Removing Zedo?

Discussion in 'Malware Help (A Specialist Will Reply)' started by robbyblade, May 30, 2013.

  1. robbyblade

    robbyblade Private E-2

    For the past couple of days, I have been getting ads that pop up at the bottom of my screen from yads.zedo.com and lax1.ib.adnxs.com among others, most likely. I have followed all steps asked to do before posting and cannot seem to get rid of this annoying thing. I have primarily been using Google Chrome, but since this happened I have browsed around a little with IE and it hasn't plagued me yet with that browser. I've included my logs. Help?
     

    Attached Files:

  2. robbyblade

    robbyblade Private E-2

    After not having the ads come up while using IE, I uninstalled and re-installed Google Chrome and it seems to be working without the annoying pop-ups. I'm assuming it was just a bug in Chrome? I would still like to find some potential answers if someone could dig in to this a little bit. I ran scans with Malwarebytes and AVG and both checked out clean.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!
    It is a common problem with Chrome and Firefox having addons hooked into them. Firefox has a simple method to reset to defaults. Chrome on the other hand is not designed too well and many times requires an uninstall, delete of the Chrome folders and then a reinstall.

    You have a bunch more to do.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.foxtab.com/?s=0&chnl=...N0C0CzutN0D0TzutBtDtCtCtDyEtCyC&cr=2126451115
    R3 - URLSearchHook: (no name) - - (no file)
    R3 - URLSearchHook: (no name) - {57dc49cc-5a9f-446c-bcf8-65c52b7060a6} - C:\Program Files (x86)\VideoScavenger_1e\bar\1.bin\1eSrcAs.dll
    R3 - URLSearchHook: WebfinnaCoupons Toolbar - {82bd588c-acd8-417d-a32e-ef441492b9f6} - C:\Program Files (x86)\WebfinnaCoupons\prxtbWebf.dll
    O2 - BHO: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll
    O2 - BHO: WebfinnaCoupons - {82bd588c-acd8-417d-a32e-ef441492b9f6} - C:\Program Files (x86)\WebfinnaCoupons\prxtbWebf.dll
    O2 - BHO: DataMngr - {B939CF93-F2CB-443d-956C-DC523D85C9DB} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\BROWSE~1.DLL
    O2 - BHO: Wincore Mediabar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll
    O2 - BHO: Toolbar BHO - {c6549209-1ff1-4a5c-a815-981f64f34b19} - C:\PROGRA~2\VIDEOS~2\bar\1.bin\1ebar.dll
    O2 - BHO: Search Assistant BHO - {d047fe10-dfe2-45cf-9fbf-966b9e64920f} - C:\Program Files (x86)\VideoScavenger_1e\bar\1.bin\1eSrcAs.dll
    O3 - Toolbar: VideoScavenger - {acf7da4c-eeb2-484a-a3a1-303d4054d50c} - C:\Program Files (x86)\VideoScavenger_1e\bar\1.bin\1ebar.dll
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: (no name) - {9D425283-D487-4337-BAB6-AB8354A81457} - (no file)
    O3 - Toolbar: Wincore Mediabar - {c2d64ff7-0ab8-4263-89c9-ea3b0f8f050c} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\ToolBar\wincorebsdtx.dll
    O3 - Toolbar: WebfinnaCoupons Toolbar - {82bd588c-acd8-417d-a32e-ef441492b9f6} - C:\Program Files (x86)\WebfinnaCoupons\prxtbWebf.dll
    O3 - Toolbar: Wincore Mediabar - {28387537-e3f9-4ed7-860c-11e69af4a8a0} - C:\PROGRA~2\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll
    O3 - Toolbar: (no name) - {95B7759C-8C7F-4BF1-B163-73684A933233} - (no file)
    O4 - HKLM\..\Run: [VideoScavenger_1e Browser Plugin Loader] C:\PROGRA~2\VIDEOS~2\bar\1.bin\1ebrmon.exe
    O4 - HKLM\..\Run: [autoauto] c.bat

    After clicking Fix, exit HJT.

    Now uninstall the below programs:
    VideoScavenger
    WebfinnaCoupons Toolbar
    Wincore MediaBar


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    :Services
    VideoScavenger_1eService
     
    :Files
    C:\Program Files (x86)\BearShare Applications
    C:\Program Files (x86)\CouponAlert_2pEI
    C:\Program Files (x86)\VideoScavenger_1e
    C:\Program Files (x86)\WebfinnaCoupons
    C:\PROGRA~2\IMESHA~1
    C:\Users\Kit n Kaboodle\AppData\LocalLow\DataMngr
    C:\Users\Kit n Kaboodle\AppData\LocalLow\DataMngr\{7CA1F051-A4FB-4143-B263-02B41E571EED}
    C:\Users\Kit n Kaboodle\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BrowserConnection.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\DnsBHO.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserConnection.Loader.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowserConnection.Loader]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DnsBHO.BHO.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\DnsBHO.BHO]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\BrowserConnection.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\DnsBHO.DLL]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{AC662AF2-4601-4A68-84DF-A3FE83F1A5F9}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{D97A8234-F2A2-4AD4-91D5-FECDB2C553AF}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\BrowserConnection.Loader.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\BrowserConnection.Loader]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\DnsBHO.BHO.1]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\DnsBHO.BHO]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
    [-HKEY_USERS\S-1-5-21-1842775309-3437224328-2766347926-1000\Software\DataMngr]
    [-HKEY_USERS\S-1-5-21-1842775309-3437224328-2766347926-1000\Software\DataMngr_Toolbar]
    [-HKEY_USERS\S-1-5-21-1842775309-3437224328-2766347926-1000\Software\Softonic]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "VideoScavenger_1e Browser Plugin Loader"=-
    "autoauto"=-
    [HKEY_LOCAL_MACHINE\software\Wow6432Node\microsoft\windows\currentVersion\Run]
    "VideoScavenger_1e Browser Plugin Loader"=-
    "autoauto"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{194de045-cc5e-4840-b031-1ca9db98919d}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{36668FFD-7809-43FB-A609-999C5A7AB5FE}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{36A7593F-2A71-458C-A463-7DABD74FFB97}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
    "DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{194de045-cc5e-4840-b031-1ca9db98919d}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{36668FFD-7809-43FB-A609-999C5A7AB5FE}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{36A7593F-2A71-458C-A463-7DABD74FFB97}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{8CFCE801-EBC1-4A4F-B441-C99D41CEF8B3}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD21}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD22}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CC4012B2-9886-4121-932B-14C9F43BF247}]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.


    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
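    The lines chaslang picks out above all share one shape: a browser hook or autorun entry pointing at either a missing file or a toolbar DLL. As an added example (not the thread's own tooling, and not a replacement for the HijackThis/OTM steps), this Python script parses lines in the HijackThis log format and flags the same three patterns: "(no file)" orphans, entries under the adware paths named in this thread, and Run entries such as "c.bat" that name no fixed file. The sample log and the benign Java line are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis log format, modelled on the lines quoted in the thread.
# The Java BHO line is invented as a benign control; its CLSID is a placeholder.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.foxtab.com/?s=0
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: WebfinnaCoupons Toolbar - {82bd588c-acd8-417d-a32e-ef441492b9f6} - C:\Program Files (x86)\WebfinnaCoupons\prxtbWebf.dll
O2 - BHO: DataMngr - {B939CF93-F2CB-443d-956C-DC523D85C9DB} - C:\PROGRA~2\BEARSH~1\MediaBar\Datamngr\BROWSE~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Java\jre7\bin\ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [VideoScavenger_1e Browser Plugin Loader] C:\PROGRA~2\VIDEOS~2\bar\1.bin\1ebrmon.exe
O4 - HKLM\..\Run: [autoauto] c.bat
"""

# "name - {CLSID} - path" entries for search hooks (R3), BHOs (O2) and toolbars (O3);
# the CLSID may be absent, as in HijackThis's "(no name) - - (no file)" form.
HOOK_RE = re.compile(r"^(?P<kind>R3|O2|O3) - (?:URLSearchHook|BHO|Toolbar): "
                     r"(?P<name>.*?)\s+-\s+(?P<clsid>\{[^}]*\})?\s*-\s+(?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
START_RE = re.compile(r"^R0 - .*Start Page = (?P<url>\S+)$")
# Path fragments of the adware components named in the thread (8.3 short names included).
ADWARE_MARKERS = ("videoscavenger", "videos~2", "webfinnacoupons", "mediabar",
                  "datamngr", "bearsh~1", "imesha~1")

@dataclass
class Finding:
    kind: str    # HijackThis section the line came from
    name: str
    target: str  # DLL, command or URL the entry points at
    reason: str

def triage(log_text: str) -> List[Finding]:
    """Return the entries a reviewer would flag, in log order."""
    found: List[Finding] = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := HOOK_RE.match(line):
            path = m["path"]
            if path == "(no file)":
                found.append(Finding(m["kind"], m["name"], path, "orphaned: registered but the DLL is gone"))
            elif any(k in path.lower() for k in ADWARE_MARKERS):
                found.append(Finding(m["kind"], m["name"], path, "loads a known adware/toolbar component"))
        elif m := RUN_RE.match(line):
            cmd = m["cmd"]
            if not re.match(r'^"?[A-Za-z]:\\', cmd):  # e.g. "c.bat": resolved via the search path
                found.append(Finding("O4", m["name"], cmd, "autorun with a relative command"))
            elif any(k in cmd.lower() for k in ADWARE_MARKERS):
                found.append(Finding("O4", m["name"], cmd, "autorun launches a known adware component"))
        elif m := START_RE.match(line):
            found.append(Finding("R0", "Start Page", m["url"], "non-default start page: confirm the user chose it"))
    return found

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:3} {f.name:40.40} {f.reason}\n    -> {f.target}")
```

Run against a full HijackThis log, the flagged list is the shortlist to confirm by hand; the script does not modify anything.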
     
  4. robbyblade

    robbyblade Private E-2

    When attempting to remove VideoScanner, I receive a RunDLL error saying "The specified module could not be found", and Webfinna Coupons does nothing when trying to uninstall. Click, wait, nothing, click again and then I already supposedly have an uninstall going. The Webcore MediaBar uninstalled fine.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try using the below to remove them

    Revo Uninstaller 1.94

    If that does not help, then just continue on and we will remove them later manually.
     
  6. robbyblade

    robbyblade Private E-2

    I have been getting this on the page when clicking that link, tried a few times over the past few hours.

    The MySQL database of this Contentteller Content Management System installation has encountered the following problem:
    The MySQL database server has returned 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') AND (filecat_website = '0' OR filecat_website = '1') ORDER BY filecat_name' at line 1 while executing SELECT filecat_id, filecat_name, filecat_seo, filecat_description, filecat_keywords FROM esselbach_ct_filescats WHERE filecat_id IN (,) AND (filecat_website = '0' OR filecat_website = '1') ORDER BY filecat_name

    Please try it in a few minutes again. We apologize for any inconvenience.
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  8. robbyblade

    robbyblade Private E-2

    I don't have any log files in C:/_OTM, but here are the other two logs. I still can't remove VideoScavenger or Webfinna, having the same issues as before when trying to uninstall.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on your logs, you did not download and run it as requested. There is no OTM.EXE file on your Desktop and no _OTM folder in the C:\ root folder. Thus it was not run and thus no fix was performed.
     
  10. robbyblade

    robbyblade Private E-2

    Not sure why it didn't work right the first time, but I tried it again and this time I do have a log, which is attached below.
     
  11. robbyblade

    robbyblade Private E-2

    Forgot to attach the log... Sorry.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so now you need to rerun C:\MGtools\GetLogs.bat and attach the new MGlogs.zip file. The last one was of no use to me since OTM had not been run.
     
  13. robbyblade

    robbyblade Private E-2

    Here ya go.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, let's remove the rest of VideoScavenger and WebfinnaCoupons Toolbar and some other junk.

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.


    Are you having anymore malware problems?
     
