Coupondropdown & fake surveys

[ljpope]

I keep getting annoying picture ads popping up on web pages and facebook pages. On web pages words get highlighted with links to ads.
The ads say they are from coupondropdown. I have followed all the uninstall advice and can find no coupondropdown program on my machine. Malwarebytes and Norton are not identifying any threats and yet the ads are still appearing (annoying wobbling picture ads).
Also every so often when browsing a new window opens up with a survey in which Norton tells me is a fake survey but I can't seem to stop it from happening.
Have even tried a system reset.
Can anyone help me please????

 

[Fiery]

Hi and welcome to MalwareTips!

Please download Junkware Removal Tool to your desktop from here

• Turn off your antivirus software now to avoid potential conflicts
• Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
• The tool will open and start scanning your system
• Please be patient as this can take a while to complete depending on your system's specifications
• On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
• Post the contents of JRT.txt into your next reply

Afterwards, please do a new OTL scan.

 

[ljpope]

Hi and welcome to MalwareTips!

Please download Junkware Removal Tool to your desktop from here

• Turn off your antivirus software now to avoid potential conflicts
• Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
• The tool will open and start scanning your system
• Please be patient as this can take a while to complete depending on your system's specifications
• On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
• Post the contents of JRT.txt into your next reply

Afterwards, please do a new OTL scan.

Hi Fiery, have followed your instructions and attach the JRT file and the new OTL file.
really hope you can help as am pulling my hair out - every time I click a link I now get a 'survey' and some of the drop down ads are adult in nature and I can't get rid of them. Especially upsetting when they appear in a message from a friend whose husband has just died :-(

 

[Fiery]

No worries, we will remove it


Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: {1392b8d2-5c05-419f-a8f6-b9f15a596612}:3.3.3.2
FF - prefs.js..extensions.enabledItems: ytvdw@pgport.com:1.1.6
[2010/05/03 20:25:32 | 000,004,096 | -H-- | C] () -- C:\Users\Pope\AppData\Local\keyfile3.drm
[2011/05/02 18:04:11 | 000,148,992 | ---- | C] () -- C:\Users\Pope\10131603.dot
[2011/05/02 18:04:22 | 000,000,388 | ---- | C] () -- C:\Users\Pope\content.inf
[2011/05/18 22:28:12 | 000,001,940 | ---- | C] () -- C:\Users\Pope\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

 

[ljpope]

No worries, we will remove it


Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: {1392b8d2-5c05-419f-a8f6-b9f15a596612}:3.3.3.2
FF - prefs.js..extensions.enabledItems: ytvdw@pgport.com:1.1.6
[2010/05/03 20:25:32 | 000,004,096 | -H-- | C] () -- C:\Users\Pope\AppData\Local\keyfile3.drm
[2011/05/02 18:04:11 | 000,148,992 | ---- | C] () -- C:\Users\Pope\10131603.dot
[2011/05/02 18:04:22 | 000,000,388 | ---- | C] () -- C:\Users\Pope\content.inf
[2011/05/18 22:28:12 | 000,001,940 | ---- | C] () -- C:\Users\Pope\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

------------------------------------------------------------
Hi Fiery have completed part 1 above...

here is the roguekiller report and attached is the OTL report created after the reboot.

Will now do part two...

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Pope [Admin rights]
Mode : Remove -- Date : 05/02/2013 18:01:37
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] MusicManager.exe -- C:\Users\Pope\AppData\Local\Programs\Google\MusicManager\MusicManager.exe [-] -> KILLED [TermProc]

¤¤¤ Registry Entries : 9 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : MusicManager ("C:\Users\Pope\AppData\Local\Programs\Google\MusicManager\MusicManager.exe") [-] -> DELETED
[TASK][SUSP PATH] FGRun : C:\Users\Pope\AppData\Roaming\pack.exe [x] -> DELETED
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> DELETED
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> DELETED
[HJ] HKCU\[...]\Internet Settings : WarnOnHTTPSToHTTPRedirect (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST350041 8AS SATA Disk Device +++++
--- User ---
[MBR] 97b8718ff1dfb5079670f30318e2fdaf
[BSP] 6685aaa9b48161cf64416be67f1976b3 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 206848 | Size: 462268 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 946931712 | Size: 14570 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_05022013_02d1801.txt >>
RKreport[1]_S_05022013_02d1800.txt ; RKreport[2]_D_05022013_02d1801.txt

 

[ljpope]

No worries, we will remove it


Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: {1392b8d2-5c05-419f-a8f6-b9f15a596612}:3.3.3.2
FF - prefs.js..extensions.enabledItems: ytvdw@pgport.com:1.1.6
[2010/05/03 20:25:32 | 000,004,096 | -H-- | C] () -- C:\Users\Pope\AppData\Local\keyfile3.drm
[2011/05/02 18:04:11 | 000,148,992 | ---- | C] () -- C:\Users\Pope\10131603.dot
[2011/05/02 18:04:22 | 000,000,388 | ---- | C] () -- C:\Users\Pope\content.inf
[2011/05/18 22:28:12 | 000,001,940 | ---- | C] () -- C:\Users\Pope\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

---------------------

Ok have now completed part 2 - Malwarebytes Anti-Rootkit but it is telling me that no malware has been found. have attached the system log but the other log doesn't appear to have been created

 

[ljpope]

No worries, we will remove it


Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local
FF - prefs.js..extensions.enabledItems: engine@conduit.com:3.3.3.2
FF - prefs.js..extensions.enabledItems: {1392b8d2-5c05-419f-a8f6-b9f15a596612}:3.3.3.2
FF - prefs.js..extensions.enabledItems: ytvdw@pgport.com:1.1.6
[2010/05/03 20:25:32 | 000,004,096 | -H-- | C] () -- C:\Users\Pope\AppData\Local\keyfile3.drm
[2011/05/02 18:04:11 | 000,148,992 | ---- | C] () -- C:\Users\Pope\10131603.dot
[2011/05/02 18:04:22 | 000,000,388 | ---- | C] () -- C:\Users\Pope\content.inf
[2011/05/18 22:28:12 | 000,001,940 | ---- | C] () -- C:\Users\Pope\AppData\Local\{96C87F53-AC72-4604-A9CC-186A49F17F3C}.ini

:Files
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]

Then click Run Fix. Let your PC reboot to normal mode. A new log will be created automatically, post the content in the next reply.

Download & SAVE to your Desktop RogueKiller or from here

• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select Run as Administrator to start
• Wait until Prescan has finished, then click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• Click delete and wait until it saids deleting finished
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
  Exit/Close RogueKiller+

Download Malwarebytes Anti-Rootkit from here to your Desktop

• Unzip the contents to a folder on your Desktop.
• Open the folder where the contents were unzipped and run mbar.exe
• Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
• Make sure there is a check next to Create Restore Point and click the Cleanup button to remove any threats. Reboot if prompted to do so.
• After the reboot, perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If there are threats, click Cleanup once more and reboot.
• When done, please post the two logs in the MBAR folder(mbar-log.txt and system-log.txt)

---------------------

Ok have now completed part 2 - Malwarebytes Anti-Rootkit but it is telling me that no malware has been found. have attached the system log but the other log doesn't appear to have been created

------------------
Hi Fiery - I hope I am not jumping the gun here but I think something has done the trick. Just been onto my website and .... no pop up ads!!!!!
Malwarebytes stopped something from happening while I was browsing so hopefully that was the survey thing.
Have everything crossed that this problem is solved and I can't thank you enough for your help.

All being well my main concern now is to stop it from re-occurring - and as I'm not sure how it happened (I though all my downloads were from trusted sites) shall just have to be extra vigilant.

Thanks again. Should I keep all these anti malware tools on my system?
ljp

 

[Fiery]

Great!

Let's do one more scan to make sure everything is cleared. Then I will make some final suggestions for you to prevent this from happening again

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
  • Scan unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
• Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
• The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt

Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A notepad document should open automatically called checkup.txt.
• Please post the contents of that document in your next reply. Please do not attach it!

 

[ljpope]

Great!

Let's do one more scan to make sure everything is cleared. Then I will make some final suggestions for you to prevent this from happening again

Run Eset NOD32 Online AntiVirus here

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to to right-click on the Internet Explorer icon and select Run as Administrator

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Disable your current antivirus software. You can usually do this with its Notfication Tray icon near the clock.
• Make sure that the option "Remove found threats" is Un-checked, and the following Advance Settings are Checked
  • Scan unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click Scan
• Wait for the scan to finish
• When the scan is done, if it shows a screen that says "Threats found!", then click "List of found threats", and then click "Export to text file..."
• Save that text file on your desktop. Copy and paste the contents of that log in your next reply to this topic.
• The log can also be found in logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt

Download Security Check by screen317 from here or here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A notepad document should open automatically called checkup.txt.
• Please post the contents of that document in your next reply. Please do not attach it!

------------------------------
These are the results of the ESET Scan. Will not be able to coplete this process now until Sunday so will post next scan results then.

C:\Users\Pope\Downloads\applianflv.exe a variant of Win32/InstallIQ application
C:\Users\Pope\Downloads\freecorder7-setup.exe multiple threats
C:\Users\Pope\Downloads\setup (2).exe a variant of Win32/AirAdInstaller.A application
C:\Users\Pope\Downloads\Setup (4).exe a variant of Win32/Adware.iBryte.G application
C:\Users\Pope\Downloads\Update (1).exe a variant of Win32/Adware.iBryte.G application
C:\Users\Pope\Downloads\Update.exe a variant of Win32/Adware.iBryte.G application
C:\Users\Pope\Downloads\vlcmediaplayer-setup.exe Win32/DownloadAdmin.A.Gen application
C:\Users\Pope\Pictures\Downloads\vlcmediaplayer-setup.exe Win32/DownloadAdmin.A.Gen application

 

[Fiery]

That is fine, you don't have to run Security Check.

If you are no longer experiencing any other issues, your PC is now clean!

Double click on OTL to run it

• Click on the Cleanup button at the top.
• You will be asked to reboot the machine to finish the Cleanup process. Choose Yes
• This will remove itself and other tools we may have used.

Also, open adwCleaner and click Uninstall

---

Now that your PC is clean, I recommend you to create a new System Restore point then purge the old ones after.

For Windows 7
Create a restore point
Delete all but the most recent restore point - Click the Delete all but the most recent restore point link

---

Keep your system updated
Please go to control panel and uninstall the following:

Java(TM) 6 Update 31


Keeping your programs (especially Adobe and Java products) updated is essential. Outdated programs make your PC more vulnerable to future malware threats. To help you:

• Download and install Update Checker. It will notify you if any of your programs require an update.
• Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office product bugs and vulnerabilities.
• Please ensure you update your system regularly and have automatic updates on. You can learn how to turn Automatic Updates on here

---

Other steps that you may want to do to further protect your system/files:

• Sandboxie - "Quarantines" your browser so anything that you do in it will be isolated from your system.
• Backup important files regulary to an external hard-drive or USB

Here are only a few suggestions that will improve your system security. Should you wish to allow us to make full recommendations and set your PC up with maximum security, please start a thread here. Our community of PC enthusiasts and experts will give you feedback and help you secure your system from future malware infections.

Should you want to try a product but don't know how it performs, here is a list of current reviews to help you decide.

---

Internet Explorer may be the most popular browser but it's definitely not the most secure browser. Consider using other browsers with addition add-ons to safeguard your system while browsing the internet.

Firefox is a more secure, faster browser than Internet Explorer. Firefox contains less vulnerabilities, reducing the risk of drive-by downloads. In addition, you can add the following add-ons to increase security.

• KeyScramber - Encrypts your keystrokes to protect you against keyloggers that steals personal & banking information
• AdBlock - Disable/blocks advertisements on websites so you won't accidentally click on a malicious ad.
• NoScript - Disables Flash & Java contents to avoid exploits or drive-by attacks
• Web of Trust - Shows the website rating by other users and blocks dangerous and poor-rated sites

Google Chrome is another good browser that is faster and more secure than Internet Explorer by having a sandbox feature. Additionally, you can add the following add-on to Chrome to heighten security.

• AdBlock

---

Lastly, it is important to perform system maintenance on a regular basis. Here are a few tools and on-demand scanners that you should keep & use every 1-2 weeks to keep your system healthy.

• CCleaner
• Malwarebytes Anti-Malware

Other than that, stay safe out there! If you have any other questions or concerns, feel free to ask

My virus removal help is always free. Should you wish to show your appreciation via a donation, it will be much appreciated.
​