Continuous Pop-ups And Js Run (page Is Reloading)

Discussion in 'Malware Help (A Specialist Will Reply)' started by ONEEYEMAN, Nov 12, 2016.

  1. ONEEYEMAN

    ONEEYEMAN Corporal

    Hi,
    Hopefully you guys will help me once again.

    I got a laptop from my mother-in-law and it got some infection. It shows the pop-ups in Chrome.

    Attached please find the logs from R&R.

    Thank you.
     

    Attached Files:

  2. ONEEYEMAN

    ONEEYEMAN Corporal

    And here is the MB log...
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman Pro, enable/activate the free trial and allow it to remove all that it finds.

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{16F7ED3A-ECD8-46C7-8FD3-E4A8C79884D7} (C:\Program Files (x86)\Free Games 111\ButtonSite64.dll) -> Found
    • [PUP] (X64) HKEY_CLASSES_ROOT\CLSID\{C099CD7B-A94C-4229-B6F7-76D3494C88D8} (C:\Program Files (x86)\Free Games 111\ScriptHost64.dll) -> Found
    • [PUP] (X64) HKEY_USERS\S-1-5-21-3909067905-1991131283-1345731357-1000\Software\Conduit -> Found
    • [PUP] (X64) HKEY_USERS\S-1-5-21-3909067905-1991131283-1345731357-1000\Software\ilivid -> Found
    • [PUP] (X86) HKEY_USERS\S-1-5-21-3909067905-1991131283-1345731357-1000\Software\Conduit -> Found
    • [PUP] (X86) HKEY_USERS\S-1-5-21-3909067905-1991131283-1345731357-1000\Software\ilivid -> Found
    • [PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3909067905-1991131283-1345731357-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.mumbojumbo.iplay.com/?o=shp -> Found
    • [PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3909067905-1991131283-1345731357-1000\Software\Microsoft\Internet Explorer\Main | Start Page : http://start.mumbojumbo.iplay.com/?o=shp -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {234C930D-4DB9-4701-AF04-0D907E100CB4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\Marina\AppData\Local\iLivid\iLivid.exe|Name=iLivid| [x] -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {28C60A59-77CB-43B0-829D-DE0D5C9F3040} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|App=C:\Users\Marina\AppData\Local\iLivid\iLivid.exe|Name=iLivid| [x] -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6F30DCEF-7B0E-482B-9A59-0AD2C28A1EEB} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Marina\AppData\Local\Temp\ibtmpd366498\ZulaGamesSetup|Name=ZulaGamesSetup (in)| [x] -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {12FCF09D-4067-4E78-9FF9-1809DFEED5DC} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Marina\AppData\Local\Temp\ibtmpd366498\ZulaGamesSetup|Name=ZulaGamesSetup (out)| [x] -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F57235E4-43AF-4530-8591-9530CA40E489} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Marina\AppData\Local\Temp\ibtmpd366498\SpeedanAlysisSetup|Name=SpeedanAlysisSetup (in)| [x] -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AC7F0591-F18F-473A-ACCB-9B65E1FC6A06} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Marina\AppData\Local\Temp\ibtmpd366498\SpeedanAlysisSetup|Name=SpeedanAlysisSetup (out)| [x] -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {234C930D-4DB9-4701-AF04-0D907E100CB4} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|App=C:\Users\Marina\AppData\Local\iLivid\iLivid.exe|Name=iLivid| [x] -> Found
    • [PUP] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {28C60A59-77CB-43B0-829D-DE0D5C9F3040} : v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|App=C:\Users\Marina\AppData\Local\iLivid\iLivid.exe|Name=iLivid| [x] -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {6F30DCEF-7B0E-482B-9A59-0AD2C28A1EEB} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Marina\AppData\Local\Temp\ibtmpd366498\ZulaGamesSetup|Name=ZulaGamesSetup (in)| [x] -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {12FCF09D-4067-4E78-9FF9-1809DFEED5DC} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Marina\AppData\Local\Temp\ibtmpd366498\ZulaGamesSetup|Name=ZulaGamesSetup (out)| [x] -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {F57235E4-43AF-4530-8591-9530CA40E489} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\Marina\AppData\Local\Temp\ibtmpd366498\SpeedanAlysisSetup|Name=SpeedanAlysisSetup (in)| [x] -> Found
    • [Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {AC7F0591-F18F-473A-ACCB-9B65E1FC6A06} : v2.10|Action=Allow|Active=TRUE|Dir=Out|App=C:\Users\Marina\AppData\Local\Temp\ibtmpd366498\SpeedanAlysisSetup|Name=SpeedanAlysisSetup (out)| [x] -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.

    Same for these entries on the Files tab:

    • [PUP][Folder] C:\Program Files (x86)\GamesBar -> Found
    • [PUP][File] C:\Program Files (x86)\Mozilla Firefox\browser\nsprotector.js -> Found
    • [PUP][File] C:\Users\Marina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk [LNK@] C:\Users\Marina\AppData\Local\iLivid\iLivid.exe -> Found
    • [PUP][File] C:\Users\Marina\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\iLivid.lnk [LNK@] C:\Users\Marina\AppData\Local\iLivid\iLivid.exe -> Found
    • [PUP][Folder] C:\Users\Marina\AppData\Roaming\PerformerSoft -> Found

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know how things are running!



    You have uploaded an incorrect log from Malware Bytes. Please check the instructions again carefully on how to retrieve a proper log. Then upload it.
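    The FirewallRules entries listed above all share one value format (`v2.10|Action=…|Dir=…|App=…|Name=…|`), and the ones RogueKiller flagged as Suspicious.Path point at programs under the user's Temp and AppData folders. The following is an added example, not code from this thread or from RogueKiller: it parses that format and returns the Allow rules whose program sits in such a folder, using sample values constructed from the entries quoted above. On a live system the values would be read from the HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules key; reading the registry is left out so the example runs anywhere.

```python
# Constructed sample: {rule GUID: rule value string}, modelled on the
# RogueKiller detections quoted in the thread plus one benign rule.
SAMPLE_RULES = {
    "{234C930D-4DB9-4701-AF04-0D907E100CB4}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|"
        "App=C:\\Users\\Marina\\AppData\\Local\\iLivid\\iLivid.exe|Name=iLivid|",
    "{6F30DCEF-7B0E-482B-9A59-0AD2C28A1EEB}":
        "v2.10|Action=Allow|Active=TRUE|Dir=In|"
        "App=C:\\Users\\Marina\\AppData\\Local\\Temp\\ibtmpd366498\\ZulaGamesSetup|"
        "Name=ZulaGamesSetup (in)|",
    "{00000000-0000-0000-0000-000000000000}":  # constructed benign rule
        "v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|"
        "App=C:\\Program Files\\Mozilla Firefox\\firefox.exe|Name=Firefox|",
}

# Folder fragments (lower-case) where a persistent Allow rule deserves a
# look. Legitimate per-user installs also live under AppData\Local, so
# this produces a triage list, not a delete list.
SUSPICIOUS_FRAGMENTS = (
    "\\appdata\\local\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)

def parse_rule(value):
    """Split 'v2.10|Key=Val|...|' into a dict; the leading version token is kept as 'Version'."""
    fields = [f for f in value.split("|") if f]
    rule = {"Version": fields[0]}
    for field in fields[1:]:
        key, _, val = field.partition("=")
        rule[key] = val
    return rule

def is_suspicious(rule):
    """True for an Allow rule whose App path contains a suspicious folder fragment."""
    app = rule.get("App", "").lower()
    if rule.get("Action", "").lower() != "allow" or not app:
        return False
    return any(frag in app for frag in SUSPICIOUS_FRAGMENTS)

def audit(rules):
    """Return (guid, name, app, direction) for every rule worth reviewing, in input order."""
    hits = []
    for guid, value in rules.items():
        rule = parse_rule(value)
        if is_suspicious(rule):
            hits.append((guid, rule.get("Name", ""), rule.get("App", ""), rule.get("Dir", "")))
    return hits
```

Both iLivid and ZulaGamesSetup rules come back from `audit(SAMPLE_RULES)`; the Firefox rule does not, and a Block rule is never reported because it grants nothing.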
     
  4. ONEEYEMAN

    ONEEYEMAN Corporal

    Hi, Kestrel13!,
    I did remove everything from Hitman Pro.
    But then when I re-ran RogueKiller it didn't find anything. I hope it's normal.

    I will now continue with your instructions.

    Thank you.
     
  5. ONEEYEMAN

    ONEEYEMAN Corporal

    Ok, here are the requested logs.
    Since RogueKiller didn't find anything at all, there is no log.

    Thank you.
     

    Attached Files:

  6. ONEEYEMAN

    ONEEYEMAN Corporal

    About MalwareBytes - check the screenshot.
    When I select the log and/or double-click it the Notepad window will open which will contain XML text.

    Thank you.
     

    Attached Files:

  7. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Refer to your screen shot -> left-click the top & most recent Scan Log > click on the Export and select "Text file (*.txt)" > save to your Desktop for easy retrieval.
     
  8. ONEEYEMAN

    ONEEYEMAN Corporal

    OK, found it.
    However, it is surprising that the other log is not exportable...

    Logs are attached.

    Thx.
     

    Attached Files:

  9. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    It was, and still is - just don't put a tick in the box which denotes "Selected for deletion" on that GUI.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Will be addressing this later on this evening. :) Sorry for the delay.
     
  11. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So when you rescan with Malware Bytes, does it find anything else? If so let it remove those entries/entry.

    Do this once more please: Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  12. ONEEYEMAN

    ONEEYEMAN Corporal

    Kestrel13!,
    First of all, sorry for the delay. I left the window open and was looking for an E-mail notification. ;-)

    Now, attached please find the requested logs.
    I re-ran MalwareBytes, deleted all logs from previous scans and then ran the scan again. It found 2 PUPs and the log is attached.
    Then I re-ran GetLogs.bat and the log is also attached.

    Thank you.
     

    Attached Files:

  13. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi there :)

    Now when you rescan with Malware Bytes, does it find anything, or is it clear this time?
     
  14. ONEEYEMAN

    ONEEYEMAN Corporal

    Kestrel13!,
    Yes, it did find 2 PUPs, which I removed. I did say this in the reply. ;-)

    Is there anything left?

    Thank you.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes but what I am saying is... does it find anything when you scan NOW?
     
  16. ONEEYEMAN

    ONEEYEMAN Corporal

    Kestrel13!,
    Nothing. I did run the MB scan and nothing was found.
    But Chrome still does not run properly. When I open a page and click on a link, it opens another tab with the same page and the old tab displays "Website Blocked By TrendMicro".

    Does this sound familiar?

    Thank you.
     
  17. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you open what page and click what link?
     
  18. ONEEYEMAN

    ONEEYEMAN Corporal

    Kestrel13!,
    Here are the steps I used:
    1. Open pageA (I used ru.uefa.com). The page will open in Tab1.
    2. On pageA, there is a link to another page (pageB). Click it.
    3. Tab2 will open with the content of pageA. Tab1 will contain an error which reads "Website Blocked by TrendMicro". PageB will not open.

    Hopefully this is clearer what is happening...

    Thank you.
     
  19. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please answer the following: Do you have the Trend Micro Toolbar browser extension for Chrome enabled? What is the website's name that is being blocked? Have you checked the site's URL using VirusTotal's URL Scanner?
     
  20. ONEEYEMAN

    ONEEYEMAN Corporal

    dr.moriarty,
    1. TM toolbar is not enabled.
    2. For testing I used www.uefa.com.
    a. Start Chrome.
    b. In the Address Bar enter the site address. The page will be displayed in TabA.
    c. Click any link. TabA will contain an error. TabB will open with the page of www.uefa.com (same as entered in the empty browser).
    3. No need to. This is a publicly available URL.

    Thank you.
     

    Attached Files:

  21. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please download ZHPCleaner to your desktop.
    • Close all applications (including your web browsers and antivirus)
    • Double-click on ZHPCleaner to run the tool.
    • If you are using Windows Vista, 7/8/10; instead of double-clicking, right-mouse click ZHPCleaner and select "Run as Administrator".
    • Please click the "J'accepte/I agree" button.
    • First press the "Scanner" button. Be patient, the scan takes longer than 5mins.
    • Do NOT fix/repair anything yet! Please upload that logfile with your next reply.
     
  22. ONEEYEMAN

    ONEEYEMAN Corporal

    dr.moriarty,
    Log attached.

    Thx.
     

    Attached Files:

  23. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You're welcome.

    Re-run ZHPCleaner per previous instructions
    • After the scan has completed - press the Repair button.
    • Browsers will automatically shut down.
    • A logfile will automatically open after the scan has finished.
    • Please upload that logfile with your next reply.
    Tell me how the PC is running now.
     
  24. ONEEYEMAN

    ONEEYEMAN Corporal

    It looks like ZHPCleaner fixed it. There are no more issues with Chrome.
    Now it's time to finalize cleaning, right?
     
  25. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Please upload the requested ZHPCleaner.txt log.
     
  26. ONEEYEMAN

    ONEEYEMAN Corporal

    Uploaded.

    Thx.
     

    Attached Files:

  27. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase it, it provides no protection. It does not use any significant amount of resources (except a little disk space) until you run a scan.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, Win 7/8/10 - it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7/8/10, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work through the below link:
    Safe surfing!
     
