findwide.com

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run a scan with OTL by OldTimer
<ol><li>Download the OTL utility using the link below:
<strong><a title="External link" href="http://oldtimer.geekstogo.com/OTL.exe" rel="nofollow external">OTL DOWNLOAD LINK</a> <em>(This link will automatically download OTL on your computer)</em></strong></li>
<li>Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/07/OTL-logo.png" alt="" title="OTL-logo" width="106" height="118" class="alignnone size-full wp-image-3946" /></li>
<li>When the window appears, <strong>underneath Output</strong> at the top change it to <strong>Minimal Output</strong>.</li>
<li>Check the boxes beside <strong>LOP Check</strong> and <strong>Purity Check</strong>.</li>
<li>Click the <strong>Run Scan</strong> button.
<img src="http://malwaretips.com/blogs/wp-content/uploads/2012/07/OTL.png" alt="" title="OTL" width="658" height="584" class="alignnone size-full wp-image-3945" /></li>
<li>When the scan completes, it will open two notepad windows: <strong>OTL.Txt</strong> and <strong>Extras.Txt</strong>. These are saved in the same location as OTL.
<strong>Please post these 2 logs in your first reply.</strong></li></ol>

Settings You need to Select in OTL
  1. Click the Scan All Users checkbox.
  2. Change Standard Registry to All.
  3. Check the boxes beside LOP Check and Purity Check.
<em>Note: If OTL.exe will not run, it may be blocked by malware. Try these alternate versions: <a title="External link" href="http://www.itxassociates.com/OT-Tools/OTL.scr" rel="nofollow external">OTL.scr</a>, or <a title="External link" href="http://oldtimer.geekstogo.com/OTL.com" rel="nofollow external">OTL.com</a>.</em>

<hr />
 
Last edited by a moderator:

Nan Lyn

New Member
Thread author
Verified
Nov 21, 2013
34
I ran OTL.exe. There was only one screen that came up. No extras. I downloaded OTL.scr and ran it again and I still only was able to get one output file. I have attached it. OTL.txt
 

Attachments

  • OTL.Txt
    213.4 KB · Views: 87

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run the below OTL fix
<ol><li>Start <strong>OTL.exe</strong></li>
<li>Copy/paste the following text written <strong>inside of the code box</strong> into the <strong>Custom Scans/Fixes</strong> box located at the bottom of OTL
Code:
:OTL
PRC - [2013/11/30 10:12:43 | 000,143,488 | ---- | M] () -- c:\Program Files (x86)\Optimizer Pro\OptProCrash.exe
MOD - [2013/10/29 14:08:06 | 002,869,720 | ---- | M] () -- c:\Program Files (x86)\Optimizer Pro\OptProCrash.dll
SRV - [2013/11/30 10:12:43 | 000,143,488 | ---- | M] () [Auto | Running] -- c:\Program Files (x86)\Optimizer Pro\OptProCrash.exe -- (70e6ca8c)
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nationzoom.com/?type=hp&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.nationzoom.com/?type=hp&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE:[b]64bit:[/b] - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{087a7792-10bb-455d-bd55-427d589addf5}: "URL" = http://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=YNxdm008YYus&ptnrS=YNxdm008YYus&ptb=D456CC08-105B-415B-8E74-A211372A65FC&ind=2012070215&n=77edc147&psa=&st=sb&searchfor={searchTerms}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{5655CBDB-F2CF-4033-AEE7-FBD88101C152}: "URL" = http://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}: "URL" = http://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=http://www.ebay.com/sch/i.html?_nkw={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nationzoom.com/?type=hp&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =  [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.nationzoom.com/?type=hp&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903
IE - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE - HKU\S-1-5-21-2324637534-1169219344-757663493-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.nationzoom.com/?type=hp&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903
IE - HKU\S-1-5-21-2324637534-1169219344-757663493-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE - HKU\S-1-5-21-2324637534-1169219344-757663493-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.nationzoom.com/web/?type=ds&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903&q={searchTerms}
IE - HKU\S-1-5-21-2324637534-1169219344-757663493-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.nationzoom.com/?type=hp&ts=1385827933&from=tugs&uid=SAMSUNGXMZMPA128HMFU-000H1_S0TENEAC232903
IE - HKU\S-1-5-21-2324637534-1169219344-757663493-1001\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
FF - prefs.js..browser.search.defaultenginename: "nationzoom"
FF - prefs.js..browser.search.selectedEngine: "nationzoom"
FF - prefs.js..extensions.enabledAddons: toolbar_AVIRA-V7%40apn.ask.com:25.62074
FF - prefs.js..extensions.enabledAddons: 509508ef-0b14-4616-a557-0d58601be33d%40c4a581e9-0ea6-46db-a185-58e021ee138c.com:0.93.103
FF - prefs.js..extensions.enabledAddons: %7Ba0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7%7D:20131118
FF - prefs.js..extensions.enabledAddons: %7B73a6fe31-595d-460b-a920-fcc0f8843232%7D:2.6.8.6
FF - user.js - File not found
[2013/11/30 13:44:24 | 000,000,000 | ---D | M] (WOT) -- C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\60pd4yb2.default-1385012177941\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
[2013/11/30 12:52:03 | 000,000,000 | ---D | M] ("Plus-HD-1.3") -- C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\60pd4yb2.default-1385012177941\extensions\509508ef-0b14-4616-a557-0d58601be33d@c4a581e9-0ea6-46db-a185-58e021ee138c.com
[2013/11/30 12:52:03 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\60pd4yb2.default-1385012177941\extensions\509508ef-0b14-4616-a557-0d58601be33d@c4a581e9-0ea6-46db-a185-58e021ee138c.com\extensionData
[2013/11/30 11:30:28 | 001,046,333 | ---- | M] () (No name found) -- C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\60pd4yb2.default-1385012177941\extensions\toolbar_AVIRA-V7@apn.ask.com.xpi
[2013/11/30 13:36:00 | 000,534,885 | ---- | M] () (No name found) -- C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\60pd4yb2.default-1385012177941\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
[2013/11/30 13:35:05 | 000,915,554 | ---- | M] () (No name found) -- C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\60pd4yb2.default-1385012177941\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013/11/30 11:30:27 | 000,002,547 | ---- | M] () -- C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\60pd4yb2.default-1385012177941\searchplugins\ask-search.xml
[2013/11/30 12:46:33 | 000,000,975 | ---- | M] () -- C:\Users\Nancy\AppData\Roaming\Mozilla\Firefox\Profiles\60pd4yb2.default-1385012177941\searchplugins\conduit-search.xml
[2013/11/24 23:40:07 | 000,000,000 | ---D | M] (TrueSuite Website Logon) -- C:\Program Files (x86)\Mozilla Firefox\extensions\websitelogon@truesuite.com
[2013/11/30 10:12:22 | 000,000,570 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\nationzoom.xml
CHR - Extension: No name found = C:\Users\Nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake\0.0.0.6_0\
CHR - Extension: No name found = C:\Users\Nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\debkinhcgejcbfgjiaalomcmkedjmiaa\1.0_0\
CHR - Extension: No name found = C:\Users\Nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhlmghjmomaoodfgjeikphfdljhpcpkl\1.25.103_0\crossrider
CHR - Extension: No name found = C:\Users\Nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\hhlmghjmomaoodfgjeikphfdljhpcpkl\1.25.103_0\
CHR - Extension: No name found = C:\Users\Nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\idhngdhcfkoamngbedgpaokgjbnpdiji\1.3.2_0\
CHR - Extension: No name found = C:\Users\Nancy\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.5.0_0\
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - {1ED267F6-00F6-457A-90A2-9E212D3F0B0E} - No CLSID value found.
O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {1ED267F6-00F6-457A-90A2-9E212D3F0B0E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-2324637534-1169219344-757663493-1001\..\Toolbar\WebBrowser: (no name) - {1ED267F6-00F6-457A-90A2-9E212D3F0B0E} - No CLSID value found.
O3 - HKU\S-1-5-21-2324637534-1169219344-757663493-1001\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
[2013/11/30 11:28:39 | 000,000,000 | ---D | C] -- C:\ProgramData\AskPartnerNetwork
[2013/11/30 11:28:39 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\AskPartnerNetwork
[2013/11/30 10:32:07 | 000,000,000 | ---D | C] -- C:\Users\Nancy\AppData\Local\SearchProtect
[2013/11/30 10:32:07 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SearchProtect
[2013/11/30 10:12:56 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\MyPC Backup
[2013/11/30 10:12:53 | 000,000,000 | ---D | C] -- C:\Users\Nancy\Documents\Optimizer Pro
[2013/11/30 10:12:28 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Optimizer Pro
[2013/11/06 16:58:03 | 000,000,000 | ---D | C] -- C:\ProgramData\34BE82C4-E596-4e99-A191-52C6199EBF69
[2013/11/30 10:12:31 | 000,001,062 | ---- | M] () -- C:\Users\Nancy\Desktop\Optimizer Pro.lnk



:commands
[emptytemp]
[reboot]
<strong>NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.</strong></li>
<li>Then click the <strong>Run Fix</strong> button at the top</li>
<li>Let the program run unhindered, reboot when it is done</li>
<li>Attach the new log produced by OTL (C:\_OTL)</li>
</ol>

<hr />
 
Last edited by a moderator:
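An added example, not part of the thread and not code from OTL or its author: a small triage script that reads `IE - ...` lines in the layout seen in the fix script above, flags URL values whose host is not on an allowlist, and resolves each `DefaultScope` GUID to its `SearchScopes` URL to show whether the default search provider itself was replaced. The line layout is inferred from the lines in this thread; the `EXPECTED` allowlist, the function names and the trimmed sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on the IE lines of the fix script above
# (query strings trimmed). It is not the user's actual log.
SAMPLE = r'''
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.nationzoom.com/?type=hp
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\..\SearchScopes,DefaultScope = {33BB0A4E-99AF-4226-BDF6-49120163DE86}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}: "URL" = http://www.nationzoom.com/web/?type=ds&q={searchTerms}
'''

# Assumption: hosts this user expects to see; adjust per machine.
EXPECTED = ("bing.com", "live.com", "microsoft.com")

PREFIX = r'^IE(?P<v64>:\[b\]64bit:\[/b\])? - '
SCOPE = re.compile(PREFIX + r'(?P<key>.+?)\\SearchScopes\\(?P<guid>\{[^}]+\}): "URL" = (?P<data>.*)$')
VALUE = re.compile(PREFIX + r'(?P<key>[^,]+),(?P<name>[^=]+?) = (?P<data>.*)$')

def host(data):
    """Lower-cased host of an http(s) URL, or None for GUIDs, about: pages, etc."""
    parts = urlsplit(data.strip())
    return parts.hostname if parts.scheme in ("http", "https") else None

def unexpected(h):
    """True when h is a real host that is not an allowlisted domain or subdomain."""
    return h is not None and not any(h == e or h.endswith("." + e) for e in EXPECTED)

def triage(log):
    """Return (findings, hijacked_defaults) for the IE lines in an OTL-style log."""
    findings, scopes, defaults = [], {}, {}
    for line in log.splitlines():
        m = SCOPE.match(line)
        name = None
        if m:
            name = "SearchScopes\\" + m["guid"]
        else:
            m = VALUE.match(line)
            if not m:
                continue
            name = m["name"]
        # Keep hive and registry view (32/64-bit) apart: they are separate settings.
        view = m["key"].split("\\")[0] + ("/64" if m["v64"] else "/32")
        h = host(m["data"])
        if "guid" in m.groupdict() and m["guid"]:
            scopes[(view, m["guid"].upper())] = h
        elif name == "DefaultScope":
            defaults[view] = m["data"].strip().upper()
        if unexpected(h):
            findings.append((view, name, h))
    # A view is hijacked when its DefaultScope GUID resolves to an unexpected host.
    hijacked = sorted(v for v, g in defaults.items() if unexpected(scopes.get((v, g))))
    return findings, hijacked
```
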

Nan Lyn

New Member
Thread author
Verified
Nov 21, 2013
34
Ran OTL.exe. Attached is the file OTL1212013. I also found the Extras.txt file. I am attaching that too.
 

Attachments

  • Extras.Txt
    82.6 KB · Views: 92

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Please open Mozilla from c:\Program Files\Mozilla\Firefox.exe

Is it loading from this location also? If yes, try the following steps.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
 

Nan Lyn

New Member
Thread author
Verified
Nov 21, 2013
34
Yes, 'nation zoom' loads there too. But it is in c:\Program Files(x86). I ran Farbar. FRST.txt and Addition.txt are attached.
 

Attachments

  • FRST.txt
    76.5 KB · Views: 145
  • Addition.txt
    27.5 KB · Views: 132

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Download the attached fixlist.txt to the same location as FRST (otherwise the fix won't work).

Open FRST, and click Fix. Attach me that report after it is finished.
 

Attachments

  • fixlist.txt
    5 KB · Views: 193

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Do you know how to change the home page? If yes, please change the home page in both browsers and check how it is working...

Open Internet Explorer from c:\Program Files\Internet Explorer\IEXPLORE.EXE and check how it is working now...

Are you getting the problem when opening from c:\Program Files\Internet Explorer\IEXPLORE.EXE?
 

Nan Lyn

New Member
Thread author
Verified
Nov 21, 2013
34
I changed the home page in both browsers. Have nation zoom loading.

No, I am not able to run the iexplore.exe. Also, everything in that file has an extra extension of .mui Example: "iexplore.exe.mui"
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
There will be one more file in that location called iexplore.exe.
If you are not able to see it, enable hidden files and folders on your computer.

Please select the Tools menu and click Folder Options.
After the new window appears select the View tab.
Put a checkmark in the checkbox labeled Display the contents of system folders.
Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
Remove the checkmark from the checkbox labeled Hide protected operating system files.
After this, please press the Apply button and then the OK button.
 

Nan Lyn

New Member
Thread author
Verified
Nov 21, 2013
34
I followed your instructions. But I do not have a listing called "Display the Contents of system folders". Mine says "Display the file size information in folder tips". I checked this box and applied the changes you indicated.
 

Nan Lyn

New Member
Thread author
Verified
Nov 21, 2013
34
I see it just fine. I saw it before. It just will not execute. It tells me Windows can not open this file do you want to use the internet to find the correct program to open it. When I try to do that it tells something about having to buy the program, and being a multiple language program or some such thing.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run a scan with Shortcut Cleaner

<ol><li>Download Shortcut Cleaner from the link below.
<strong><a href="http://www.bleepingcomputer.com/download/shortcut-cleaner/dl/153/" target="_blank">Shortcut Cleaner</a></strong> (This link will automatically download Security Check on your computer)</li>
<li>Close all open programs and internet browsers.</li>
<li>Double click on <strong>sc-cleaner.exe</strong> to run the tool.</li>
<li>Please post the contents of that logfile with your next reply.</li>
<li>Log file will open automatically when the scan completes.</li>
</ol>
<hr/>
 
Last edited by a moderator:
