Adware in Firefox/Chrome, think there's also a rootkit.

[zach]

Not really sure how to deal with this, the programs I've run already don't seem to recognize it as a problem (the scans suggested at the top of this forum seem to have found something, though, so that's promising.) I had it deleted at one point, but it came back within a few days. Has definitely slowed down browsing. I can't seem to find much about it online, it's not currently showing in Firefox but Chrome has 2 extensions (one is called BitSaver 5.1 and is removable but automatically comes back, the other is called RemoveTheAdApP 3.5 and has Enabled checked, and is greyed out. Underneath it says "Installed by enterprise policy." completely unremovable through browser from what I can tell). Like I said, practically nothing shows up in Google searches for those 2 things.

Thank you for any help!

 

[TwinHeadedEagle]

Hi, and welcome to MalwareTips


Go to Control Panel and uninstall following:
- SK.Enhancer
- WinSpeed
- Winclean performap


Then...



1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Task: {A91A2E75-6234-4799-A548-03352F29AF97} - System32\Tasks\SK.Enhancer-S-161304646 => c:\programdata\quickset\sk.enhancer\SK.Enhancer.exe <==== ATTENTION
c:\programdata\quickset
Task: C:\Windows\Tasks\SK.Enhancer-S-161304646.job => c:\programdata\quickset\sk.enhancer\SK.Enhancer.exe <==== ATTENTION
AppInit_DLLs: C:\PROGRA~3\WinSpeed\WINSPE~1.DLL => C:\ProgramData\WinSpeed\WinSpeed_x64.dll [4197376 2013-12-28] ()
AppInit_DLLs: C:\PROGRA~3\WINCLE~1\WINCLE~2.DLL => C:\ProgramData\Winclean performap\Wincleanperformap_x64.dll [4391424 2013-12-29] ()
GroupPolicy: Group Policy on Chrome detected <======= ATTENTION
C:\PROGRA~3\WinSpeed
C:\PROGRA~3\WINCLE~1
BHO: RemoveTheAdApP - {347D16B4-5F50-4F5B-AC27-A815925BE36E} - C:\ProgramData\RemoveTheAdApP\7.x64.dll ()
BHO: UUteubeADReMeovualu - {8A62C290-A416-2675-4B1B-400AA935681F} - C:\ProgramData\UUteubeADReMeovualu\Rt0NUZfl.x64.dll ()
BHO-x32: RemoveTheAdApP - {347D16B4-5F50-4F5B-AC27-A815925BE36E} - C:\ProgramData\RemoveTheAdApP\7.dll ()
BHO-x32: UUteubeADReMeovualu - {8A62C290-A416-2675-4B1B-400AA935681F} - C:\ProgramData\UUteubeADReMeovualu\Rt0NUZfl.dll ()
C:\ProgramData\RemoveTheAdApP
C:\ProgramData\UUteubeADReMeovualu
FF DefaultSearchEngine: Wowhead
FF SearchEngineOrder.user_pref("browser.search.order.1", "");: user_pref("browser.search.order.1", "");
FF SearchEngineOrder.user_pref("browser.search.order.1,S", "");: user_pref("browser.search.order.1,S", "");
FF SelectedSearchEngine: Wowhead
FF SearchPlugin: C:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\ynqg34zf.default\searchplugins\wowhead.xml
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR Extension: (RemoveTheAdApP) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\lppmokjogjfjfbhmmeehhhdcnmkpladh [2014-01-30]
CHR Extension: (BitSaver) - C:\ProgramData\mahbdlkfdnmfnndocdpbbfpkkfdodaan [2013-12-31]
R2 def8540c; C:\ProgramData\Winclean performap\WincleanperformapSvc.dll [177488 2013-12-29] ()
R2 f1f78e38; C:\ProgramData\WinSpeed\WinSpeedSvc.dll [180560 2013-12-28] ()
2014-01-30 19:52 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\UUteubeADReMeovualu
2014-01-30 19:52 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\RemoveTheAdApP
2014-01-30 19:52 - 2013-12-06 23:51 - 00000000 ____D () C:\ProgramData\965a642fcbaad410
2014-01-30 19:51 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\lppmokjogjfjfbhmmeehhhdcnmkpladh
2014-01-30 19:51 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\fnenkjcmnokljgpichcommfeghihhoae
C:\ProgramData\hash.dat
C:\Users\Zach\jagex_cl_runescape_LIVE.dat
C:\Users\Zach\jagex_runescape_preferences.dat
C:\Users\Zach\jagex_runescape_preferences2.dat
C:\Users\Zach\random.dat
C:\Users\Zach\AppData\Local\Temp\AskMrRobot-Setup-1.3.10.0.exe
C:\Users\Zach\AppData\Local\Temp\askToolbarInstaller.exe
C:\Users\Zach\AppData\Local\Temp\CmdLineExt02.dll
C:\Users\Zach\AppData\Local\Temp\devcon.exe
C:\Users\Zach\AppData\Local\Temp\drm_dyndata_7370014.dll
C:\Users\Zach\AppData\Local\Temp\drm_dyndata_7380014.dll
C:\Users\Zach\AppData\Local\Temp\dxwebsetup.exe
C:\Users\Zach\AppData\Local\Temp\GLFAC8C.tmp.ConduitEngineSetup.exe
C:\Users\Zach\AppData\Local\Temp\GomEncDnInstaller.exe
C:\Users\Zach\AppData\Local\Temp\ietA7F5.tmp.exe
C:\Users\Zach\AppData\Local\Temp\iTunesPluginWinSetup_3.0.4.0.exe
C:\Users\Zach\AppData\Local\Temp\iv_uninstall.exe
C:\Users\Zach\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe
C:\Users\Zach\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe
C:\Users\Zach\AppData\Local\Temp\mirc719.exe
C:\Users\Zach\AppData\Local\Temp\mirc722.exe
C:\Users\Zach\AppData\Local\Temp\Quarantine.exe
C:\Users\Zach\AppData\Local\Temp\SIntf16.dll
C:\Users\Zach\AppData\Local\Temp\SIntf32.dll
C:\Users\Zach\AppData\Local\Temp\SIntfNT.dll
C:\Users\Zach\AppData\Local\Temp\swt-win32-3349.dll
C:\Users\Zach\AppData\Local\Temp\tmchth.exe
C:\Users\Zach\AppData\Local\Temp\war3_Install.exe
C:\Users\Zach\AppData\Local\Temp\WmpPluginSetup_2.1.0.6.exe
cmd: ipconfig /flushdns
Folder: C:\Windows\system32\GroupPolicy
Folder: C:\Windows\SysWOW64\GroupPolicy

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.



Then...




Please download zoek.zip or zoek.rar by smeenk (

) from here or here and save it to your Desktop.
Unpack the archive...

• Close any open browsers
• Temporarily disable your AntiVirus program. (If necessary)
  If you are unsure how to do this please read this or this Instruction.
  
• Double click on zoek.exe to run the tool .
  Please wait while the tool does not start...
  
• Copy the text present inside the code box below and paste it into the large window in the zoek tool:
  
  

  createsrpoint; 
  StandardSearch; 
  emptyfolderscheck; 
  installer-list; 
  installedprogs; 
  uninstall-list;

• Click on
  
  button.
  Please wait until a logreport will open (this can be after reboot)
  
• Save notepad to your Desktop and attach here zoek-results.log
  Note: It will also create a log in the C:\ directory named "zoek-results.log"

 

[zach]

SK Enhancer said something about it having already been removed, and asked if I wanted to remove it from the list. Said yes, was able to get rid of the other two. Should I continue through the other steps?

 

[TwinHeadedEagle]

Yes, please continue...

 

[zach]

Here are the 2 files.

 

[TwinHeadedEagle]

> Re-run zoek with this script and attach here fresh zoek log results.

emptyfolderscheck;delete
emptyalltemp;
C:\Windows\system32\GroupPolicy\User;fs
[-HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\S-161304646];r
[-HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1C60D9BB-E5C5-3DEB-97E7-57505435E501}];r
[-HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{0E2E068B-E266-EAA6-DED1-C74744249D22}];r
autoclean;

 

[zach]

2nd script.

 

[TwinHeadedEagle]

Tell me how is the situation now?

 

[zach]

Seems to be gone, for now at least. The unremovable extension that was in Chrome is gone now.

 

[TwinHeadedEagle]

Then we're done here, your PC is clean.



• The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below;

Remove disinfection tools

Create registry backup

Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.