
Comments

26 comments

  • Support

    Hi Funny Girl,

     

    Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

    Turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

    Click on the Log file button.
    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[R0].txt.

    0
  • Support

    You're welcome

     

    1. Please, turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

    Click on the Clean button.

    Click on OK.
    Click on OK on any message that pops up.
    The computer will be restarted.

    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[s0].txt

     

    2. Start FRST.

    Select Addition.txt.

    Scan with FRST and attach the two new log files.

     

     

    3. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
    To shorten the scanning time disable your antivirus program while scanning.

    Select Enable detection of potentially unwanted applications.
    Click Advanced Settings.

    Deselect Remove found threats.

    Select:
    Scan Archives
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

    Click Start.

    When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

    0
  • Customer

    I've attached the file as you requested. Thank you for helping me. I should mention that this started happening when I added myearthlink.net to Web Companion as my browser page.

    AdwCleanerS1.txt

    0
  • Support

    Did you select that AdwCleaner shouldn't delete some folders or did AdwCleaner fail when it tried to delete them?

    E.g.

    [!] Key Not Deleted : HKU\S-1-5-21-1209626233-1858311023-2878856544-1000\Software\AppDataLow\Software\PriceGong
    [!] Key Not Deleted : HKU\S-1-5-21-1209626233-1858311023-2878856544-1000\Software\AppDataLow\Software\Savings Bull

     

    If AdwCleaner failed, please try again and start AdwCleaner by right-clicking it and selecting Run as Administrator.

    If AdwCleaner deletes more, I need to see new logs from FRST.

    0
  • Customer

    I've tried numerous times to run eset.com/onlinescan/ - I do everything they say then after the last pop-up box regarding security warning - I click install then the next message is "an add-on for this website failed to run". I tried to get online help but there's no live person to assist so it wouldn't run. I have attached the other files you requested. What's next?

     

     

    AdwCleanerC1.txt

    Addition_06-09-2015_07-56-00.txt

    FRST_06-09-2015_07-56-00.txt

    0
  • Customer

    When I ran AdwCleaner yesterday and sent you the files, I followed your instructions and the only issues that were displayed were CouponPrinterService, netfilter, ReimageRealTimeProtection and YahooAUService. I clicked to clean and there may have been a pop-up saying some files would be deleted so I hit OK. I ran the program again as "Administrator" and nothing showed up so I didn't have to hit clean and therefore nothing is attached. I'm still getting myhomelinkonline just as before.

    0
  • Support

    The URL myearthlink.net redirects to myhomelinkonline.com. Maybe you want your home page to be my.earthlink.net (note the dot after "my") since that's a normal portal page.

    But since there is some adware in the computer, please start Notepad.
    Copy all text that is in the box:


    CreateRestorePoint:
    CloseProcesses:
    HKLM\...\Run: [] => [X]
    URLSearchHook: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000 -> Default = {CFBFAE00-17A6-11D0-99CB-00C04FD64497}
    URLSearchHook: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000 - (No Name) - {3bbd3c14-4c16-4989-8366-95bc9179779d} - No File
    URLSearchHook: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000 - (No Name) - {4c60e5ab-5c68-4c59-abaa-885010b24b32} - No File
    SearchScopes: HKLM -> DefaultScope {94216338-6E2C-41E9-B6F9-7850C466C5B8} URL =
    BHO: GamesBarBHO Class -> {CB0D163C-E9F4-4236-9496-0597E24B23A5} -> C:\Program Files\GamesBar\2.0.1.53\oberontb.dll No File
    Toolbar: HKLM - No Name - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - No File
    Toolbar: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000 -> No Name - {3BBD3C14-4C16-4989-8366-95BC9179779D} - No File
    Toolbar: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000 -> No Name - {C66A678D-5E6C-4AF9-8F57-C6192F42CF74} - No File
    Toolbar: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000 -> No Name - {D341D509-49FB-4FF2-9A1B-134056747A7D} - No File
    Toolbar: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000 -> No Name - {9DA1018D-8E68-401A-A32B-694354D68276} - No File
    DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455}
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - No File
    CHR Extension: (BeFrugal.com Add-On) - C:\Users\Michael Andersen\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdcneeneoifbeenbbnjodcflhdbaggp [2015-08-11]
    CHR HKLM\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\MICHAE~1\AppData\Local\funmoods.crx <not found>
    CHR HKU\S-1-5-21-1209626233-1858311023-2878856544-1000\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [bbjciahceamgodcoidkjpchnokgfpphh] - C:\Users\MICHAE~1\AppData\Local\funmoods.crx <not found>
    S3 cpuz134; no ImagePath
    S1 UsbFltr; no ImagePath
    S2 X6XSEx; no ImagePath
    CustomCLSID: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000_Classes\CLSID\{15ea6566-467f-42ae-85d7-0ef80306cbdc}\localserver32 -> C:\Users\MICHAE~1\AppData\Local\Temp\{8b1670c8-dc4a-4ed4-974b-81737a23826b}\IDriver.NonElevated.exe (the data entry has 7 more characters).
    AlternateDataStreams: C:\ProgramData\Temp:0B4227B4
    AlternateDataStreams: C:\ProgramData\Temp:0CE0AE44
    AlternateDataStreams: C:\ProgramData\Temp:15734396
    AlternateDataStreams: C:\ProgramData\Temp:1DA424AA
    AlternateDataStreams: C:\ProgramData\Temp:258F3E77
    AlternateDataStreams: C:\ProgramData\Temp:260575F1
    AlternateDataStreams: C:\ProgramData\Temp:2AD33723
    AlternateDataStreams: C:\ProgramData\Temp:2CB9631F
    AlternateDataStreams: C:\ProgramData\Temp:337FC984
    AlternateDataStreams: C:\ProgramData\Temp:33F9314E
    AlternateDataStreams: C:\ProgramData\Temp:373E1720
    AlternateDataStreams: C:\ProgramData\Temp:3C3DE159
    AlternateDataStreams: C:\ProgramData\Temp:4673E9EA
    AlternateDataStreams: C:\ProgramData\Temp:4F8BECB9
    AlternateDataStreams: C:\ProgramData\Temp:56EE2CAF
    AlternateDataStreams: C:\ProgramData\Temp:59320096
    AlternateDataStreams: C:\ProgramData\Temp:6355626F
    AlternateDataStreams: C:\ProgramData\Temp:A7BCEE7D
    AlternateDataStreams: C:\ProgramData\Temp:A98B0BB8
    AlternateDataStreams: C:\ProgramData\Temp:ABFCD3CD
    AlternateDataStreams: C:\ProgramData\Temp:D3953905
    AlternateDataStreams: C:\ProgramData\Temp:E6C6EB3B
    AlternateDataStreams: C:\ProgramData\Temp:F1094E55
    AlternateDataStreams: C:\ProgramData\Temp:F2B81C2E
    AlternateDataStreams: C:\ProgramData\Temp:F49E02D5
    AlternateDataStreams: C:\ProgramData\Temp:FC70A22A
    AlternateDataStreams: C:\Users\Michael Andersen\Downloads\adwcleaner_5.005 (1).exe:BDU
    AlternateDataStreams: C:\Users\Michael Andersen\Downloads\adwcleaner_5.005 (2).exe:BDU
    AlternateDataStreams: C:\Users\Michael Andersen\Downloads\adwcleaner_5.005.exe:BDU
    AlternateDataStreams: C:\Users\Michael Andersen\Downloads\FRST.exe:BDU
    AlternateDataStreams: C:\Users\Michael Andersen\Downloads\FRST64.exe:BDU
    IE trusted site: HKU\S-1-5-21-1209626233-1858311023-2878856544-1000\...\webcompanion.com -> hxxp://webcompanion.com
    C:\Program Files\Coupons
    C:\Program Files\CouponXplorer_5zEI
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
    C:\Users\Michael Andersen\AppData\LocalLow\CouponXplorer_5zEI
    C:\Users\Michael Andersen\Favorites\Coupons
    C:\Users\Michael Andersen\Favorites\PC Cleaner
    C:\Users\Michael Andersen\Favorites\Coupons
    C:\Users\Michael Andersen\Favorites\Coupons
    Reboot:

    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply.

    0
  • Support

    Please, move the FRST program from the Downloads folder, C:\Users\Michael Andersen\Downloads, to the desktop and then run the FRST program and click on FIX.

    0
  • Customer

    I pasted the file as fixlist.txt on the desktop. When I click fix it says the fixlist.txt has to be in the same folder/directory as the tool and I don't know how to get it there. I typed it in and got the same response. I scanned again and have a new file that was produced. Do you want me to send it? With the myearthlink. I've had this as my home page for over 20 years and never had to put a . after my. I tried it several times and it worked. Thank you so much. Do I still have issues with my files?

    0
  • Support

    Do you see both FRST program and fixlist on the desktop?

     

    Do you see the file extension ".exe" on the FRST program?

    Do you see the file extension ".txt" on the fixlist file?

    0
  • Customer

    When I move FRST I right click and send to desktop. I don't know how else to do it. I ran FRST and nothing then I clicked the box shortcut.txt and additional.txt and files were produced but when I clicked fix it said the file needed to be in the same folder/directory. What am I doing wrong?

    0
  • Support

    And you start FRST by double-clicking it?

     

    Do you see the file extension ".exe" on the FRST program?

    Do you see the file extension ".txt" on the fixlist file?

    I'm asking to be sure that fixlist doesn't have the name fixlist.txt.txt when file extensions are visible.

    0
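The pre-flight checks Support asks for in this thread (tool and fixlist in the same folder, no fixlist.txt.txt, no entry split across two lines), as an added Python example that is not part of the thread or of FRST. The line-shape pattern is a heuristic built from the fixlist posted above; `preflight`, `wrapped_lines` and the sample text are names and data constructed here.

```python
import os
import re
import tempfile

# Line shapes seen in the fixlist posted in this thread (a heuristic, not FRST's
# own grammar): "Name: ..." entries and bare "C:\..." paths, service lines, registry keys.
ENTRY_START = re.compile(
    r"^(?:[A-Za-z][A-Za-z ]*:"         # CreateRestorePoint:, BHO: ..., C:\Program Files\...
    r"|[A-Z]\d \S+;"                   # S3 cpuz134; no ImagePath
    r"|(?:[A-Z]{2,4} )?HK[A-Z]+\\)"    # HKLM\...\Run: ..., CHR HKLM\...\Chrome\Extension: ...
)

def wrapped_lines(text):
    """Return (line_number, line) pairs that do not start like a fixlist entry."""
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
            if ln.strip() and not ENTRY_START.match(ln.strip())]

def preflight(folder):
    """Return a list of problems found in the folder the tool is started from."""
    names = {n.lower(): n for n in os.listdir(folder)}
    problems = []
    if not any(n.startswith("frst") and n.endswith(".exe") for n in names):
        problems.append("no FRST executable in this folder")
    if "fixlist.txt" not in names:
        if "fixlist.txt.txt" in names:
            problems.append("fixlist saved with a doubled extension: fixlist.txt.txt")
        else:
            problems.append("fixlist.txt is not in this folder")
        return problems
    path = os.path.join(folder, names["fixlist.txt"])
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        for n, ln in wrapped_lines(fh.read()):
            problems.append(f"line {n} looks like a wrapped continuation: {ln!r}")
    return problems

# Constructed sample: entries from the thread's fixlist, with the BHO line broken in two.
SAMPLE_WRAPPED = (
    "CreateRestorePoint:\n"
    "BHO: GamesBarBHO Class -> {CB0D163C-E9F4-4236-9496-0597E24B23A5} -> C:\\Program Files\\Games\n"
    "Bar\\2.0.1.53\\oberontb.dll No File\n"
    "C:\\Program Files\\Coupons\n"
    "Reboot:\n"
)

def demo():
    """Check a constructed folder twice: doubled extension first, then renamed."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "FRST.exe"), "w").close()   # empty stand-in, not the tool
        with open(os.path.join(d, "fixlist.txt.txt"), "w") as fh:
            fh.write(SAMPLE_WRAPPED)
        first = preflight(d)
        os.rename(os.path.join(d, "fixlist.txt.txt"), os.path.join(d, "fixlist.txt"))
        return first, preflight(d)

if __name__ == "__main__":
    print(demo())
```
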
  • Customer

    Yes, they are on the desktop but when I run the program it says the file isn't in the same folder/directory.

    0
  • Support

    Strange, but we can try with another program.

     

    Save OTL on the Desktop. http://oldtimer.geekstogo.com/OTL.exe
    Close all programs.
    Double-click OTL to run it.

    Click on Quick Scan and do not use the computer while the program runs.

    When the program finishes, two log files are created on the Desktop, OTL.txt and Extras.txt. Please, attach the two logs.

    0
  • Customer

    Here are the two logs created.

    Extras.Txt

    OTL.Txt

    0
  • Customer

    Yes, I double click it to start it. FRST has .exe extension and fixlist has .txt not .txt.txt.

    0
  • Support

    Please, close all programs including antivirus programs and other similar programs. Otherwise they might stop OTL.

    Start the program OTL, please.
    Copy all the lines in the box:


    :OTL
    IE - HKLM\..\SearchScopes,DefaultScope = {94216338-6E2C-41E9-B6F9-7850C466C5B8}
    IE - HKLM\..\SearchScopes\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}: "URL" = http://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg-chrome&type=yahoo_avg_hs2-tb-web_chrome_us&p={searchTerms}
    IE - HKCU\..\URLSearchHook: - No CLSID value found
    IE - HKCU\..\URLSearchHook: {3bbd3c14-4c16-4989-8366-95bc9179779d} - No CLSID value found
    IE - HKCU\..\URLSearchHook: {4c60e5ab-5c68-4c59-abaa-885010b24b32} - No CLSID value found
    IE - HKCU\..\SearchScopes,DefaultScope = {BFCF63D2-AD53-4777-949D-1845597F0C5D}
    CHR - Extension: No name found = C:\Users\Michael Andersen\AppData\Local\Google\Chrome\User Data\Default\Extensions\kcdcneeneoifbeenbbnjodcflhdbaggp\2013.3.16.15_0\
    O2 - BHO: (IEHlprObj Class) - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\Program Files\iWin Games\iWinGamesHookIE.dll File not found
    O2 - BHO: (GamesBarBHO Class) - {CB0D163C-E9F4-4236-9496-0597E24B23A5} - C:\Program Files\GamesBar\2.0.1.53\oberontb.dll File not found
    O3 - HKLM\..\Toolbar: (no name) - {c66a678d-5e6c-4af9-8f57-c6192f42cf74} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {3BBD3C14-4C16-4989-8366-95BC9179779D} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {9DA1018D-8E68-401A-A32B-694354D68276} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {C66A678D-5E6C-4AF9-8F57-C6192F42CF74} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D341D509-49FB-4FF2-9A1B-134056747A7D} - No CLSID value found.
    O4 - HKLM..\Run: [] File not found
    O15 - HKCU\..Trusted Domains: webcompanion.com ([]http in Trusted sites)
    O18 - Protocol\Handler\linkscanner - No CLSID value found
    @Alternate Data Stream - 97 bytes -> C:\ProgramData\Temp:D3953905
    @Alternate Data Stream - 95 bytes -> C:\ProgramData\Temp:59320096
    @Alternate Data Stream - 190 bytes -> C:\ProgramData\Temp:15734396
    @Alternate Data Stream - 184 bytes -> C:\ProgramData\Temp:FC70A22A
    @Alternate Data Stream - 176 bytes -> C:\ProgramData\Temp:F2B81C2E
    @Alternate Data Stream - 162 bytes -> C:\ProgramData\Temp:2AD33723
    @Alternate Data Stream - 146 bytes -> C:\ProgramData\Temp:260575F1
    @Alternate Data Stream - 144 bytes -> C:\ProgramData\Temp:F49E02D5
    @Alternate Data Stream - 143 bytes -> C:\ProgramData\Temp:1DA424AA
    @Alternate Data Stream - 141 bytes -> C:\ProgramData\Temp:56EE2CAF
    @Alternate Data Stream - 140 bytes -> C:\ProgramData\Temp:4F8BECB9
    @Alternate Data Stream - 134 bytes -> C:\ProgramData\Temp:2CB9631F
    @Alternate Data Stream - 133 bytes -> C:\ProgramData\Temp:0B4227B4
    @Alternate Data Stream - 130 bytes -> C:\ProgramData\Temp:E6C6EB3B
    @Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:A98B0BB8
    @Alternate Data Stream - 125 bytes -> C:\ProgramData\Temp:337FC984
    @Alternate Data Stream - 123 bytes -> C:\ProgramData\Temp:258F3E77
    @Alternate Data Stream - 119 bytes -> C:\ProgramData\Temp:ABFCD3CD
    @Alternate Data Stream - 118 bytes -> C:\ProgramData\Temp:373E1720
    @Alternate Data Stream - 115 bytes -> C:\ProgramData\Temp:3C3DE159
    @Alternate Data Stream - 113 bytes -> C:\ProgramData\Temp:A7BCEE7D
    @Alternate Data Stream - 111 bytes -> C:\ProgramData\Temp:6355626F
    @Alternate Data Stream - 111 bytes -> C:\ProgramData\Temp:0CE0AE44
    @Alternate Data Stream - 110 bytes -> C:\ProgramData\Temp:4673E9EA
    @Alternate Data Stream - 104 bytes -> C:\ProgramData\Temp:33F9314E
    @Alternate Data Stream - 102 bytes -> C:\ProgramData\Temp:F1094E55
    :Files
    C:\Program Files\Coupons
    C:\Program Files\CouponXplorer_5zEI
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
    C:\Users\Michael Andersen\AppData\LocalLow\CouponXplorer_5zEI
    C:\Users\Michael Andersen\Favorites\Coupons
    C:\Users\Michael Andersen\Favorites\PC Cleaner
    C:\Users\Michael Andersen\Favorites\Coupons
    C:\Users\Michael Andersen\Favorites\Coupons
    :Commands
    [CREATERESTOREPOINT]
    [REBOOT]

    Please, paste them into the field Custom Scans/Fixes.
    Click on Run Fix.

    If you are asked to restart the computer do that.

    Notepad will pop-up with a log. Copy it and paste it into your answer.
    If it doesn't pop up, you can find it in the folder c:\_OTL\Moved Files and its name contains the date and time for when OTL was run.

    Be sure that antivirus programs etc. are active before connecting to the internet.

    0
  • Customer

    These are the two files it created.

     


    [.ShellClassInfo]

    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21769

    IconResource=%SystemRoot%\system32\imageres.dll,-183

    [LocalizedFileNames]

    Spider Solitaire.lnk=@%SystemRoot%\system32\gameux.dll,-10061




    [.ShellClassInfo]

    LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

    [LocalizedFileNames]

    Norton Internet Security.lnk=@C:\PROGRA~1\NORTON~2\Branding\muis.dll,-102

    HP Help and Support.lnk=@C:\Windows\Help\OEM\scripts\HELPDT~1.DLL,-101

    WildTangent Games App - hp.lnk=@C:\PROGRA~1\WILDTA~1\TOUCHP~1\hp\MUILink.exe,-105



     

    0
  • Support

    Sorry, those aren't the right files. Please, see what you can find in c:\_OTL\Moved Files.

    0
  • Support

    Please, scan with OTL and attach the new OTL.txt, and I'll go through it to find out if OTL removed what it should have removed.

    0
  • Customer

    There isn't a file by that name. I even did a search on my computer.

    0
  • Support

    OTL did its job last time and now there are only a few minor left-overs to remove.

    Close all programs including antivirus programs and other similar programs. Otherwise they might stop OTL.

     

    Start the program OTL by right-clicking it and selecting Run as Administrator.

    Copy all the lines in the box:


    :OTL
    SRV - File not found [Auto | Stopped] -- C:\Program Files\iWin Games\iWinTrusted.exe -- (iWinTrusted)
    DRV - File not found [Kernel | On_Demand | Stopped] -- -- (cpuz134)
    FF - user.js - File not found
    O15 - HKCU\..Trusted Domains: localhost ([]* in Trusted sites)
    O15 - HKCU\..Trusted Domains: webcompanion.com ([]http in Trusted sites)
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
    :Commands
    [CREATERESTOREPOINT]
    [REBOOT]

    Paste them into the field Custom Scans/Fixes.

    Click on Run Fix.

     

    If you are asked to restart the computer do that.

     

    Notepad will pop-up with a log. Copy it and paste it into your reply.

    If it does not pop up, you can find it in the folder c:\_OTL\Moved Files and its name contains the date and time for when OTL was run.

    If you don't find it, just skip it.

     

    Be sure that antivirus programs etc. are active before connecting to the internet.

     

    Is the computer behaving as it should now?

    If yes, I'll post the instruction for how to remove the special cleaning programs you've been using.

    0
  • Customer

    Here it is.

    OTL.Txt

    0
  • Customer

    Again, there is nothing to paste. Thank you so much for all your help and patience. My computer is now running much faster and smoother than before.

    0
  • Support

    Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.


    If you're the topic starter, and need this topic reopened, please contact the staff member who was helping you with your issue.


    Everyone else please begin a New Topic.


    Thank you !

    0
  • Support

    You're welcome

    Very good that your computer is faster!


    1. Removal of tools

    Please, exit all programs, including browsers.

    Double-click on AdwCleaner to start the program.
    Click on the Uninstall button.

    Start OTL program.
    Click the CleanUp! button.
    Select Yes when asked "Begin cleanup process".
    If you are asked to reboot, select Yes.
    If any logs remain on the computer you can remove them.

    2. Improve the security in the computer
    It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that make it easy to infect the computer from a web page. To help you keep everything updated, you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.

    0
