Adware in Firefox/Chrome, think there's also a rootkit.

zach

New Member
Thread author
Feb 14, 2014
5
Not really sure how to deal with this, the programs I've run already don't seem to recognize it as a problem (the scans suggested at the top of this forum seem to have found something, though, so that's promising.) I had it deleted at one point, but it came back within a few days. Has definitely slowed down browsing. I can't seem to find much about it online, it's not currently showing in Firefox but Chrome has 2 extensions (one is called BitSaver 5.1 and is removable but automatically comes back, the other is called RemoveTheAdApP 3.5 and has Enabled checked, and is greyed out. Underneath it says "Installed by enterprise policy." completely unremovable through browser from what I can tell). Like I said, practically nothing shows up in Google searches for those 2 things.

Thank you for any help!
 

Attachments

  • Addition.txt (23.5 KB)
  • aswMBR.txt (2.4 KB)
  • FRST.txt (32.7 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hi, and welcome to MalwareTips :)


Go to Control Panel and uninstall the following:
- SK.Enhancer
- WinSpeed
- Winclean performap


Then...



1. Open Notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open Notepad window.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Code:
Task: {A91A2E75-6234-4799-A548-03352F29AF97} - System32\Tasks\SK.Enhancer-S-161304646 => c:\programdata\quickset\sk.enhancer\SK.Enhancer.exe <==== ATTENTION
c:\programdata\quickset
Task: C:\Windows\Tasks\SK.Enhancer-S-161304646.job => c:\programdata\quickset\sk.enhancer\SK.Enhancer.exe <==== ATTENTION
AppInit_DLLs: C:\PROGRA~3\WinSpeed\WINSPE~1.DLL => C:\ProgramData\WinSpeed\WinSpeed_x64.dll [4197376 2013-12-28] ()
AppInit_DLLs: C:\PROGRA~3\WINCLE~1\WINCLE~2.DLL => C:\ProgramData\Winclean performap\Wincleanperformap_x64.dll [4391424 2013-12-29] ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
C:\PROGRA~3\WinSpeed
C:\PROGRA~3\WINCLE~1
BHO: RemoveTheAdApP - {347D16B4-5F50-4F5B-AC27-A815925BE36E} - C:\ProgramData\RemoveTheAdApP\7.x64.dll ()
BHO: UUteubeADReMeovualu - {8A62C290-A416-2675-4B1B-400AA935681F} - C:\ProgramData\UUteubeADReMeovualu\Rt0NUZfl.x64.dll ()
BHO-x32: RemoveTheAdApP - {347D16B4-5F50-4F5B-AC27-A815925BE36E} - C:\ProgramData\RemoveTheAdApP\7.dll ()
BHO-x32: UUteubeADReMeovualu - {8A62C290-A416-2675-4B1B-400AA935681F} - C:\ProgramData\UUteubeADReMeovualu\Rt0NUZfl.dll ()
C:\ProgramData\RemoveTheAdApP
C:\ProgramData\UUteubeADReMeovualu
FF DefaultSearchEngine: Wowhead
FF SearchEngineOrder.user_pref("browser.search.order.1", "");: user_pref("browser.search.order.1", "");
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "");: user_pref("browser.search.order.1,S", "");
FF SelectedSearchEngine: Wowhead
FF SearchPlugin: C:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\ynqg34zf.default\searchplugins\wowhead.xml
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR Extension: (RemoveTheAdApP) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\lppmokjogjfjfbhmmeehhhdcnmkpladh [2014-01-30]
CHR Extension: (BitSaver) - C:\ProgramData\mahbdlkfdnmfnndocdpbbfpkkfdodaan [2013-12-31]
R2 def8540c; C:\ProgramData\Winclean performap\WincleanperformapSvc.dll [177488 2013-12-29] ()
R2 f1f78e38; C:\ProgramData\WinSpeed\WinSpeedSvc.dll [180560 2013-12-28] ()
2014-01-30 19:52 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\UUteubeADReMeovualu
2014-01-30 19:52 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\RemoveTheAdApP
2014-01-30 19:52 - 2013-12-06 23:51 - 00000000 ____D () C:\ProgramData\965a642fcbaad410
2014-01-30 19:51 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\lppmokjogjfjfbhmmeehhhdcnmkpladh
2014-01-30 19:51 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\fnenkjcmnokljgpichcommfeghihhoae
C:\ProgramData\hash.dat
C:\Users\Zach\jagex_cl_runescape_LIVE.dat
C:\Users\Zach\jagex_runescape_preferences.dat
C:\Users\Zach\jagex_runescape_preferences2.dat
C:\Users\Zach\random.dat
C:\Users\Zach\AppData\Local\Temp\AskMrRobot-Setup-1.3.10.0.exe
C:\Users\Zach\AppData\Local\Temp\askToolbarInstaller.exe
C:\Users\Zach\AppData\Local\Temp\CmdLineExt02.dll
C:\Users\Zach\AppData\Local\Temp\devcon.exe
C:\Users\Zach\AppData\Local\Temp\drm_dyndata_7370014.dll
C:\Users\Zach\AppData\Local\Temp\drm_dyndata_7380014.dll
C:\Users\Zach\AppData\Local\Temp\dxwebsetup.exe
C:\Users\Zach\AppData\Local\Temp\GLFAC8C.tmp.ConduitEngineSetup.exe
C:\Users\Zach\AppData\Local\Temp\GomEncDnInstaller.exe
C:\Users\Zach\AppData\Local\Temp\ietA7F5.tmp.exe
C:\Users\Zach\AppData\Local\Temp\iTunesPluginWinSetup_3.0.4.0.exe
C:\Users\Zach\AppData\Local\Temp\iv_uninstall.exe
C:\Users\Zach\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Zach\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\Zach\AppData\Local\Temp\mirc719.exe
C:\Users\Zach\AppData\Local\Temp\mirc722.exe
C:\Users\Zach\AppData\Local\Temp\Quarantine.exe
C:\Users\Zach\AppData\Local\Temp\SIntf16.dll
C:\Users\Zach\AppData\Local\Temp\SIntf32.dll
C:\Users\Zach\AppData\Local\Temp\SIntfNT.dll
C:\Users\Zach\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Zach\AppData\Local\Temp\tmchth.exe
C:\Users\Zach\AppData\Local\Temp\war3_Install.exe
C:\Users\Zach\AppData\Local\Temp\WmpPluginSetup_2.1.0.6.exe
cmd: ipconfig /flushdns
Folder: C:\Windows\system32\GroupPolicy
Folder: C:\Windows\SysWOW64\GroupPolicy

2. Save the Notepad file as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.



Then...




Please download zoek.zip or zoek.rar by smeenk from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program (if necessary).
    If you are unsure how to do this, please read this or this instruction.
  • Double click on zoek.exe to run the tool.
    Please wait while the tool starts...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:

    Code:
    createsrpoint; 
    StandardSearch; 
    emptyfolderscheck; 
    installer-list; 
    installedprogs; 
    uninstall-list;
  • Click on the Run Script button.
    Please wait until a log report opens (this can be after a reboot).
  • Save the Notepad file to your Desktop and attach zoek-results.log here.
    Note: It will also create a log in the C:\ directory named "zoek-results.log"
 
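The FRST fix above removes the AppInit_DLLs entries, the two BHOs, the Chrome policy key under HKLM\SOFTWARE\Policies\Google and the local GroupPolicy folders. As an added example, not part of the thread and not FRST's or zoek's own code, the following read-only PowerShell audit lists those same persistence points so a defender can confirm they are clear after the fix; the registry and folder paths are standard Windows and Chrome locations, and the function and property names are my own.

```powershell
# Added read-only audit (not FRST, zoek or the helper's script): lists the
# persistence points the FRST log above flagged. No values are changed.

function Get-AppInitDlls {
    # AppInit_DLLs load into every process linking user32.dll when LoadAppInit_DLLs
    # is 1; WinSpeed and Winclean performap both used this hook in the log.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows') {
        if (Test-Path $key) {
            $p = Get-ItemProperty -Path $key
            [pscustomobject]@{ Key = $key; AppInit_DLLs = $p.AppInit_DLLs; LoadEnabled = $p.LoadAppInit_DLLs }
        }
    }
}

function Get-ChromePolicyValues {
    # An extension shown as "Installed by enterprise policy" is listed under
    # HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist; dump the whole tree.
    $root = 'HKLM:\SOFTWARE\Policies\Google'
    if (-not (Test-Path $root)) { return }
    foreach ($k in @(Get-Item $root) + @(Get-ChildItem -Path $root -Recurse)) {
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Key = $k.Name; Name = $name; Value = $k.GetValue($name) }
        }
    }
}

function Get-BrowserHelperObjects {
    # BHOs register by CLSID under Explorer\Browser Helper Objects (64- and 32-bit views);
    # the DLL path is resolved from the CLSID's InprocServer32 key.
    foreach ($node in '', 'Wow6432Node\') {
        $key = "HKLM:\SOFTWARE\${node}Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
        if (-not (Test-Path $key)) { continue }
        foreach ($bho in Get-ChildItem -Path $key) {
            $clsid = $bho.PSChildName
            $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\${node}CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
            [pscustomobject]@{ CLSID = $clsid; Bitness = $(if ($node) { 'x86' } else { 'x64' }); Dll = $srv.'(default)' }
        }
    }
}

function Get-LocalGroupPolicyFolders {
    # FRST's "Group Policy on Chrome detected" went with these folders, which only
    # exist once a local policy has been written.
    foreach ($dir in "$env:windir\System32\GroupPolicy", "$env:windir\SysWOW64\GroupPolicy") {
        [pscustomobject]@{ Path = $dir; Present = (Test-Path $dir) }
    }
}

Get-AppInitDlls; Get-ChromePolicyValues; Get-BrowserHelperObjects; Get-LocalGroupPolicyFolders
```

Run from an elevated PowerShell prompt; after a successful fix, the AppInit_DLLs values should be empty, the Chrome policy and BHO lists should return nothing, and both GroupPolicy folders should report Present = False.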

zach

New Member
Thread author
Feb 14, 2014
5
SK Enhancer said something about it having already been removed, and asked if I wanted to remove it from the list. Said yes, was able to get rid of the other two. Should I continue through the other steps?
 

zach

New Member
Thread author
Feb 14, 2014
5
Here are the 2 files.
 

Attachments

  • zoek-results.txt (67.1 KB)
  • Fixlog.txt (10.7 KB)

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
> Re-run zoek with this script and attach here fresh zoek log results.


Code:
emptyfolderscheck;delete
emptyalltemp;
C:\Windows\system32\GroupPolicy\User;fs
[-HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\S-161304646];r
[-HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1C60D9BB-E5C5-3DEB-97E7-57505435E501}];r
[-HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0E2E068B-E266-EAA6-DED1-C74744249D22}];r
autoclean;
 

zach

New Member
Thread author
Feb 14, 2014
5
Seems to be gone, for now at least. The unremovable extension that was in Chrome is gone now.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Then we're done here, your PC is clean.



The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record a healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
 
