Adware in Firefox/Chrome, think there's also a rootkit.
<blockquote data-quote="TwinHeadedEagle" data-source="post: 163880" data-attributes="member: 6533">
<p>Hi, and welcome to MalwareTips :)</p>
<p>Go to <strong>Control Panel</strong> and uninstall the following:</p>
<p>- SK.Enhancer</p>
<p>- WinSpeed</p>
<p>- Winclean performap</p>
<p>Then...</p>
<p><strong>1.</strong> Open notepad and copy/paste the text present inside the code box below.</p>
<p><span style="font-size: 12px"><em>To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.</em></span></p>
<p><span style="font-size: 12px"><span style="color: red"><strong>NOTICE:</strong> This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.</span></span></p>
<p>[code]</p>
<p>Task: {A91A2E75-6234-4799-A548-03352F29AF97} - System32\Tasks\SK.Enhancer-S-161304646 => c:\programdata\quickset\sk.enhancer\SK.Enhancer.exe <==== ATTENTION</p>
<p>c:\programdata\quickset</p>
<p>Task: C:\Windows\Tasks\SK.Enhancer-S-161304646.job => c:\programdata\quickset\sk.enhancer\SK.Enhancer.exe <==== ATTENTION</p>
<p>AppInit_DLLs: C:\PROGRA~3\WinSpeed\WINSPE~1.DLL => C:\ProgramData\WinSpeed\WinSpeed_x64.dll [4197376 2013-12-28] ()</p>
<p>AppInit_DLLs: C:\PROGRA~3\WINCLE~1\WINCLE~2.DLL => C:\ProgramData\Winclean performap\Wincleanperformap_x64.dll [4391424 2013-12-29] ()</p>
<p>GroupPolicy: Group Policy on Chrome detected <======= ATTENTION</p>
<p>C:\PROGRA~3\WinSpeed</p>
<p>C:\PROGRA~3\WINCLE~1</p>
<p>BHO: RemoveTheAdApP - {347D16B4-5F50-4F5B-AC27-A815925BE36E} - C:\ProgramData\RemoveTheAdApP\7.x64.dll ()</p>
<p>BHO: UUteubeADReMeovualu - {8A62C290-A416-2675-4B1B-400AA935681F} - C:\ProgramData\UUteubeADReMeovualu\Rt0NUZfl.x64.dll ()</p>
<p>BHO-x32: RemoveTheAdApP - {347D16B4-5F50-4F5B-AC27-A815925BE36E} - C:\ProgramData\RemoveTheAdApP\7.dll ()</p>
<p>BHO-x32: UUteubeADReMeovualu - {8A62C290-A416-2675-4B1B-400AA935681F} - C:\ProgramData\UUteubeADReMeovualu\Rt0NUZfl.dll ()</p>
<p>C:\ProgramData\RemoveTheAdApP</p>
<p>C:\ProgramData\UUteubeADReMeovualu</p>
<p>FF DefaultSearchEngine: Wowhead</p>
<p>FF SearchEngineOrder.user_pref("browser.search.order.1", "");: user_pref("browser.search.order.1", "");</p>
<p>FF SearchEngineOrder.user_pref("browser.search.order.1,S", "");: user_pref("browser.search.order.1,S", "");</p>
<p>FF SelectedSearchEngine: Wowhead</p>
<p>FF SearchPlugin: C:\Users\Zach\AppData\Roaming\Mozilla\Firefox\Profiles\ynqg34zf.default\searchplugins\wowhead.xml</p>
<p>CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION</p>
<p>CHR Extension: (RemoveTheAdApP) - C:\Users\Zach\AppData\Local\Google\Chrome\User Data\Default\Extensions\lppmokjogjfjfbhmmeehhhdcnmkpladh [2014-01-30]</p>
<p>CHR Extension: (BitSaver) - C:\ProgramData\mahbdlkfdnmfnndocdpbbfpkkfdodaan [2013-12-31]</p>
<p>R2 def8540c; C:\ProgramData\Winclean performap\WincleanperformapSvc.dll [177488 2013-12-29] ()</p>
<p>R2 f1f78e38; C:\ProgramData\WinSpeed\WinSpeedSvc.dll [180560 2013-12-28] ()</p>
<p>2014-01-30 19:52 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\UUteubeADReMeovualu</p>
<p>2014-01-30 19:52 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\RemoveTheAdApP</p>
<p>2014-01-30 19:52 - 2013-12-06 23:51 - 00000000 ____D () C:\ProgramData\965a642fcbaad410</p>
<p>2014-01-30 19:51 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\lppmokjogjfjfbhmmeehhhdcnmkpladh</p>
<p>2014-01-30 19:51 - 2014-01-30 19:51 - 00000000 ____D () C:\ProgramData\fnenkjcmnokljgpichcommfeghihhoae</p>
<p>C:\ProgramData\hash.dat</p>
<p>C:\Users\Zach\jagex_cl_runescape_LIVE.dat</p>
<p>C:\Users\Zach\jagex_runescape_preferences.dat</p>
<p>C:\Users\Zach\jagex_runescape_preferences2.dat</p>
<p>C:\Users\Zach\random.dat</p>
<p>C:\Users\Zach\AppData\Local\Temp\AskMrRobot-Setup-1.3.10.0.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\askToolbarInstaller.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\CmdLineExt02.dll</p>
<p>C:\Users\Zach\AppData\Local\Temp\devcon.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\drm_dyndata_7370014.dll</p>
<p>C:\Users\Zach\AppData\Local\Temp\drm_dyndata_7380014.dll</p>
<p>C:\Users\Zach\AppData\Local\Temp\dxwebsetup.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\GLFAC8C.tmp.ConduitEngineSetup.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\GomEncDnInstaller.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\ietA7F5.tmp.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\iTunesPluginWinSetup_3.0.4.0.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\iv_uninstall.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\jre-6u24-windows-i586-iftw-rv.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\jre-6u33-windows-i586-iftw.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\mirc719.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\mirc722.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\Quarantine.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\SIntf16.dll</p>
<p>C:\Users\Zach\AppData\Local\Temp\SIntf32.dll</p>
<p>C:\Users\Zach\AppData\Local\Temp\SIntfNT.dll</p>
<p>C:\Users\Zach\AppData\Local\Temp\swt-win32-3349.dll</p>
<p>C:\Users\Zach\AppData\Local\Temp\tmchth.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\war3_Install.exe</p>
<p>C:\Users\Zach\AppData\Local\Temp\WmpPluginSetup_2.1.0.6.exe</p>
<p>cmd: ipconfig /flushdns</p>
<p>Folder: C:\Windows\system32\GroupPolicy</p>
<p>Folder: C:\Windows\SysWOW64\GroupPolicy</p>
<p>[/code]</p>
<p><strong>2.</strong> Save notepad as <u><strong>fixlist.txt</strong></u> to your Desktop.</p>
<p><em><span style="font-size: 12px"><u><strong><span style="color: #008000">NOTE:</span></strong></u> => It's important that both files, <strong>FRST</strong> and <strong>fixlist.txt</strong>, are in the same location or the fix will not work.</span></em></p>
<p><strong>3.</strong> Run <strong><span style="color: #0000FF">FRST/FRST64</span></strong> and press the <strong>Fix</strong> button just once and wait.</p>
<p><em><span style="font-size: 12px">If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.</span></em></p>
<p>The tool will make a log on the Desktop (<strong>Fixlog.txt</strong>). Please attach it to your reply.</p>
<p><em><span style="font-size: 12px"><span style="color: #008000"><strong>Note: If the tool warns you about an outdated version, please download and run the updated version.</strong></span></span></em></p>
<p>Then...</p>
<p>Please download <span style="color: blue"><strong>zoek.zip</strong></span> or <span style="color: blue"><strong>zoek.rar</strong></span> by <strong>smeenk</strong> (<img src="http://www.mcshield.net/personal/magna86/Images/Zoek_icon.png" alt="" class="fr-fic fr-dii fr-draggable " style="" />) from <a href="http://hijackthis.nl/smeenk/" target="_blank"><strong><span style="color: green"><u>here</u></span></strong></a> or <a href="http://home.kpn.nl/stefsmeenk/zoek.exe" target="_blank"><strong><span style="color: green">here</span></strong></a> and save it to your <strong>Desktop</strong>.</p>
<p><em><span style="font-size: 12px">Unpack the archive...</span></em></p>
<ul>
<li data-xf-list-type="ul">Close any open browsers</li>
<li data-xf-list-type="ul">Temporarily disable your <strong>AntiVirus</strong> program. (<em>If necessary</em>)<br /> <span style="font-size: 12px">If you are unsure how to do this, please read <a href="http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html" target="_blank"><strong><em>this</em></strong></a> or <a href="http://www.bleepingcomputer.com/forums/topic114351.html" target="_blank"><em><strong>this</strong></em></a> instruction.</span><br /> </li>
<li data-xf-list-type="ul">Double click on <strong>zoek.exe</strong> to run the tool.<br /> <em>Please wait until the tool starts...</em><br /> </li>
<li data-xf-list-type="ul">Copy the text present inside the code box below and paste it into the large window in the zoek tool:<br /> <br /> [code]createsrpoint; <br /> StandardSearch; <br /> emptyfolderscheck; <br /> installer-list; <br /> installedprogs; <br /> uninstall-list;[/code]</li>
<li data-xf-list-type="ul">Click on the <img src="http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png" alt="" class="fr-fic fr-dii fr-draggable " style="" /> button.<br /> <em>Please wait until a log report opens (this can be after a reboot)</em><br /> </li>
<li data-xf-list-type="ul">Save the notepad file to your Desktop and attach <strong>zoek-results.log</strong> here<br /> <em><strong><span style="color: red">Note:</span></strong><span style="color: blue"> It will also create a log in the <strong>C:\ </strong>directory named "<strong>zoek-results.log</strong>"</span></em></li>
</ul>
</blockquote>