
Comments

31 comments

  • Support

    Hi Bruce,

     

    Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

    Turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

    Click on the Log file button.
    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[R0].txt.

    0
  • Customer

    Wow! When I tried to reply, the mailer daemon said that the email address doesn't exist. I'm trying to post to this forum right now but the adware is blocking all attempts I make to stay on this website long enough to submit the file. This is ridiculous. I got this message through on another computer.

    0
  • Customer

    Also, on the computer that is infected, somehow it has blocked my ability to have permission to access the rest of my network so I cannot move the file over to this machine and send it to you. Any ideas on how to get you the requested information? The external drive I'm trying to write to is shared with all permissions granted to everyone. All other computers can write or read to or from the drive.

    0
  • Support

    Do you have a Flash Drive (thumb drive) or a rewriteable CD/DVD disc that you can move between the computers?

    Or can you paste the content of the files on http://pastebin.com/ or upload the files to a file sharing site (e.g. OneDrive) with one of your browsers?

     

    You can start with this fix that removes some pieces of the infection and see if you can do more afterwards:

    Please, start Notepad.
    Copy all text that is in the box:

    CreateRestorePoint:
    CloseProcesses:
    (Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
    (Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
    () C:\Program Files (x86)\snipsmart\bin\snipsmart.expext.exe
    () C:\Program Files (x86)\snipsmart\bin\snipsmart.Plinx.exe
    (Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
    (Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
    ProxyServer: [S-1-5-21-49056582-2604055794-1413308269-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
    FF user.js: detected! => C:\Users\Bruce\AppData\Roaming\Mozilla\Firefox\Profiles\4nhdq2q7.default\user.js [2016-04-12]
    CHR Extension: (snipsmart) - C:\Users\Bruce\AppData\Local\Google\Chrome\User Data\Default\Extensions\dolmieohajibablnfnfapnocdcdggijm [2016-04-02] [UpdateUrl: hxxp://wwwsnipsmartinfo-a.akamaihd.net/update/chrome] <==== ATTENTION
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
    R2 Update snipsmart; C:\Program Files (x86)\snipsmart\updatesnipsmart.exe [650952 2016-04-11] ()
    R2 Util snipsmart; C:\Program Files (x86)\snipsmart\bin\utilsnipsmart.exe [650952 2016-04-11] ()
    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply, if possible.

     

    Try to use AdwCleaner.

    0
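A triage pass over the kind of FRST lines quoted in the fixlist above, as an added example that is not part of the original post or of FRST itself. It flags a system proxy that points at a loopback address, a Chrome extension whose update URL is not the host seen on the unflagged CHR lines, a Firefox `user.js` override, and executables with an empty leading `()` field; the function names, finding labels and those four heuristics are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Lines copied from the fixlist in the post above (a subset, used as sample input).
SAMPLE_LOG = r"""
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
() C:\Program Files (x86)\snipsmart\bin\snipsmart.expext.exe
ProxyServer: [S-1-5-21-49056582-2604055794-1413308269-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897
FF user.js: detected! => C:\Users\Bruce\AppData\Roaming\Mozilla\Firefox\Profiles\4nhdq2q7.default\user.js [2016-04-12]
CHR Extension: (snipsmart) - C:\Users\Bruce\AppData\Local\Google\Chrome\User Data\Default\Extensions\dolmieohajibablnfnfapnocdcdggijm [2016-04-02] [UpdateUrl: hxxp://wwwsnipsmartinfo-a.akamaihd.net/update/chrome] <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
"""

# Assumption: the update host on the unflagged CHR lines is the expected one.
WEBSTORE_HOST = "clients2.google.com"

def is_loopback(host):
    """True for localhost or any loopback IP address (127.0.0.0/8, ::1)."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # an ordinary hostname

def triage(log_text):
    """Return (line_no, finding, detail) tuples for lines worth a second look."""
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        line = line.strip()
        m = re.match(r"ProxyServer: \[[^\]]+\] => (.+)", line)
        if m:  # value is "scheme=host:port;..." or a bare "host:port"
            for entry in m[1].split(";"):
                scheme, sep, hostport = entry.partition("=")
                if not sep:
                    scheme, hostport = "all", entry
                if is_loopback(hostport.rsplit(":", 1)[0]):
                    findings.append((n, "loopback-proxy", f"{scheme} -> {hostport}"))
            continue
        m = re.search(r"\[UpdateUrl: (\S+)\]", line)
        if m:  # refang hxxp:// before parsing the URL
            host = urlsplit(re.sub(r"^hxxp", "http", m[1])).hostname
            if host != WEBSTORE_HOST:
                findings.append((n, "ext-update-host", host))
            continue
        if line.startswith("FF user.js: detected!"):
            findings.append((n, "firefox-user-js", line.split("=> ", 1)[-1]))
            continue
        m = re.match(r"\(\) ([A-Za-z]:\\.+)", line)
        if m:  # assumption: the leading () field is the file's company name
            findings.append((n, "no-company-name", m[1]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A loopback proxy entry matters for cleanup order as well as detection: if the local program is removed while the setting stays, the browsers lose connectivity until the proxy value is reset.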
  • Customer

    Ok, using the thumbdrive worked. I'm not sure why I can't reply to admin@lavasoftsupport.com but even on this machine I can't. Not a valid email address. Please find attached the requested information file. I will begin as you suggested in the email / previous post. Thank you.

    AdwCleanerS1.txt

    0
  • Support

    You're supposed to reply here in the forum, not in a mail.

     

    If you haven't followed my previous post yet, you don't need to do that.

     

    1. Please, turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Scan button.
    Wait until the search has finished.

    Click on the Clean button.

    Click on OK.
    Click on OK on any message that pops up.
    The computer will be restarted.

    A report will be displayed, copy its content and paste into your reply.
    If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[s0].txt

     

    2. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
    To shorten the scanning time disable your antivirus program while scanning.

    Select Enable detection of potentially unwanted applications.
    Click Advanced Settings.

    Deselect Remove found threats (important due to false positives).

    Select:
    Scan Archives
    Scan for potentially unsafe applications
    Enable Anti-Stealth Technology

    Click Start.

    When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

     

     

    3. Start FRST.

    Select Addition.txt.

    Let the program scan and attach the two new log files.

    0
  • Customer

    I'm not sure what you mean by "Start FRST, please." Isn't that a text file?

    0
  • Support

    Please, start the FRST program that you used before starting this topic.

    0
  • Customer

    Hi Cecilia,

     

    Sorry for trying to reply to your email. When you said include the file in your reply, I thought that is what you meant.

     

    After performing step 1 of your reply, a logfile was created called AdwCleaner[C1].txt. The one with [s0] was not created. There were, however, two files with an S in the square brackets, namely 1 & 2. Since I have three files and not one of them is named what you requested, I will include all three.

     

    I will begin step 2 now.

    AdwCleanerC1.txt

    AdwCleanerS1.txt

    AdwCleanerS2.txt

    0
  • Customer

    Hi Cecilia,

     

    I can't find addition.txt dated earlier than yesterday in any of the directories. If you need the info, guide me. Here is the rest.

     

    Bruce

    FRST.txt

    Results of ESET scan as requested.txt

    0
  • Support

    Hi Bruce,

     

    No need to apologize, I know it isn't easy to know how this forum works.

     

    Sorry, my mistake, I meant AdwCleanerC1.txt.

     

    Please, continue with step 2 and 3.

    0
  • Support

    Hi Bruce,

    1. Did you select Addition.txt after starting FRST program?
    Please, try again.


    2. From Eset's log file:
    C:\Users\Bruce\Downloads\Firefox.exe Win32/OutBrowse.BK potentially unwanted application

    Did you download Firefox from another website than the official one?


    3. The following script will delete everything in the recycle bins and folders for temporary files. Please, check that you don't have anything you want to keep in those locations.

    Please, start Notepad.
    Copy all text that is in the box:

    CreateRestorePoint:
    CloseProcesses:
    GroupPolicy: Restriction - Chrome <======= ATTENTION
    CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
    ProxyServer: [S-1-5-21-49056582-2604055794-1413308269-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897
    RemoveProxy:
    FF user.js: detected! => C:\Users\Bruce\AppData\Roaming\Mozilla\Firefox\Profiles\4nhdq2q7.default\user.js [2016-04-13]
    CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
    U2 TMAgent; no ImagePath
    2016-04-09 18:03 - 2016-04-09 18:03 - 00772016 _____ (Reimage®) C:\Users\Bruce\Downloads\ReimageRepair.exe
    CMD: ipconfig /flushdns
    CMD: netsh winsock reset catalog
    CMD: netsh int ip reset c:\resetlog.txt
    EmptyTemp:
    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply.


    4. Since there are pieces of Symantec/Norton in the logs, I suggest that you run "Norton Removal Tool" to remove the left-overs.


    0
  • Customer

    Hi Cecilia,

     

    1. I finally found the check box for Addition.txt in the FRST window. Please find it attached.

     

    2. I don't know where I got Firefox anymore. I do remember attempting to make sure it was genuine though. They are pretty crafty. Anyway, it doesn't really matter because I have noticed that the only browser that runs well in W10 is their new e Browser. So no problem getting rid of the Firefox browser.

     

    3. Starting on instructions from 3.

    Addition.txt

    0
  • Customer

    Also, I just noticed that I just responded with the infected computer so the measures must be working. Let's continue!

    0
  • Customer

    Hi Cecilia,

     

    Here is the file attached for item 3 above. Heading to the Norton website now.

    Fixlog.txt

    0
  • Customer

    Hi Cecilia,

     

    I have removed Norton and Firefox, per items 2 and 4 above.

    0
  • Customer

    I also noticed that the Firefox installation date was on like 4/9/2016. I didn't install it this month I guarantee that.

    0
  • Support

    1. Fixlog.txt looks good.

     

     

    2. The other browsers usually work well in Windows 10, too.

     

     

    3. Only a few items to remove that I found in Addition.txt.

     

    Please, start Notepad.
    Copy all text that is in the box:

    CreateRestorePoint:
    CloseProcesses:
    AlternateDataStreams: C:\Windows:CM_89c07002dadf5991f79468c90f37e2533d020b70e8e1912a4856e84326c08211 [74]
    AlternateDataStreams: C:\Windows:CM_9857127c368ba16c1f274bd4bf1d16fff75f690c8aae941604d58b4b7d00c937 [74]
    IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
    IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\localhost -> localhost
    IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\trendmicro.com -> hxxps://pwm.trendmicro.com
    IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\webcompanion.com -> hxxp://webcompanion.com
    Reboot:
    and paste in Notepad. Check that no files have been split on two lines.
    Save the file as fixlist.txt on the desktop.

    Exit all programs.
    Start FRST, please.
    Click the Fix button.
    Wait until the tool has finished.

    It creates a log file, called Fixlog.txt, on the desktop.
    Please, paste the content of that file in your reply.

     

     

    4. Any signs of browsefox, other adware or malware now?

    If no, I'll give you the instruction for how to uninstall AdwCleaner and FRST.

    0
  • Customer

    All seems quiet with the adware.

    Fixlog.txt

    0
  • Customer

    OK, so surfing with Chrome, a few minutes ago, a new tab came up with an opportunity for W10 PC repair. They show logos from Microsoft, McAfee, and Norton. I'm pretty sure it's an invite into the Adware spider's lair. Any comments?

    0
  • Support

    If you mean that it was only a single web site that created the new tab with W10 PC repair, it maybe was an ad on that web site.

    You didn't attach FRST.txt but Fixlog.txt again.

    0
  • Customer

    One more scan on FRST.

    Addition.txt

    Fixlog.txt

    0
  • Support

    I see that you have recently installed a Chrome Extension called ShopAtHome.com and that extension is probably adware. Please, uninstall it: https://support.google.com/chrome_webstore/answer/2664769?hl=en

     

    Did that help?

     

     

    In Firefox, please check this Firefox configuration: https://support.mozilla.org/en-US/kb/advanced-panel-settings-in-firefox?redirectlocale=en-US&redirectslug=advanced-settings-browsing-network-updates-encryption#w_network-tab

    Options - Advanced - Network

    Settings for Connection

    There should only be one entry in the field No Proxy For and select either No proxy or Use system proxy settings.

    0
  • Customer

    FRST.txt

    FRST.txt

    0
  • Support

    OK, they were visible in the FRST.txt log file that you attached in post #24.

     

    I know many persons that are using Firefox or Chrome in Windows 10 without any problems, but it's your decision.

     

     

    Time to uninstall AdwCleaner and FRST.

     

    1. Please, turn off all programs, including browsers.
    Double-click on AdwCleaner to start the program.

    Click on the Uninstall button.

    2. Download OTC http://oldtimer.geekstogo.com/OTC.exe
    Close all programs.
    Start OTC program.
    Click the CleanUp! button.
    Select Yes when asked "Begin cleanup process".
    If you are asked to reboot, select Yes.
    If any logs remain on the computer you can remove them.

    3. It is very important to keep Windows and all programs updated. An old version of, for example, Flash contains vulnerabilities that make it easy to infect the computer from a web page. To help you with keeping everything updated you can use the program Secunia Personal Software Inspector (PSI). http://www.bleepingcomputer.com/tutorials/detect-vulnerable-programs-with-secunia-psi/ describes how to install and use the program.

    0
  • Customer

    I no longer have Chrome or Firefox on this machine. Again, I have never had a single successful browse with any other browser besides the e browser that comes with W10. I had it pointed out to me and I concur. No other browsers work well with W10. At least right now. I know you believe different.

    0
  • Customer

    If I put those browsers back, you're saying they will act like W7? Because I have 2 W10 machines and nothing browses on either one except the e Browser from W10. Too much hassle. However, I have had Internet Explorer get hosed before and I couldn't get it back right until I loaded the next edition a year and a half later. So, yeah, it's scary running with only one browser that can access the internet.

    0
  • Customer

    Hi Cecilia, I have done everything you suggested in post #27. I tested out Opera and I like it. I had a little trouble with the Windows update. The instructions on the website say to go to the start button and the updates will be there, but this is W10 and it's not the same as how the website depicts it. Some places say it's not installed. When I click install it, it refers me to the start button. The Windows update is not there. However, elsewhere I have clicked a check box that makes Windows updates automatic. So, I'm confused.

    0
  • Support

    Sorry, but I don't know how the browsers will act in your computers, I only know that many persons are using them in Windows 10 without any problems. If you want, you can try the Opera browser instead, since it's nice to have an alternative browser installed.

    0
  • Support

    Hi Bruce,

     

    I'm sorry, I don't have Windows 10 and I'm not sure exactly how it works. But in Windows 10 there should be an option to install updates when you turn off and/or restart the computer by using the button in the start menu (or maybe it's the menu displayed when you right-click the start button).

     

    Do you still have Windows Update in Control Panel or is it only available in the Settings app?

    Windows Update Troubleshooter

    0
