  1. Before you start!
    All given instructions in this forum are customized for each help request; the tools used may cause damage if used on a computer with different infections. If you think you have similar issues, please post the appropriate logs in our Malware Removal Assistance forum and wait for help.

    Please be aware that removing malware is a potentially hazardous undertaking. We will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for us to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and we cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
    We strongly advise you to back up any personal files and folders before you start.

Surf and Keep/AllCheapPrice/Tuvaro/WatchitNoAds

Discussion in 'Malware Removal Assistance' started by Polyphase Avatron, Feb 1, 2014.

  1. Polyphase Avatron

    Polyphase Avatron New Member

    Reputation:
    0
    Joined:
    Feb 1, 2014
    Messages:
    25
    Likes Received:
    0
    Operating System:
    Windows Vista
    Are you using a 32-bit or 64-bit operating system?:
    32-bit (x86)
    Infection date and initial symptoms:
    Several months ago, lots of ads and unwanted extensions, browser search redirect
    Current issues and symptoms:
    "WatcheItNoeAds 2.7" Chrome browser extension undeletable due to being "installed by enterprise policy", creates random links in website text. Browser search redirects to Tuvaro search when I open a new tab and type something (previously it would go to google search)
    Steps taken in order to remove the infection:
    Uninstalled and deleted many files, tried programs adwcleaner, JRT Junkware remove, Malwarebytes Anti-Malware (both quick and full scan), Malwarebytes Anti-Rootkit BETA, Hitman Pro 3.7, Cloud System Booster, Farbar Recovery Scan Tool, aswMBR, problem persists.
    What scan logs have you uploaded to this post?:
    • FRST scan log
    • aswMBR scan log
    I have had serious problems since a few months ago when I downloaded a file, it installed the "Surf and Keep" adware, which I sort of got rid of, but this browser extension "aalchheapprice" or something kept popping up, then after a while another one called "WatcheItNoeAds2.7" appeared. I could remove the first one every time I booted Chrome but it kept coming back, the second one, however, is "installed by enterprise policy" and undeletable. I eventually got rid of the first one by deleting something in program data and it hasn't yet reappeared, but I can't get rid of the second one. In addition, ever since the problem started, any random search (i.e. opening a new tab and typing something) will take me to the Tuvaro search instead of Google search. The "WatcheItNoeAds2.7" seems to create random links in website text.
     


  2. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    Reputation:
    1,000
    Joined:
    Mar 8, 2013
    Messages:
    9,722
    Likes Received:
    683
    Hi,


    Uninstall the following from Control Panel:
    - GS.Supporter 1.80
    - GS-Enabler
    - GS-Supporter 1.80
    - Speed Streamer
    - YoutubeAdblocker


    Restart your PC.



    Then:



    Download the attached fixlist.txt to the same location as FRST (otherwise the fix won't work).

    Open FRST, and click Fix. Attach that report after it is finished.
     


  3. Polyphase Avatron

    Polyphase Avatron New Member

    GS-Enabler and YoutubeAdBlocker aren't appearing on the control panel programs list, also when I try to uninstall the others I get an error, saying it can't find a dll or ena file and "the specified module could not be found".
     
  4. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    Then skip it and jump to the other step.



    Then...



    Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
    Unpack the archive...
    • Close any open browsers
    • Temporarily disable your AntiVirus program. (If necessary)
      If you are unsure how to do this please read this or this Instruction.
    • Double-click on zoek.exe to run the tool.
      Please wait until the tool starts...
    • Copy the text present inside the code box below and paste it into the large window in the zoek tool:

      Code:
      createsrpoint; 
      StandardSearch; 
      emptyfolderscheck; 
      installer-list; 
      installedprogs; 
      uninstall-list;
    • Click on [​IMG] button.
      Please wait until a log report opens (this can be after a reboot)
    • Save the Notepad file to your Desktop and attach zoek-results.log here
      Note: It will also create a log in the C:\ directory named "zoek-results.log"
     
  5. Polyphase Avatron

    Polyphase Avatron New Member

    I try to upload it but it says it has an invalid file extension (.log)
     
  6. Polyphase Avatron

    Polyphase Avatron New Member

    Okay, I changed the extension.
     


  7. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    Run Zoek again, but now with this script

    Code:
    emptyclsid;
    emptyfolderscheck;delete
    shortcutfix;
    resetIEproxy;
    netsh int ip reset >> %temp%\log.txt;b
    ipconfig /flushdns >> %temp%\log.txt;b
    resethosts;
    emptyalltemp;
    autoclean;
     
    Last edited: Feb 1, 2014
  8. Polyphase Avatron

    Polyphase Avatron New Member

    That didn't solve the problem, WatcheItNoeAds2.7 is still there, as well as the Tuvaro redirect. Should I delete the files/folders in the zoek log that show where those extensions are? (Comodo and whatnot)?

    EDIT: Speed Streamer also still appears in the control panel list of installed programs.
     
  9. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    Follow my last instruction and attach requested report...
     
  10. Polyphase Avatron

    Polyphase Avatron New Member

    Here's the log produced by running the zoek program with your latest instruction.

    I'm unclear as to what you want me to do next.
     


    Last edited: Feb 1, 2014
  11. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    Run Zoek again with this script

    Code:
    QuickScan;
     
  12. Polyphase Avatron

    Polyphase Avatron New Member

    Okay, I did, here is the result.
     


  13. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    Re-run Zoek with this script

    Code:
    ffmenu@savevid.com;ff
    surfu anD keepp;chr
    surf and keep;chr
    Closed tabs;chr
    grEAtseavieRR;chr
    YTBiookMark;chr
    SNT;chr
    suRF and keep;chr
    YoutubeAdblocker;chr
    suurf and kueepp;chr
    autoclean;
    emptyclsid;
    emptyalltemp;
     
  14. Polyphase Avatron

    Polyphase Avatron New Member

    Okay, I ran it, but WatchItNoAds and the Tuvaro redirect are still there after I rebooted and started Chrome again. Here's the newest log.
     


  15. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    Run zoek again with this script

    Code:
    Quickscan;
     
  16. Polyphase Avatron

    Polyphase Avatron New Member

    Ok, here is the result.

    What next?
     


    Last edited: Feb 2, 2014
  17. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    We need to investigate further.


    Download TDSSKiller and save it to your desktop

    Execute TDSSKiller.exe by double-clicking on it.
    Confirm the "End user Licence Agreement" and "KSN Statement" dialog boxes by clicking on the Accept button.
    • Press Start Scan
    • If Suspicious object is detected, the default action will be Skip, click on Continue.
    • If Malicious objects are found, select Cure.

    Once complete, a log will be produced at the root drive, which is typically C:\, for example, C:\TDSSKiller.<version_date_time>log.txt


    Please post the contents of that log in your next reply.



    Then re-run FRST and attach both reports...
     
  18. Polyphase Avatron

    Polyphase Avatron New Member

    Here it is. It says it didn't find anything.

    Now what?
     


  19. TwinHeadedEagle

    TwinHeadedEagle Malware Removal Expert MalwareTips Staff

    You're missing FRST reports...
     
  20. Polyphase Avatron

    Polyphase Avatron New Member

    I'm confused, it only created one report.

    Is there anything else I need to do?
     


    Last edited: Feb 3, 2014
