Solved TopDeal Malware Removal

Status: Not open for further replies.

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Run FRST again, check Addition.txt, press Scan and attach both reports.

Gone to sleep now, will respond in 8-10 hours.
 

wasteland

New Member
Thread author
Verified
Aug 22, 2014
21
There you go! Goodnight!
 

Attachments: Addition.txt (49.7 KB), FRST.txt (180.2 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Does this happen on all sites?


Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments: fixlist.txt (252 bytes)

wasteland

New Member
Thread author
Verified
Aug 22, 2014
21
Pretty much on all sites, yes. Sometimes on a particular website the ad banners might not appear immediately, but they will further on as you navigate through the pages of the site.

No result with this fix, either.
 

Attachments: Fixlog.txt (900 bytes)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Are you sure you restored your router to factory settings? I do not see signs of malware on your PC, and such a problem is often caused by a compromised router.
 

wasteland

New Member
Thread author
Verified
Aug 22, 2014
21
No, I asked if there were other alternative ways, since restoring the router to factory settings would cause a lot of problems later on when setting up the home network again. If there is no other option, though, I'll do it.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I think you'll have to do it. The PC seems clean: we cleaned the cache, there are no fake DNS settings, no malicious lines. Everything looks clean. Or just try to see if the router DNS is ok; maybe that could help without restoring.
 

wasteland

New Member
Thread author
Verified
Aug 22, 2014
21
I am far from an expert in those matters; how do I check if the router DNS is ok?
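Added example (not from the thread or from any of the tools it mentions) for the router DNS question: it parses `ipconfig /all` output from a Windows client and flags DNS servers that are neither the default gateway, nor inside the LAN, nor in an allowlist you edit, which is the usual footprint of a router whose DNS settings were changed. The sample output and the 203.0.113.77 address are constructed placeholders, and KNOWN_RESOLVERS is an assumed list.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not taken from the thread's logs).
# The second DNS entry is a placeholder public address standing in for a rogue resolver.
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.77
"""

# Resolvers you recognise as legitimate (ISP or public). Assumption: edit for your network.
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Ranges inside a home LAN (RFC 1918, ULA, link/site-local): a resolver here is the router itself.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10", "fec0::/10")]

FIELD_RE = re.compile(r"\s*(Default Gateway|DNS Servers)[ .]*:\s*(\S*)")
CONT_RE = re.compile(r"\s{20,}(\S+)\s*$")  # unlabeled continuation line with one more address


def parse_ipconfig(text):
    """Return (gateways, dns_servers) as listed in `ipconfig /all` output."""
    gateways, dns = [], []
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current = gateways if m.group(1) == "Default Gateway" else dns
            if m.group(2):
                current.append(m.group(2))
        elif current is not None and CONT_RE.match(line):
            current.append(CONT_RE.match(line).group(1))
        elif ":" in line:
            current = None  # any other labelled field ends the address list
    return gateways, dns


def unexpected_dns(gateways, dns, known=KNOWN_RESOLVERS):
    """DNS servers that are neither on the LAN/router nor a resolver you recognise.

    A router with altered DNS settings hands every client its chosen server, usually an
    unfamiliar public IP, so that is the entry worth questioning."""
    flagged = []
    for server in dns:
        try:
            addr = ipaddress.ip_address(server.split("%")[0])  # drop an IPv6 zone id
        except ValueError:
            continue
        on_lan = addr.is_loopback or any(addr in net for net in LAN_NETS)
        if server not in gateways and server not in known and not on_lan:
            flagged.append(server)
    return flagged
```

On the affected machine, feed the functions the real text from `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` instead of the sample; a flagged address is a reason to log in to the router and compare its DNS settings with what the ISP provides.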
 

wasteland

New Member
Thread author
Verified
Aug 22, 2014
21
I'm moving out of home for my studies in about a week to stay there for the next year. If I got the problem right, the malware effects should be gone from my laptop by the time I get there, right? So if it's indeed all in the router now, and since none of the other PCs connected to the wireless network has so far shown any symptoms, the issue should be resolved until I get back.

And if this indeed happens, it would be enough proof that the issue is in the router to convince the rest of the network users to allow me to reset it to factory settings.

Are there any flaws in this plan of action?
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I didn't know that other network users are not having similar issues.

Then, let's make a few more checks:

Download TDSSKiller and save it to your desktop.
  • Execute TDSSKiller.exe by double-clicking on it.
  • Confirm the "End User Licence Agreement" and "KSN Statement" dialog boxes by clicking on the Accept button.
  • Press Start Scan.
  • If a Suspicious object is detected, the default action will be Skip; click on Continue.
  • If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt

Please post the contents of that log in your next reply.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.
 

wasteland

New Member
Thread author
Verified
Aug 22, 2014
21
For some reason it didn't let me upload the TDSSK log, claiming the source file was empty (which it wasn't). So, here it is: http://1drv.ms/1lrHKxy
 

Attachments: Addition.txt (53.2 KB), FRST.txt (177.3 KB)

wasteland

New Member
Thread author
Verified
Aug 22, 2014
21
On Firefox too, but I never use it anyway. Incredibly, it doesn't seem to be happening on IE, which I have just opened for the first time in years.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    createsrpoint;
    autoclean;
    emptyalltemp;
    chrdefaults;
    ffdefaults;
    ipconfig /flushdns;
  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in Notepad.
  • If a reboot is needed, it will be opened after it. You may also find it on your main drive (usually the C:\ drive).

Post its content into your next reply.
 

wasteland

New Member
Thread author
Verified
Aug 22, 2014
21
Here's the zoek report. It would seem that the problem is solved, thankfully! I don't see any topdeal ads or banners or all the other annoying stuff. It seems gone from Firefox as well!

Zoek.exe v5.0.0.0 Updated 24-08-2014
Tool run by Marco on 25/08/2014 at 16:20:37,36.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Marco\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

25/08/2014 16:22:45 Zoek.exe System Restore Point Created Succesfully.

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

Deleted from C:\Users\Marco\AppData\Roaming\Mozilla\Firefox\Profiles\fjxaar60.default\prefs.js:

Added to C:\Users\Marco\AppData\Roaming\Mozilla\Firefox\Profiles\fjxaar60.default\prefs.js:
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("browser.search.defaulturl", "http://www.google.com/search?btnG=Google+Search&q=");
user_pref("browser.newtab.url", "http://www.google.com/");
user_pref("browser.search.defaultengine", "Google");
user_pref("browser.search.defaultenginename", "Google");
user_pref("browser.search.selectedEngine", "Google");
user_pref("browser.search.order.1", "Google");
user_pref("keyword.URL", "http://www.google.com/search?btnG=Google+Search&q=");
user_pref("browser.search.suggest.enabled", true);
user_pref("browser.search.useDBForOrder", true);

ProfilePath: C:\Users\Marco\AppData\Roaming\Mozilla\Firefox\Profiles\fjxaar60.default

user.js not found
---- Lines extensions.Yv9QfxABCe removed from prefs.js ----
user_pref("extensions.Yv9QfxABCe.epoch", "1409061741");
user_pref("extensions.Yv9QfxABCe.url", "http://webdriiver.in/sync2/?q=hfZ9o...MCMlNhd9Fqda5rTwFrTn4rTsMBzqUojw9rdYGqjw9rdw8
---- FireFox user.js and prefs.js backups ----

prefs_082014_1630_.backup

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\Users\Marco\AppData\Local\Packages\windows_ie_ac_001\AC\{A1A22A8D-201E-1E2B-F930-51282B318E49} deleted
C:\PROGRA~2\Wondershare deleted
C:\Users\Marco\AppData\Local\Wondershare deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\Users\Marco\Downloads\iLividSetup-r1796-n-bc.exe deleted
C:\Users\Marco\AppData\Roaming\Mozilla\Firefox\Profiles\fjxaar60.default\extensions\xorzo@auaadthq.edu deleted
"C:\Windows\Installer\f0736.msi" deleted
"C:\PROGRA~3\boost_interprocess\Nobu64AgentService" deleted
"C:\PROGRA~3\boost_interprocess\Nobu64TrayIcon" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact\CBSCreateVC.dll" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact\CBSProducstInfo.dll" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact\DAQExp.dll" deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact\WSHelper.exe" deleted
"C:\PROGRA~2\COMMON~1\Wondershare" not deleted
"C:\PROGRA~3\boost_interprocess" not deleted
"C:\PROGRA~2\COMMON~1\Wondershare\Wondershare Helper Compact" deleted

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{4ED1F68A-5463-4931-9384-8FFF5ED91D92}"="C:\Program Files (x86)\McAfee\SiteAdvisor" [12/08/2014 21:23]

==== Firefox Extensions ======================

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================


==== Chrome Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
fheoggkfdfchfphceeifdbepaooicaho - No path found[]

One Last Pass Password Manager - Marco\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnpobogcpnkgjpfjcmmgppgpmihanimo
SiteAdvisor - Marco\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho

==== Chromium Startpages ======================

C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Preferences
"homepage": "http://www.sweet-page.com/?type=hp&...HitachiXHTS545050A7E380_TEA55A3R1XT20J1XT20JX",


==== Chrome Fix ======================

C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_www.superfish.com_0.localstorage deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_www.superfish.com_0.localstorage-journal deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage-journal deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_en.softonic.com_0.localstorage deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_visualboyadvance.en.softonic.com_0.localstorage deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_wondershare-video-editor-win.en.softonic.com_0.localstorage deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Extensions\fheoggkfdfchfphceeifdbepaooicaho deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Extensions\cnpobogcpnkgjpfjcmmgppgpmihanimo deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cnpobogcpnkgjpfjcmmgppgpmihanimo_0.localstorage deleted successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_cnpobogcpnkgjpfjcmmgppgpmihanimo_0.localstorage-journal deleted successfully

==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE11SR"

==== Reset Google Chrome ======================

C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Preferences was reset successfully
C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Web Data was reset successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\203E62EEA6789D84098513925E9B9999 deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Google\Chrome\Extensions\fheoggkfdfchfphceeifdbepaooicaho deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{EE26E302-876A-48D9-9058-3129E5B99999} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\203E62EEA6789D84098513925E9B9999 deleted successfully

==== Empty IE Cache ======================

C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Marco\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Marco\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\WINDOWS\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

C:\Users\Marco\AppData\Local\Mozilla\Firefox\Profiles\fjxaar60.default\Cache emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Marco\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=946 folders=89 218751320 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\Marco\AppData\Local\Temp will be emptied at reboot
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\WINDOWS\Temp successfully emptied
C:\Users\Marco\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\PROGRA~2\COMMON~1\Wondershare" not found
"C:\PROGRA~3\boost_interprocess" not deleted

==== EOF on 25/08/2014 at 16:35:38,34 ======================

So, is this finally over?
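The ZOEK log above shows what actually carried the ads: a Firefox extension namespace with a random name (extensions.Yv9QfxABCe.*) holding a remote URL, plus a Chrome homepage pointing at sweet-page.com. As an added example, not part of the thread or of ZOEK, here is a small prefs.js triage that flags both patterns so you can spot them in a fresh profile before running a cleaner. The prefs excerpt is constructed from the lines in the log (the webdriiver.in query string is shortened and the keyword.URL line reuses the sweet-page.com host seen in the Chrome section); TRUSTED_SUFFIXES is an assumed allowlist.

```python
import re
from urllib.parse import urlsplit

# Constructed prefs.js excerpt modelled on the ZOEK log (query string shortened).
SAMPLE_PREFS = '''\
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("browser.search.defaulturl", "http://www.google.com/search?btnG=Google+Search&q=");
user_pref("browser.search.suggest.enabled", true);
user_pref("extensions.Yv9QfxABCe.epoch", "1409061741");
user_pref("extensions.Yv9QfxABCe.url", "http://webdriiver.in/sync2/?q=hfZ9o");
user_pref("keyword.URL", "http://www.sweet-page.com/?type=hp");
'''

PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.*)\);$')

# Hosts a clean default profile may legitimately point at. Assumption: extend for your setup.
TRUSTED_SUFFIXES = ("google.com", "bing.com", "duckduckgo.com", "mozilla.org", "mozilla.com")

# Prefs that hijackers rewrite to redirect the homepage, new tab and address-bar searches.
HIJACK_PREFS = ("browser.startup.homepage", "browser.newtab.url", "keyword.URL",
                "browser.search.defaulturl")


def parse_prefs(text):
    """Map pref name -> value (surrounding quotes stripped) from prefs.js / user.js lines."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            key, raw = m.groups()
            prefs[key] = raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw
    return prefs


def host_of(value):
    """Hostname of a URL-valued pref, or None for values such as true or 1409061741."""
    if not value.startswith(("http://", "https://")):
        return None
    return (urlsplit(value).hostname or "").lower()


def is_trusted(host):
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def triage_prefs(prefs):
    """Return (pref, host, reason) tuples for prefs that look like adware/hijacker leftovers."""
    findings = []
    for key, value in prefs.items():
        host = host_of(value)
        if host is None:
            continue
        if key.startswith("extensions."):
            # A random-looking extensions.<id>.* namespace that stores a remote URL is the
            # pattern ZOEK removed: a sideloaded add-on fetching its ad script from a server.
            findings.append((key, host, "extension pref points at a remote URL"))
        elif key in HIJACK_PREFS and not is_trusted(host):
            findings.append((key, host, "homepage/search pref redirected to untrusted host"))
    return findings
```

Point `parse_prefs` at the text of `%APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js` (and user.js if present) to run it against a real profile.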
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
I think it is :D



Below you will find my thoughts about securing your machine. Go through it; you will benefit from some useful advice about safe computing.


Recommended reading:
MUST READ - security tips:
MUST READ - general maintenance:

The Importance of Software Updating:

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavors running.

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.




Recommended additional software:
  • TFC - to clean unneeded temporary files.
  • Malwarebytes' Anti-Malware - to scan your system from time to time in search of malware.
  • Malwarebytes' Anti-Exploit - to protect against many of the most commonly exploited vulnerabilities.
  • McShield - to prevent infections spread by removable media.
  • CryptoPrevent - to secure yourself from the very severe CryptoLocker infection.
  • Unchecky - to prevent installing additional foistware included in legitimate installations.
  • FileHippo.com Update Checker - to keep your programs up-to-date.
  • Adblock - to surf the web without annoying ads!



Post-cleanup procedures:


Download DelFix by Xplode and save it to your desktop.
  • Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
  • Make sure that these ones are checked:
    • Remove disinfection tools
    • Purge system restore
    • Reset system settings
  • Push Run and wait until the tool completes its work.
  • All tools we used should be gone. The tool will create a report for you (C:\DelFix.txt).
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.



My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!




Stay safe,
TwinHeadedEagle :)
 