Infection date and initial symptoms
8/27/2015. Chrome has been my primary browser for years. This morning, when I started Chrome I noticed that I was not getting the web pages I was trying to load. Yahoo News and ESPN etc. would take me to strange sites. I could not surf at all really. I've been fighting this all day, 7 am to now 7:45 pm, so I'm pretty frustrated and may not remember things exactly. I had the same problem with Firefox. I can't remember if IE had the problem or not.

I have tried running several security products, two reported a few threats but claim to have cleaned them. The other products came up blank.

I deleted both Chrome and Firefox. I reset IE to defaults. After a reboot, I started IE and the "unable to connect to proxy server" error appeared. Using a second machine, I searched the web and most sites said I needed to remove the check from the "Use a proxy server for your LAN" checkbox in the LAN settings dialog. However, the checkbox on the problem PC is unchecked for me. On a whim I unchecked "Automatically detect settings" and IE was able to connect to the net. I am not seeing any problems with IE. Interestingly, on my working machine, the "Automatically detect settings" checkbox is checked.

I cannot connect with Chrome at all. Chrome reports the "unable to connect to proxy server" message.

With Firefox I can see my home page (Google) and do a search for something, say ESPN, and the results page looks good. However, when I click on the espn.go.com link a second page is loaded with random virus removal ads and alerts etc., or some other very unrelated site.

I was away on vacation and my son was using the machine. I don't know which sites he was visiting but suspect that is how something was installed to my machine.

the first page renders, say my google search, but when I click a valid link I get redirected to
Current issues and symptoms
IE appears to be "clean", Firefox initially looks clean but after an initial page loads any subsequent page will be a link to randomness: Free Tarot Reading just popped up. Chrome is completely unusable.
Steps taken in order to remove the infection
I have tried running several security products: AdwCleaner, AVG, Microsoft Security Essentials, Kaspersky, Malwarebytes Anti-Malware, SuperAntiSpyware, Microsoft Malicious Software Removal Tool and Microsoft's Safety Scanner. AdwCleaner reported a lot of issues and I was hopeful that it found the problem. I let it do its "cleaning". Now it doesn't find anything wrong.
Malwarebytes and AVG reported a few threats and claim to have cleaned them. The other products came up blank. I've done quick scans and "deep" scans.

I have attached the first two scans from AdwCleaner and the Quarantine log. Also the now clean report as well.

Steve62

New Member
I get an "Unable to connect to proxy server" when using Chrome and I get site redirects when using Firefox. Internet Explorer appears to work; however, the LAN settings dialog has to have "Automatically detect settings" unchecked. Otherwise, IE will also report that it is unable to connect to proxy server. I have tried many virus and malware removal tools. Some found issues and quarantined the offending files, yet the problems persist. All the virus and malware tools are reporting my system is clean.

Attachments

TwinHeadedEagle

Removal Expert
Verified
Staff member
Hello,

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:
  • At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
  • Instructions I give to you are very simple and made for a complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
  • If during the process you run across anything that is not in my instructions, please stop and ask. If any tool runs for too long (a few hours), please stop and inform me.
  • I visit the forum several times a day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have a private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  • Please attach all reports using the button below. Doing this, you make it easier for me to analyze and fix your problem.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay for the repair.

Rules and policies

We won't support any piracy.
That being said, if any evidence of an illegal OS, software, cracks/keygens or anything else of the kind is revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result in closing your topic and withdrawing any assistance.

You're missing the Addition.txt report.

Steve62

New Member
Thanks for getting back to me. I have re-run the tool and uploaded the new reports. I had forgotten I installed uTorrent a few years ago, so I uninstalled the uTorrent app.

Attachments

TwinHeadedEagle

Removal Expert
Verified
Staff member
Multiple Resident Protection warning!

Always have one (and no more than one!) AntiVirus program! In this case, having more of them will not provide you with better protection - instead they may cause slowness, lock-ups and even mark one another as harmful, leaving your system unstable and even damaged. Please choose only one from those listed below to stay with and uninstall the others:
  • Microsoft Security Essentials
  • AVG Free Antivirus 2015

Uninstallation procedure:
  • Press the Windows key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for each entry to be uninstalled, right-click it and select Uninstall.
This should be done before any other steps are taken.

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the zoek.exe icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears; it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    createsrpoint;
    autoclean;
    emptyalltemp;
    ipconfig /flushdns;
  • Make sure that the Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in Notepad.
  • If a reboot is needed, the log will open after it. You may also find it on your main drive (usually the C:\ drive).

Post its content into your next reply.

Steve62

New Member
Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by Webster on Fri 08/28/2015 at 10:25:30.14.
Microsoft Windows 7 Home Premium 6.1.7601 Service Pack 1 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Webster\Downloads\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

8/28/2015 10:26:08 AM Zoek.exe System Restore Point Created Successfully.

==== Empty Folders Check ======================

C:\PROGRA~2\MSXML 4.0 deleted successfully
C:\Program Files\Common Files\AV deleted successfully
C:\PROGRA~3\Synology deleted successfully
C:\PROGRA~3\WordPerfect Office X6 deleted successfully
C:\Users\Webster\AppData\Roaming\.# deleted successfully
C:\Users\Webster\AppData\Roaming\eBookPro6 deleted successfully
C:\Users\Webster\AppData\Roaming\Malwarebytes deleted successfully
C:\Users\Webster\AppData\Roaming\uTorrent deleted successfully
C:\Users\Webster\AppData\Local\EmieBrowserModeList deleted successfully
C:\Users\Webster\AppData\Local\EmieSiteList deleted successfully
C:\Users\Webster\AppData\Local\EmieUserList deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-2408832530-1597547110-1268851509-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_USERS\S-1-5-21-2408832530-1597547110-1268851509-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_USERS\S-1-5-21-2408832530-1597547110-1268851509-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_USERS\S-1-5-21-2408832530-1597547110-1268851509-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_USERS\S-1-5-21-2408832530-1597547110-1268851509-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_USERS\S-1-5-21-2408832530-1597547110-1268851509-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_USERS\S-1-5-21-2408832530-1597547110-1268851509-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F4E39681-15F8-4fda-B8A3-B5C98378F2F2} deleted successfully
HKEY_USERS\S-1-5-21-2408832530-1597547110-1268851509-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F4E39681-15F8-4fda-B8A3-B5C98378F2F3} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================

C:\windows\SysNative\Tasks\AVG_SYS_TASK_0615pi_DELETE deleted
C:\windows\SysNative\Tasks\AVG_SYS_TASK_0615pi_VALID deleted
C:\Users\Webster\.android deleted
C:\PROGRA~2\GUT896C.tmp deleted
C:\PROGRA~2\GUM896B.tmp deleted
C:\awh6A65.tmp deleted
C:\awh8D3D.tmp deleted
C:\Users\Webster\048298C9A4D3490B9FF9AB023A9238F3.TMP deleted
C:\PROGRA~3\B5idSLELD.dat deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Webster\AppData\Local\Installer deleted
C:\Users\Webster\AppData\Local\CrashRpt deleted
C:\Users\Webster\AppData\LocalLow\Company deleted
C:\windows\SysNative\GroupPolicy\Machine deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\windows\SysNative\GroupPolicy\gpt.ini deleted
"C:\Windows\Installer\b6829a4.msi" deleted
"C:\PROGRA~3\Avg_Update_0615pi\AVG-Secure-Search-Update_0615pi.exe" deleted
"C:\PROGRA~3\Avg_Update_0615pi" not deleted

==== Firefox Extensions ======================

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
- Firefox Security Update - %AppDir%\browser\extensions\jid1-sXWNoXABeFqKYg@jetpack.xpi

==== Firefox Plugins ======================

Profilepath: C:\Users\Webster\AppData\Roaming\Mozilla\Firefox\Profiles\5joc4z9t.default
87132527E2256CF6683A18C4EB34DD3B - C:\Windows\system32\Wat\npWatWeb.dll - Windows Activation Technologies
EC55112EDB2CE5BC2BFCACDB9C2150F4 - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_18_0_0_232.dll - Shockwave Flash


==== Chromium Look ======================

Google Chrome Version: 44.0.2403.157

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
bghejdcdajlenjngcknlkkoakmmjfanb - No path found[]
bpegkgagfojjbcpkihigfmkojdmmimdf - No path found[]
eeafbffkmccheohnooflcnppngmobeoe - No path found[]
ehgldbbpchgpcfagfpfjgoomddhccfgh - No path found[]
ellbonkjdmgdghkojcjmomekmjpdffde - No path found[]
fllgpcmelbfhcligbphaaplminjpbiad - No path found[]
hpjocjloojeicikiokfiekcdpojgfefc - No path found[]
jbolfgndggfhhpbnkgnpjkfhinclbigj - No path found[]
jmnkgjdfgnjhmnopgmkcpigenfhgajdj - No path found[]
kfbhfniohjdklgcmbmemnpaimpdaikea - No path found[]
manaobgbdfpjjjnheogfghmjbikhjnlf - No path found[]
oaobejgaaiojgggjojlcpbembaoajbmc - No path found[]

HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
bghejdcdajlenjngcknlkkoakmmjfanb - No path found[]
eeafbffkmccheohnooflcnppngmobeoe - No path found[]
ellbonkjdmgdghkojcjmomekmjpdffde - No path found[]
fllgpcmelbfhcligbphaaplminjpbiad - No path found[]
hpjocjloojeicikiokfiekcdpojgfefc - No path found[]
jlcgehabolcakkjhgmgpkagpolbjlhfa - No path found[]
jmnkgjdfgnjhmnopgmkcpigenfhgajdj - No path found[]
kfbhfniohjdklgcmbmemnpaimpdaikea - No path found[]
manaobgbdfpjjjnheogfghmjbikhjnlf - No path found[]
oaobejgaaiojgggjojlcpbembaoajbmc - No path found[]

Docs - Webster\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake

==== Chromium Startpages ======================

C:\Users\Webster\AppData\Local\Google\Chrome\User Data\Default\Preferences


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="Google"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="Google"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="{searchTerms} - Google Search"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="{searchTerms} - Bing"

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\4E30E037E0535E84D9E3349209D354D4 deleted successfully
HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{730E03E4-350E-48E5-9D3E-4329903D454D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4E30E037E0535E84D9E3349209D354D4 deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Webster\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5 emptied successfully
C:\Windows\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWoW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Windows\sysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Webster\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9TR5QP1Q will be deleted at reboot
C:\Users\Webster\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QVSYJRH8 will be deleted at reboot

==== Empty FireFox Cache ======================

C:\Users\Webster\AppData\Local\Mozilla\Firefox\Profiles\4qrqpe9h.default\cache2 emptied successfully
C:\Users\Webster\AppData\Local\Mozilla\Firefox\Profiles\5joc4z9t.default\cache2 emptied successfully
C:\Users\Webster\AppData\Local\Mozilla\Firefox\Profiles\et4gu552.default\cache2 emptied successfully

==== Empty Chrome Cache ======================

C:\Users\Webster\AppData\Local\Opera Software\Opera Stable\Cache emptied successfully
C:\Users\Webster\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================

Flash Cache Emptied Successfully

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================

C:\zoek_backup (files=171 folders=28 30816601 bytes)

==== Empty Temp Folders ======================

C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\UpdatusUser\AppData\Local\Temp emptied successfully
C:\Users\Webster\AppData\Local\Temp will be emptied at reboot
C:\Windows\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\Windows\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\Windows\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================

C:\Windows\Temp successfully emptied
C:\Users\Webster\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================

C:\$RECYCLE.BIN successfully emptied

==== Deleting Files / Folders ======================

"C:\PROGRA~3\Avg_Update_0615pi" not found
"C:\Users\Webster\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9TR5QP1Q" not found
"C:\Users\Webster\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QVSYJRH8" deleted

==== EOF on Fri 08/28/2015 at 10:35:58.58 ======================

Attachments

Steve62

New Member
I just installed Chrome. The good news is that it no longer says that it cannot connect to the proxy server and the Google search page renders. The disconcerting thing is that it reports that a new extension has been added called "EverSave". I had not done anything except install Chrome. So how did a new extension get installed?

In Chrome, I searched for Yahoo and the results page looks fine. I can click links and it behaves like I am used to. There feels like more ads than I'm used to but I use AdBlockPlus so I'm sure that changes my experience considerably. I will install that again.

I just installed Firefox as well. It also works. However, looking at its list of extensions, the Firefox Security Update is disabled and says that the "Firefox Security Update could not be verified for use in Firefox. Proceed with caution".

I typed in "ESPN" in Firefox's search control and the result page looked good. I clicked on the ESPN link and a second page opened with "Message to Our Visitors" in the URL and a message stating "Due to a recent hack attempt on our site, we're temporarily offline while we investigate this matter." It goes on for a few more sentences with a couple links and a Life Insurance Agents popup on the right side. Definitely not a page I want to click on anything. The espn.go.com page looks fine but there is a popup for Attorneys in the upper right corner blocking the top right quarter of the web page. I'm not familiar with Firefox so I can't say if this is just the "normal" amount of popup advertisements or something more troublesome. Does Firefox have an AdBlockPlus? Should I install that and see if it works better?

Bottom line. The three browsers appear to be working but FireFox and Chrome have a worrisome extension issue. Are you familiar with either issue?

My other question is can I / should I run the Zoek.exe on my other PC and my son's laptop? Is this an app that is good to run every month or so to keep the browser and pc from getting too much "sludge"?

Thanks
 

Steve62

New Member
I typed in "espn.go.com" in FireFox. The page rendered OK at first then it flickered and flashed like it was reloading the page a few times. At the end of that the URL had "SYSTEM WARNING" in it. A very ominous message played over my speakers that my hard drive will be erased. Unfortunately, I didn't hear the beginning as my speaker volume was very low and I only realized there was audio at the end. I've attached a screenshot of the final page.

TwinHeadedEagle

Removal Expert
Verified
Staff member
Do not believe in these pop-ups. These are scammers trying to trick you.


Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
  • Right-click on the tool's icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.

Steve62

New Member
Yea, I know they are. Obviously, there are some remnants of things left on my system from the uninstalls of chrome and firefox. How do I completely remove all traces of previous installs of them?

Thanks again for your help.

TwinHeadedEagle

Removal Expert
Verified
Staff member
Uninstall Chrome

Export your bookmarks first (see "Import or export bookmarks - Chrome Help").

- Close all Chrome windows and tabs.
- Go to the Start menu > Control Panel.
- Click Programs and Features.
- Double-click Google Chrome.
- Click Uninstall in the confirmation dialog. To delete your user profile information, like your browser preferences, bookmarks, and history, select the "Also delete your browsing data" checkbox.
- Click Start, copy %LOCALAPPDATA%\ into the search box and remove the folder Google.

Download Chrome again (Chrome Browser).

Uninstall Firefox (Programs and Features)

Then:

- Click Start, copy %appdata%\ into the search box, then delete the folder Mozilla.
- Click Start, copy %LOCALAPPDATA%\ into the search box and delete the folder Mozilla.

Then delete the following folders:

C:\Program Files (x86)\mozilla firefox
C:\Program Files (x86)\Mozilla Maintenance Service

Restart your PC.
Then install Firefox again.

Steve62

New Member
I have removed Chrome and Firefox.

While looking through the AppData/Roaming I noticed a .bin file called appdataFr25. Doing a quick search this file is a known adware malware. I have deleted the file.

Under AppData\local there is a subdirectory Chromium, which has a file called awesomium.log under Chromium\User Data\ with 12 entries:
[14976:18012:2045323554:INFO:extension_unpacker.cc(143)] Installing extension C:\Users\...\AppData\Local\Temp\scoped_dir29175\Freemake.Plugin.Chrome.crx
[8680:15884:2045323554:INFO:extension_unpacker.cc(143)] Installing extension C:\Users\...\AppData\Local\Temp\scoped_dir25761\Freemake.Plugin.Chrome.crx
[13048:13184:2045323570:INFO:extension_unpacker.cc(143)] Installing extension C:\Users\...\AppData\Local\Temp\scoped_dir18292\ChromeYoutubePlugin.crx
The remaining entries reference the ChromeYoutubePlugin.crx file.

There are no .bin type files, so it looks like left-over noise. Thought it might give you a clue.


I just found a directory C:\ProgramData\DataFile that has three files in it:
DV.exe
sysTech.txt
Update.xml

The .txt file is actually an executable.
The XML file's contents are:

<?xml version="1.0" encoding="utf-8"?>
<temp>
<t>
<dbUrl>http://www.winpcoptimizer.com/betaone/updated.php</dbUrl>
<downloadUrl>ftp://www.gopready.com/httpdocs/BetaOne</downloadUrl>
<fileName>sysTech.txt</fileName>
<userId>goprekod</userId>
<password>meetravi@123</password>
<chkUpdatetimer>00:03:30</chkUpdatetimer>
<countUpdate>9</countUpdate>
<updateTimer>01:00:00</updateTimer>
<messageHeader>SECURITY ALERT!</messageHeader>
<messageContent>
Error Code 00XB10999. Windows Might Be Infected With Trojan Virus. Your Financial Information Might Be At Risk. Please Contact Emergency Virus Support Toll Free 1-800-596-1571
</messageContent>
<flagUpdate>1</flagUpdate>
<fileSize>195.5KB</fileSize>
<runStatus>1</runStatus>
<contact>Call Us: 1-800-982-1027</contact>
<uninstallUrl>http://www.winpcoptimizer.com/betaone/updated.php</uninstallUrl>
<contactPopUp>1 (800) 986-4730</contactPopUp>
<exeName>DV.exe</exeName>
<contactUpdater>1 (800) 786-5207</contactUpdater>
<updateUrl>http://www.winpcoptimizer.com/betaone/insertip.php</updateUrl>
<startTime>00:00</startTime>
<endTime>23:59</endTime>
<exceptionUrl>http://27.54.92.106:8090/WPO/GetLog</exceptionUrl>
<flagWpo>0</flagWpo>
<secondFileSize>200192</secondFileSize>
</t>
</temp>


I have renamed the DataFiles directory to xxxDataFiles so that I could send you the files if you want them. Now I will reboot.
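A small triage helper for a config like the Update.xml in this post, added here as an example (it is not from this thread or from any tool mentioned in it): it pulls the URLs, phone numbers, credentials and dropped/run filenames out of the XML, flags a payload named with a non-executable extension, and checks raw bytes for a PE header, which is how a ".txt" that is really an executable is recognised. The XML sample and every value in it are constructed placeholders; only the element names follow the posted file.

```python
# Added example (not from this thread or any tool it mentions): triage a
# scareware Update.xml like the one posted above. SAMPLE_XML is a
# CONSTRUCTED sample with placeholder values; only the element names match.
import re
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<temp><t>
<dbUrl>http://updater.example.invalid/betaone/updated.php</dbUrl>
<downloadUrl>ftp://files.example.invalid/httpdocs/BetaOne</downloadUrl>
<fileName>sysTech.txt</fileName>
<userId>placeholder-user</userId>
<password>placeholder-pass</password>
<messageContent>Windows Might Be Infected. Call Toll Free 1-800-555-0100</messageContent>
<contact>Call Us: 1-800-555-0101</contact>
<exeName>DV.exe</exeName>
<exceptionUrl>http://192.0.2.10:8090/WPO/GetLog</exceptionUrl>
</t></temp>"""

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>]+")
PHONE_RE = re.compile(r"1[ -]?\(?800\)?[ -]?\d{3}[ -]?\d{4}")
NON_EXE_EXT = (".txt", ".xml", ".log", ".dat")


def triage_update_xml(xml_text):
    """Indicators a responder pulls from the config: where it calls home,
    what it drops and runs, the scam phone numbers shown to the victim.
    A payload with a non-executable extension is flagged as disguised."""
    root = ET.fromstring(xml_text)
    fields = {el.tag: (el.text or "").strip() for el in root.iter()
              if el.tag not in ("temp", "t")}
    blob = "\n".join(fields.values())
    payloads = [fields.get("fileName", ""), fields.get("exeName", "")]
    return {
        "urls": sorted(set(URL_RE.findall(blob))),
        "phones": sorted(set(PHONE_RE.findall(blob))),
        "credentials": (fields.get("userId", ""), fields.get("password", "")),
        "payloads": payloads,
        "disguised": [p for p in payloads if p.lower().endswith(NON_EXE_EXT)],
    }


def looks_like_pe(data):
    """True if the bytes start with a DOS 'MZ' stub whose e_lfanew field
    points at a 'PE\\0\\0' signature, whatever the file extension says."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"
```

Run `looks_like_pe(open(path, "rb").read(0x400))` against a suspect file such as the renamed .txt to confirm it is a Windows executable before handing it to a responder.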
 

Steve62

New Member
I think I may be clear of this malware. After deleting chrome & firefox, but before I rebooted the system, I used Sysinternals Autoruns, CCleaner and regedit to purge my system of all remnants of chrome & firefox and their extensions. Plus I found many registry entries that were very suspicious, including one pointing to dv.exe, so I deleted them. After the reboot and reinstalling chrome, chrome no longer warns me about an application adding an extension. Firefox now loads a page (espn.go.com) with a "normal" amount of ads, and if I click on subsequent links they open without opening secondary tabs. Also, there is no longer the constant flickering while the page re-renders or whatever it was doing.

What a relief this is but what a waste of 3 - 4 days of our time.

I plan to look at my other two machines later today for signs they may have issues although I suspect if they did, then I would have seen the same browser behavior. Can I run the Zoek.exe on a Windows 8.1 machine?

Thanks for your help through this.
 

TwinHeadedEagle

Removal Expert
Verified
Staff member
I haven't heard about this file; usually the filename can be random, so it sometimes isn't a strong indicator of a possible infection.