BROWSEFOX
Hi Bruce,
Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/
Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.
Click on the Scan button.
Wait until the search has finished.
Click on the Log file button.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[R0].txt.
0 -
Wow! When I tried to reply, the mailer daemon said that the email address doesn't exist. I'm trying to post to this forum right now but the adware is blocking all attempts I make to stay on this website long enough to submit the file. This is ridiculous. I got this message through on another computer.
0 -
Also, on the computer that is infected, somehow it has blocked my ability to have permission to access the rest of my network so I cannot move the file over to this machine and send it to you. Any ideas on how to get you the requested information? The external drive I'm trying to write to is shared with all permissions granted to everyone. All other computers can write or read to or from the drive.
0 -
Do you have a Flash Drive (thumb drive) or a rewriteable CD/DVD disc that you can move between the computers?
Or can you paste the content of the files on http://pastebin.com/ or upload the files to a file sharing site (e.g. OneDrive) with one of your browsers?
You can start with this fix that removes some pieces of the infection and see if you can do more afterwards:
Please, start Notepad.
Copy all text that is in the box and paste in Notepad. Check that no files have been split on two lines.
CreateRestorePoint:
CloseProcesses:
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
() C:\Program Files (x86)\snipsmart\bin\snipsmart.expext.exe
() C:\Program Files (x86)\snipsmart\bin\snipsmart.Plinx.exe
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
ProxyServer: [S-1-5-21-49056582-2604055794-1413308269-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF user.js: detected! => C:\Users\Bruce\AppData\Roaming\Mozilla\Firefox\Profiles\4nhdq2q7.default\user.js [2016-04-12]
CHR Extension: (snipsmart) - C:\Users\Bruce\AppData\Local\Google\Chrome\User Data\Default\Extensions\dolmieohajibablnfnfapnocdcdggijm [2016-04-02] [UpdateUrl: hxxp://wwwsnipsmartinfo-a.akamaihd.net/update/chrome] <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
R2 Update snipsmart; C:\Program Files (x86)\snipsmart\updatesnipsmart.exe [650952 2016-04-11] ()
R2 Util snipsmart; C:\Program Files (x86)\snipsmart\bin\utilsnipsmart.exe [650952 2016-04-11] ()
Save the file as fixlist.txt on the desktop.
Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.
It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply, if possible.
Try to use AdwCleaner.
0 -
Ok, using the thumbdrive worked. I'm not sure why I can't reply to admin@lavasoftsupport.com but even on this machine I can't. Not a valid email address. Please find attached the requested information file. I will begin as you suggested in the email / previous post. Thank you.
0 -
You're supposed to reply here in the forum, not in a mail.
If you haven't followed my previous post yet, you don't need to do that.
1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.
Click on the Scan button.
Wait until the search has finished.
Click on the Clean button.
Click on OK.
Click on OK on any message that pops up.
The computer will be restarted.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[s0].txt
2. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.
Select Enable detection of potentially unwanted applications.
Click Advanced Settings.
Deselect Remove found threats (important due to false positives).
Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology
Click Start.
When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.
3. Start FRST.
Select Addition.txt.
Let the program scan and attach the two new log files.
0 -
I'm not sure what you mean by "Start FRST, please." Isn't that a text file?
0 -
Please, start the FRST program that you used before starting this topic.
0 -
Hi Cecilia,
Sorry for trying to reply to your email. When you said include the file in your reply, I thought that is what you meant.
After performing step 1 of your reply, a logfile was created called AdwCleaner[C1].txt. The one with [s0] was not created. There were, however, two files with an S in the square brackets, namely 1 & 2. Since I have three files and not one of them is named what you requested, I will include all three.
I will begin step 2 now.
0 -
Hi Cecilia,
I can't find addition.txt dated earlier than yesterday in any of the directories. If you need the info guide me. Here is the rest.
Bruce
0 -
Hi Bruce,
No need to apologize, I know it isn't easy to know how this forum works.
Sorry, my mistake, I meant AdwCleanerC1.txt.
Please, continue with step 2 and 3.
0 -
Hi Bruce,
1. Did you select Addition.txt after starting FRST program?
Please, try again.
2. From Eset's log file:
C:\Users\Bruce\Downloads\Firefox.exe Win32/OutBrowse.BK potentially unwanted application
Did you download Firefox from another website than the official one?
3. The following script will delete everything in the recycle bins and folders for temporary files. Please, check that you don't have anything you want to keep in those locations.
Please, start Notepad.
Copy all text that is in the box and paste in Notepad. Check that no files have been split on two lines.
CreateRestorePoint:
CloseProcesses:
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-49056582-2604055794-1413308269-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897
RemoveProxy:
FF user.js: detected! => C:\Users\Bruce\AppData\Roaming\Mozilla\Firefox\Profiles\4nhdq2q7.default\user.js [2016-04-13]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
U2 TMAgent; no ImagePath
2016-04-09 18:03 - 2016-04-09 18:03 - 00772016 _____ (Reimage®) C:\Users\Bruce\Downloads\ReimageRepair.exe
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
EmptyTemp:
Save the file as fixlist.txt on the desktop.
Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.
It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.
4. Since there are pieces of Symantec/Norton in the logs, I suggest that you run "Norton Removal Tool" to remove the left-overs.
0 -
Hi Cecilia,
1. I finally found the check box for Addition.txt in the FRST window. Please find it attached.
2. I don't know where I got Firefox anymore. I do remember attempting to make sure it was genuine though. They are pretty crafty. Anyway it doesn't really matter because I have noticed that the only browser that runs well in W10 is their new e Browser. So no problem getting rid of the firefox browser.
3. Starting on instructions from 3.
0 -
Also, I just noticed that I just responded with the infected computer so the measures must be working. Let's continue!
0 -
Hi Cecilia,
Here is the file attached for item 3 above. Heading to the Norton website now.
0 -
Hi Cecilia,
I have removed Norton and Firefox, per items 2 and 4 above.
0 -
I also noticed that the Firefox installation date was on like 4/9/2016. I didn't install it this month I guarantee that.
0 -
1. Fixlog.txt looks good.
2. The other browsers usually work well in Windows 10, too.
3. Only a few items to remove that I found in Addition.txt.
Please, start Notepad.
Copy all text that is in the box and paste in Notepad. Check that no files have been split on two lines.
CreateRestorePoint:
CloseProcesses:
AlternateDataStreams: C:\Windows:CM_89c07002dadf5991f79468c90f37e2533d020b70e8e1912a4856e84326c08211 [74]
AlternateDataStreams: C:\Windows:CM_9857127c368ba16c1f274bd4bf1d16fff75f690c8aae941604d58b4b7d00c937 [74]
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\trendmicro.com -> hxxps://pwm.trendmicro.com
IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\webcompanion.com -> hxxp://webcompanion.com
Reboot:
Save the file as fixlist.txt on the desktop.
Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.
It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.
4. Any signs of browsefox, other adware or malware now?
If no, I'll give you the instruction for how to uninstall AdwCleaner and FRST.
0 -
All seems quiet with the adware.
0 -
OK, so surfing with Chrome, a few minutes ago, a new tab came up with an opportunity for W10 PC repair. They show logos from Microsoft, McAfee, and Norton. I'm pretty sure it's an invite into the Adware spider's lair. Any comments?
0 -
If you mean that it was only a single web site that created the new tab with W10 PC repair, it maybe was an ad on that web site.
You didn't attach FRST.txt but Fixlog.txt again.
0 -
One more scan on FRST.
0 -
I see that you have recently installed a Chrome Extension called ShopAtHome.com and that extension is probably adware. Please, uninstall it: https://support.google.com/chrome_webstore/answer/2664769?hl=en
Did that help?
In Firefox, please check this Firefox configuration: https://support.mozilla.org/en-US/kb/advanced-panel-settings-in-firefox?redirectlocale=en-US&redirectslug=advanced-settings-browsing-network-updates-encryption#w_network-tab
Options - Advanced - Network
Settings for Connection
There should only be one entry in the field No Proxy For and select either No proxy or Use system proxy settings.
0 -
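The proxy entries in the fixlists above and the Firefox "No Proxy For" check can also be read straight from a saved FRST log. The following is an added example, not part of the original thread and not a FRST feature: it flags a system proxy pointing at a loopback address, Firefox proxy prefs that appear more than once, and a detected user.js. The sample lines are constructed from the ones quoted in the thread, with placeholder SID and profile path; the function names and finding labels are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on FRST lines quoted in this thread (placeholder SID/path).
SAMPLE = [
    r"ProxyServer: [S-1-5-21-EXAMPLE-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897",
    r'FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"',
    r'FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"',
    r'FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"',
    r"FF user.js: detected! => C:\Users\Example\Profiles\EXAMPLE.default\user.js [2016-04-12]",
    r"CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx",
]

PROXY_RE = re.compile(r"^ProxyServer: \[(?P<sid>[^\]]+)\] => (?P<value>.+)$")
FF_PREF_RE = re.compile(r'^FF NetworkProxy: "(?P<pref>[^"]+)", "(?P<value>[^"]*)"$')


def is_loopback(host):
    # A loopback proxy means browser traffic is handed to a process on this machine.
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(lines):
    """Return (finding, subject, detail) tuples for proxy-related log lines."""
    findings, prefs = [], Counter()
    for line in map(str.strip, lines):
        m = PROXY_RE.match(line)
        if m:
            # Value is either "host:port" or "scheme=host:port;scheme=host:port".
            for part in m["value"].split(";"):
                scheme, _, endpoint = part.rpartition("=")
                if is_loopback(endpoint.partition(":")[0]):
                    findings.append(("loopback-proxy", scheme or "all", endpoint))
            continue
        m = FF_PREF_RE.match(line)
        if m:
            prefs[(m["pref"], m["value"])] += 1
        elif line.startswith("FF user.js: detected!"):
            # user.js re-applies its prefs at every Firefox start, so it can undo manual fixes.
            findings.append(("firefox-user-js", "user.js", line.split("=> ", 1)[-1]))
    for (pref, _value), count in prefs.items():
        if count > 1:
            findings.append(("repeated-firefox-pref", pref, count))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
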
FRST.txt
0 -
OK, they were visible in the FRST.txt log file that you attached in post #24.
I know many persons that are using Firefox or Chrome in Windows 10 without any problems, but it's your decision.
Time to uninstall AdwCleaner and FRST.
1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.
Click on the Uninstall button.
2. Download OTC http://oldtimer.geekstogo.com/OTC.exe
Close all programs.
Start OTC program.
Click the CleanUp! button.
Select Yes when asked "Begin cleanup process".
If you are asked to reboot, select Yes.
If any logs remain on the computer you can remove them.
3. It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that make it easy to infect the computer from a web page. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.
0 -
I no longer have Chrome or Firefox on this machine. Again, I have never had a single successful browse with any other browser besides the e browser that comes with W10. I had it pointed out to me and I concur. No other browsers work well with W10. At least right now. I know you believe different.
0 -
If I put those browsers back, you're saying they will act like W7? Because I have 2 W10 machines and nothing browses on either one except the e Browser from W10. Too much hassle. However I have had Internet Explorer get hosed before and I couldn't get it back right until I loaded the next edition a year and a half later. So, yeah, it's scary running with only one browser that can access the internet.
0 -
Hi Cecilia, I have done everything you suggested in post #27. I tested out Opera and I like it. I had a little trouble with the Windows update. The instructions on the website say to go to the start button and the updates will be there but this is W10 and it's not the same as how the website depicts it. Some places say it's not installed. When I click install it, it refers me to the start button. The Windows update is not there. However, elsewhere I have clicked a check box that makes Windows updates automatic. So, I'm confused.
0 -
Sorry, but I don't know how the browsers will act in your computers, I only know that many persons are using them in Windows 10 without any problems. If you want, you can try the Opera browser instead, since it's nice to have an alternative browser installed.
0 -
Hi Bruce,
I'm sorry, I don't have Windows 10 and I'm not sure exactly how it works. But in Windows 10 there should be an option to install updates when you turn off and/or restart the computer by using the button in the start menu (or maybe it's the menu displayed when you right-click the start button).
Do you still have Windows Update in Control Panel or is it only available in the Settings app?
0