WhiteSmoke toolbar

Status
Not open for further replies.

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
Hello! As you can see by all the items that I have attached I have scanned and scanned and scanned and am still having issues. I do like your site. It has more specific information than others that I found in trying to get rid of this problem. Thanks in advance for any further help!
 

Attachments

  • Extras.Txt
    89 KB · Views: 116
  • OTL.Txt
    107.7 KB · Views: 133
  • hitmanpro_20130225_0846.txt
    23.3 KB · Views: 136
  • aswMBR.txt
    4.5 KB · Views: 118

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi and welcome to the malwaretips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:
  • I will start working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.


Before we start:
Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

Because of this, I advise you to back up any personal files and folders before you start.

STEP 1: Run a scan with Junkware Removal Tool

Please download Junkware Removal Tool to your desktop from here
  • Turn off your antivirus software now to avoid potential conflicts
  • Double-click to run the tool. For Windows Vista or 7 users, right-click the file and select Run as Administrator
  • The tool will open and start scanning your system
  • Please be patient as this can take a while to complete depending on your system's specifications
  • On completion, a log (JRT.txt) will be saved to your desktop and will automatically open
  • Post the contents of JRT.txt into your next reply




STEP 2: Run a scan with AdwCleaner

  1. Download AdwCleaner from the below link.
     ADWCLEANER DOWNLOAD LINK: http://general-changelog-team.fr/fr/downloads/finish/20-outils-de-xplode/2-adwcleaner (This link will automatically download Security Check on your computer)
  2. Close all open programs and internet browsers.
  3. Double click on adwcleaner.exe to run the tool.
  4. Click on Delete, then confirm each time with Ok.
  5. Your computer will be rebooted automatically. A text file will open after the restart.
  6. Please post the contents of that logfile with your next reply.
  7. You can find the logfile at C:\AdwCleaner[S1].txt as well.
 
Last edited by a moderator:

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
From what I can tell Junkware removal tool is considered to be a virus itself so I did not run it. I still cannot open and download the adwcleaner. Have tried it all day. I did run combofix and have attached a log. It said it removed Coupon Companion dll which it may have but I had to physically go to my Control Panel and uninstall the Coupon Companion software because it kept installing coupons even after the dll was deleted by combofix. How do I know when I have cleaned up my computer completely, and what is your recommendation on Junkware removal tool? Should I run it or how do I delete it?
 

Attachments

  • combofixlog.txt
    32.1 KB · Views: 126

kuttus

Level 2
Verified
Oct 5, 2012
2,697
You can run it. No need to worry, it is completely safe. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
STEP 1: Run the below OTL fix
  1. Start OTL.exe
  2. Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
Code:
:OTL
IE - HKLM\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=VertiTech...archTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=VertiTech...archTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://feed.snap.do/?publisher=VertiTech...archTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-US
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 73 8B 18 0A 93 D9 CD 01 [binary data]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snap.do/?publisher=VertiTech...archTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snap.do/?publisher=VertiTech...archTerms}
IE - HKCU\..\SearchScopes,DefaultScope = {1903ACE0-8E8A-416B-862D-296999A1534C}
IE - HKCU\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=VertiTech...archTerms}
FF - prefs.js..browser.startup.homepage: "http://search.conduit.com/?ctid=CT3279141&octid=CT3279141&SearchSource=61&CUI=UN26508244499375213&UM=UM_ID&UP=SP27FAE92C-C782-42FE-8FE1-3EFD24A9C143"
FF - prefs.js..extensions.enabledItems: smartwebprinting@hp.com:4.51
FF - prefs.js..browser.search.defaulturl: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=3&q={searchTerms}&CUI=UN26508244499375213"
FF - prefs.js..browser.search.defaultthis.engineName: "WhiteSmoke B Customized Web Search"
FF - prefs.js..browser.search.selectedEngine: "WhiteSmoke B Customized Web Search"
FF - prefs.js..CT3279141.browser.search.defaultthis.engineName: "true"
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=2&CUI=UN26508244499375213&UM=UM_ID&q="
FF - user.js - File not found
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Users\PamAndCarl\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/02 17:47:51 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/06/02 17:47:51 | 000,000,000 | ---D | M]
[2010/06/24 09:21:35 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Extensions
[2013/02/24 14:26:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\extensions
[2013/02/24 14:26:50 | 000,000,000 | ---D | M] (WhiteSmoke B) -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\extensions\{f0e59437-6148-4a98-b0a6-60d557ef57f4}
[2013/02/24 14:25:16 | 000,000,000 | ---D | M] ("Coupon Companion Plugin") -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\extensions\extension21804@extension21804.com
[2013/02/24 14:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\extensions\extension21804@extension21804.com\chrome
[2013/02/24 14:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\extensions\extension21804@extension21804.com\defaults
[2013/02/24 14:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\extensions\extension21804@extension21804.com\locale
[2013/02/24 14:25:16 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\extensions\extension21804@extension21804.com\skin
[2013/02/24 14:25:14 | 000,000,000 | ---D | M] (No name found) -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\extensions\extension21804@extension21804.com\chrome\content\extensionCode
[2013/02/24 14:26:52 | 000,000,983 | ---- | M] () -- C:\Users\PamAndCarl\AppData\Roaming\Mozilla\Firefox\Profiles\k0u1ys7k.default\searchplugins\conduit.xml
[2012/09/09 10:12:40 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files (x86)\Mozilla Firefox\extensions
[2012/10/19 15:18:49 | 000,248,192 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll
[2012/10/19 15:18:57 | 000,248,192 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npCouponPrinter.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Program Files (x86)\Mozilla Firefox\plugins\npMozCouponPrinter.dll
CHR - Extension: Coupon Companion Plugin = C:\Users\PamAndCarl\AppData\Local\Google\Chrome\User Data\Default\Extensions\jneaojaoiajhnemidnjhoempalnidbhj\1.21.11_0\crossrider
CHR - Extension: Coupon Companion Plugin = C:\Users\PamAndCarl\AppData\Local\Google\Chrome\User Data\Default\Extensions\jneaojaoiajhnemidnjhoempalnidbhj\1.21.11_0\
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O2 - BHO: (Coupon Companion Plugin) - {11111111-1111-1111-1111-110211181104} - C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll (215 Apps)
O3:64bit: - HKLM\..\Toolbar: (no name) - {ae07101b-46d4-4a98-af68-0333ea26e113} - No CLSID value found.
[2013/02/24 14:25:17 | 000,000,000 | ---D | C] -- C:\Users\PamAndCarl\AppData\Local\Coupon Companion Plugin
[2013/02/24 14:24:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Coupon Companion Plugin
[2010/06/01 14:04:14 | 000,148,736 | ---- | C] (Avanquest Software) -- C:\ProgramData\hpeEE59.dll


:commands
[emptytemp]
[reboot]
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  3. Then click the Run Fix button at the top
  4. Let the program run unhindered, reboot when it is done
  5. Attach the new log produced by OTL (C:\_OTL)
 
Last edited by a moderator:
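An added example, not part of the original post and not OTL's own code: a small Python reader for a fix script of the shape shown above, listing which browser settings, files and commands it acts on and which hosts the changed search settings point to, so the script can be reviewed before Run Fix is clicked. The line grammar is inferred only from the lines in this thread, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a few lines copied from the fix script in the post above
# (the "..." inside the snap.do URL is how the post itself shows it).
SAMPLE = r'''
:OTL
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=VertiTech...archTerms}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
FF - prefs.js..keyword.URL: "http://search.conduit.com/ResultsExt.aspx?ctid=CT3279141&SearchSource=2&CUI=UN26508244499375213&UM=UM_ID&q="
FF - prefs.js..browser.search.selectedEngine: "WhiteSmoke B Customized Web Search"
O2 - BHO: (Coupon Companion Plugin) - {11111111-1111-1111-1111-110211181104} - C:\Program Files (x86)\Coupon Companion Plugin\Coupon Companion Plugin.dll (215 Apps)
[2013/02/24 14:24:57 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Coupon Companion Plugin
[2012/10/19 15:18:49 | 000,248,192 | ---- | M] (Coupons, Inc.) -- C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll
:commands
[emptytemp]
[reboot]
'''

# Assumed grammar, inferred from the thread: "<area> - <detail>" for browser
# and registry items, "[stamp | size | attrs | C/M] (vendor) -- path" for files.
ENTRY = re.compile(r"^(IE|FF|CHR|O\d+)(?::64bit:)? - (.+)$")
FILE = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \| [\d,]+ \| (\S{4}) \| ([CM])\] "
    r"(?:\((.*?)\) )?-- (.+)$")
URL = re.compile(r'https?://[^\s"]+')


def parse_fix(text):
    """Split a fix script into the items it would act on."""
    result = {"entries": [], "files": [], "commands": [], "unparsed": []}
    section = None
    for raw in text.splitlines():
        # Forum software can insert zero-width spaces into long paths.
        line = raw.replace("\u200b", "").strip()
        if not line:
            continue
        if line.startswith(":"):
            section = line[1:].lower()
        elif section == "commands" and line.startswith("[") and line.endswith("]"):
            result["commands"].append(line[1:-1])
        elif section == "otl" and (m := ENTRY.match(line)):
            result["entries"].append({"area": m[1], "detail": m[2]})
        elif section == "otl" and (m := FILE.match(line)):
            result["files"].append({"stamp": m[1], "is_dir": "D" in m[2],
                                    "vendor": m[4] or "", "path": m[5]})
        else:
            result["unparsed"].append(line)  # review these by hand
    return result


def redirect_hosts(parsed):
    """Hosts named in the browser settings the script resets."""
    urls = (u for e in parsed["entries"] for u in URL.findall(e["detail"]))
    return {h for h in (urlsplit(u).hostname for u in urls) if h}


def area_counts(parsed):
    """Number of entries per area prefix (IE, FF, CHR, O2, ...)."""
    return dict(Counter(e["area"] for e in parsed["entries"]))


if __name__ == "__main__":
    parsed = parse_fix(SAMPLE)
    print(area_counts(parsed), sorted(redirect_hosts(parsed)))
    for f in parsed["files"]:
        print("dir " if f["is_dir"] else "file", f["vendor"] or "-", f["path"])
    print("commands:", parsed["commands"], "unparsed:", parsed["unparsed"])
```

Anything that lands in `unparsed` did not match the assumed grammar and should be read by hand before the fix is run.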

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
I did run the Junkremoval tool and have attached its log. I seemed to find and remove more items regarding the coupon creator. Next I will run the script you just sent. Thanks!
 

Attachments

  • JRT.txt
    6.3 KB · Views: 135

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay, cool... It seems JRT removed most of them... :p Anyway, run the scripts also. That one will remove the rest, if any others exist... :D
 

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
Hello. I tried the Fix in OTL twice and it freezes up. Any suggestions?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Disable your computer Firewall and Antivirus Program.
Save the OTL file on your computer desktop. Right Click on it and select Run as Administrator. After that try to run the Fix.
 

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
Well... it still does not respond. I have turned off all firewalls and anti-virus programs that I can find, I copy, paste and run as administrator. Any suggestions? Does it have anything to do with your having built the script before I ran the Junk Remover tool?
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Do one thing. Restart your computer in safe mode; after that, run the OTL Fix from safe mode.

STEP 1: Start your computer in Safe Mode with Networking
  1. Remove all floppy disks, CDs, and DVDs from your computer, and then restart your computer.
  2. Press and hold the F8 key as your computer restarts. Please keep in mind that you need to press the F8 key before the Windows start-up logo appears.
     Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the Advanced Boot Options screen.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking, and then press ENTER.
     [Image: Safe Mode with Networking screen]
 
Last edited by a moderator:

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
So how long should the fix take to finish? Even in safe mode it seems to be not responding :( I can't run as administrator because my desktop does not display in safe mode but I did run it and it just seems to sit there.....
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Okay...

Can you please try to run a scan with Farbar Recovery Scan Tool? You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
So what are we still looking for? I will work on this process soon.


kuttus said:
Okay...

Can you please try to run a scan with Farbar Recovery Scan Tool? You will need a USB (Flash) pendrive.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the flash drive. Please copy and paste it to your reply.
 

kuttus

Level 2
Verified
Oct 5, 2012
2,697
This one will give new log files... Please read the instructions very carefully before proceeding... There are some more files associated with WhiteSmoke toolbar...
 

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
OK. I did all of these things and have attached the frst64log. My computer would not restart so I had to select repair. It may have been reset to a restore point but I am not sure.

kuttus said:
This one will give new log files... Please read the instructions very carefully before proceeding... There are some more files associated with WhiteSmoke toolbar...
 

Attachments

  • FRST.txt
    25.3 KB · Views: 108

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Hi Good Morning.

It seems the Farbar Recovery Scan Tool Logs are Clean..... Can you please run the OTL once again and send me the latest logs? No need to use the scripts just run a scan like you did in the first place and update me the logs...


STEP 2: Download and Run Windows Repair (all in one)

Download Windows Repair (all in one)

  • Install the program then run it.
  • Go to step 2 and allow it to run Disc check by clicking Do It
  • Go to step 3 and allow it to run SFC
  • Go to start repairs tab select advanced mode and click start.
  • Check the box next to "Restart/Shutdown system when finished" and ensure the following is checked along with the default checks
    1. Reset File Permissions
    2. Register System Files
    3. Repair WMI
    4. Remove Policies Set By Infections
    5. Remove Temp Files
  • Then click Start.
 

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
And good morning to you too. I have attached the OTL scan. My computer did the windows repair step last night when it would not open on its own. What are the benefits to also doing the windows repair all in one?


kuttus said:
Hi Good Morning.

It seems the Farbar Recovery Scan Tool Logs are Clean..... Can you please run the OTL once again and send me the latest logs? No need to use the scripts just run a scan like you did in the first place and update me the logs...


STEP 2: Download and Run Windows Repair (all in one)

Download Windows Repair (all in one)

  • Install the program then run it.
  • Go to step 2 and allow it to run Disc check by clicking Do It
  • Go to step 3 and allow it to run SFC
  • Go to start repairs tab select advanced mode and click start.
  • Check the box next to "Restart/Shutdown system when finished" and ensure the following is checked along with the default checks
    1. Reset File Permissions
    2. Register System Files
    3. Repair WMI
    4. Remove Policies Set By Infections
    5. Remove Temp Files
  • Then click Start.
 

Attachments

  • OTL.Txt
    102.5 KB · Views: 110

kuttus

Level 2
Verified
Oct 5, 2012
2,697
Tweaking.com - Windows Repair is an all-in-one repair tool to help fix a large majority of known Windows problems including registry errors and file permissions as well as issues with Internet Explorer, Windows Update, Windows Firewall and more. Malware and installed programs can modify your default settings. With Windows Repair you can restore Windows' original settings.

Did you run the Windows Repair (all in one) using the above tool? If not, please do it.
 

dowjones

New Member
Thread author
Verified
Feb 25, 2013
22
There are eleven downloads on that page. Which one do I use? I don't believe it is the "Reimage" software at the top. I believe that is an ad.
 