoff

    edpolakoff Private First Class

    The last thing you asked me to do was remove Avast, which I did with the tool you sent. I left you a message that it was done and hadn't heard back, thought you might have gotten caught up with something else and weren't able to respond so I left that message last night because I soon won't be able to. I've been waiting for instructions on what you wanted me to do after that. It still has issues...

    It is still ok if we don't get this finished in the next few days. It will be here when I get back. I was a little worried I hadn't heard back from you. Last time we worked together you were always so prompt and I was concerned.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you may have missed my last message with final instructions.
     
  12. edpolakoff

    edpolakoff Private First Class

    No, I didn't miss your final instructions. I'm just not ready for them. The machine still has issues. I ran scans and you found that Avast was still running and sent me a tool to remove it. Since then we haven't taken any other steps. Would you like me to rerun the scans now that Avast is off the machine or is there something you can tell from the logs before I removed Avast that you'd like me to do?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You already told me Avast was removed and I gave you the next steps, which are the final instructions which will remove all the tools we no longer need and get you re-protected. We are finished other than that unless you are having problems, and you did not tell me that you had any specific problems.
     
  14. edpolakoff

    edpolakoff Private First Class

    My apologies. After the comment you made about Avast making things difficult to fix things and having me remove it, I thought you might want to check logs again. I guess that was my misunderstanding.

    As always, I appreciate your help. The machine does seem to be behaving now, I was just anticipating your wanting to check again.

    The only weird thing I notice is that almost every ad that shows up on a web page has a Victoria's Secret ad on it. Is there anything to do about that or not? It doesn't seem to be interfering with anything, just a constant theme, even here on the forum page.

    Ed
     
    Last edited by a moderator: Feb 25, 2015
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    With which browser?
     
  16. edpolakoff

    edpolakoff Private First Class

    Chrome.

    I don't remember installing Spybot on this machine either, though the young lady it belongs to may have. I have never seen it come up and auto scan the entire time I've been working on it...about a week now. I opened up the screen this morning and Spybot Search and Destroy had completed a scan. I just tried to open it manually and it said there were compatibility issues and to head to the Microsoft website to look for a solution.

    Should I just uninstall?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try running the below and see if it helps:

    Reset Chrome to Defaults


    Yes
     
  18. edpolakoff

    edpolakoff Private First Class

    Finally got back from vacation and was able to finish up this machine. Resetting Chrome seemed to take care of the rest of the problems. Thanks again for all your help. Hope you enjoy the warmer weather! :):)
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Glad to hear it is working properly now.
     
