WE'RE SURE THAT YOU'LL LOVE US!
Hey there! 
Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. 
Join 93085 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.
Try What the Tech -- It's free!
Pop Ups [Solved]
Started by
carsonlp
, Jan 28 2013 07:05 AM
-
This topic is locked
12 replies to this topic
#1
carsonlp
-
- Authentic Member
-
- 21 posts
Authentic Member
Posted 28 January 2013 - 07:05 AM
Register to Remove
#2
MrCharlie
-
- Malware Team
-
- 2,949 posts
SuperMember
Posted 28 January 2013 - 11:20 AM
Welcome to the forum, you're loaded with adware.
Can you post the Attach.txt from the DDS scan.
Then............
Please remove any usb or external drives from the computer before you run this scan!
Please download and run RogueKiller to your desktop.
Quit all running programs.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!
Don't run any other options, they're not all bad!!!!!!!
Post back the report which should be located on your desktop.
MrC
Can you post the Attach.txt from the DDS scan.
Then............
Please remove any usb or external drives from the computer before you run this scan!
Please download and run RogueKiller to your desktop.
Quit all running programs.
For Windows XP, double-click to start.
For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.
Click Scan to scan the system.
When the scan completes > Close out the program > Don't Fix anything!
Don't run any other options, they're not all bad!!!!!!!
Post back the report which should be located on your desktop.
Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
Please stick with me until I give you the "all clear".
(If I don't respond within 24 hours, please send me a PM)
MrC
#3
carsonlp
-
- Authentic Member
-
- 21 posts
Authentic Member
Posted 29 January 2013 - 08:11 AM
MrCharlie,
Thanks for the help.
Dis as requested EXCEPT I was unable to disable Trend Antivirus.
Ran Rogue Killer and almost immediately it came back with an error message that it had stopped.
However it did generate a log which I zipped and attached along with the 'attach' log from DDS.
Hope that is what you needed.
skip
Attached Files
-
attach.zip 2.59KB
191 downloads
-
debug.zip 10KB
176 downloads
#4
MrCharlie
-
- Malware Team
-
- 2,949 posts
SuperMember
Posted 29 January 2013 - 08:26 AM
Please uninstall these from your add/remove programs:
Coupon Companion Plugin
Searchqu Toolbar
-----------------------------------------
Then...............
Download, install Malwarebytes and scan the system as outlined in the link below:
http://www.bleepingc...alware-tutorial
Post back the log, MrC
Coupon Companion Plugin
Searchqu Toolbar
-----------------------------------------
Then...............
Download, install Malwarebytes and scan the system as outlined in the link below:
http://www.bleepingc...alware-tutorial
Post back the log, MrC
#5
carsonlp
-
- Authentic Member
-
- 21 posts
Authentic Member
Posted 30 January 2013 - 08:53 AM
Uninstalled indicated programs.
Downloaded and installed and ran MBAM scan.
The MBAM instructions indicate that after the scan I am to remove the suggested files.
You gave me no specific instructions one way or another, so I have left them intact until you are able to review the log file below.
thanks,
skip
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.01.30.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
user :: SKIPMAIN [administrator]
1/30/2013 8:32:30 AM
MBAM-log-2013-01-30 (09-47-14).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 367590
Time elapsed: 1 hour(s), 12 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 12
HKCR\AppID\{F85FA3F2-D2C8-4D4D-BB1C-3181E691AF2B} (PUP.FaceThemes) -> No action taken.
HKCR\Typelib\{A3F56272-CDB4-4310-9BB1-9A0D0757A3B3} (PUP.FaceThemes) -> No action taken.
HKCR\Interface\{D6975F9E-15B2-4FE7-9D16-FC2E85CB201B} (PUP.FaceThemes) -> No action taken.
HKCR\CLSID\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> No action taken.
HKCR\SelectionLinks.SelectionLinksBHO.1 (PUP.FaceThemes) -> No action taken.
HKCR\SelectionLinks.SelectionLinksBHO (PUP.FaceThemes) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> No action taken.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Program Files (x86)\OApps\SelectionLinks.dll (PUP.FaceThemes) -> No action taken.
(end)
Edited by carsonlp, 30 January 2013 - 08:54 AM.
#6
MrCharlie
-
- Malware Team
-
- 2,949 posts
SuperMember
Posted 30 January 2013 - 08:57 AM
Have Malwarebytes delete them, MrC
#7
carsonlp
-
- Authentic Member
-
- 21 posts
Authentic Member
Posted 30 January 2013 - 10:07 AM
Removed successfully here is the log:
Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
Database version: v2013.01.30.04
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
user :: SKIPMAIN [administrator]
1/30/2013 8:32:30 AM
mbam-log-2013-01-30 (08-32-30).txt
Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 367590
Time elapsed: 1 hour(s), 12 minute(s), 29 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 12
HKCR\AppID\{F85FA3F2-D2C8-4D4D-BB1C-3181E691AF2B} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\Typelib\{A3F56272-CDB4-4310-9BB1-9A0D0757A3B3} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\Interface\{D6975F9E-15B2-4FE7-9D16-FC2E85CB201B} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\CLSID\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\SelectionLinks.SelectionLinksBHO.1 (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\SelectionLinks.SelectionLinksBHO (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 1
C:\Program Files (x86)\OApps\SelectionLinks.dll (PUP.FaceThemes) -> Quarantined and deleted successfully.
(end)
#8
MrCharlie
-
- Malware Team
-
- 2,949 posts
SuperMember
Posted 30 January 2013 - 10:48 AM
Good....next >>>
Please download AdwCleaner from here and save it on your Desktop.
Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.
Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.
MrC
Please download AdwCleaner from here and save it on your Desktop.
AdwCleaner is a reliable removal tool for Adware, Foistware, toolbars and potentially unwanted programs.
AdwCleaner is a tool that deletes :
· Adwares (software ads)
· PUP/LPI (Potentially Undesirable Program)
· Toolbars
· Hijacker (Hijack of the browser's homepage)
It works with a Search and Deletion methode. It can be easily uninstalled using the "Uninstall" mode.
- Right-click on adwcleaner.exe and select Run As Administrator (for XP just double click) to launch the application.
- Now click on the Search tab.
- Please post the contents of the log-file created in your next post.
Note: The log can also be located at C:\ >> AdwCleaner[XX].txt >> XX <-- Denotes the number of times the application has been ran, so in this should be something like R1.
Please look over what was found, we're going to delete it all in the next step....if there's something you may want to keep...please let me know and I'll explain to why it shouldn't be on your system.
MrC
#9
carsonlp
-
- Authentic Member
-
- 21 posts
Authentic Member
Posted 30 January 2013 - 05:15 PM
Downloaded and ran adware cleaner.
I dont see anything that makes a lot of sense to me one way or another. So as far as I am concerned delete as you see fit.
Here is the log file:
# AdwCleaner v2.109 - Logfile created 01/30/2013 at 18:10:38
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : user - SKIPMAIN
# Boot Mode : Normal
# Running from : C:\Users\user\Desktop\adwcleaner.exe
# Option [Search]
***** [Services] *****
***** [Files / Folders] *****
Folder Found : C:\Program Files (x86)\OApps
Folder Found : C:\ProgramData\InstallMate
Folder Found : C:\ProgramData\Premium
***** [Registry] *****
Key Found : HKCU\Software\AppDataLow\Software\Crossrider
Key Found : HKCU\Software\Cr_Installer
Key Found : HKCU\Software\DataMngr
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SearchquMediaBar_RASMANCS
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Found : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99079A25-328F-4BD4-BE04-00955ACAA0A7}
Key Found : HKLM\SOFTWARE\DataMngr
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Key Found : HKU\S-1-5-21-2801165691-702317133-51250561-1001\Software\Microsoft\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}
Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{99079A25-328F-4BD4-BE04-00955ACAA0A7}]
Value Found : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [10]
Value Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [10]
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [2525 octets] - [30/01/2013 18:10:38]
########## EOF - C:\AdwCleaner[R1].txt - [2585 octets] ##########
#10
MrCharlie
-
- Malware Team
-
- 2,949 posts
SuperMember
Posted 30 January 2013 - 06:21 PM
It's all adware.....How's the computer now???
---------------------------
Lots of adware found....lets clear it out.....
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
Then......
Lets check your computers security before you go and we have a little cleanup to do also:
Download Security Check by screen317 from HERE or HERE.
---------------------------
Lots of adware found....lets clear it out.....
- Please re-run AdwCleaner
- Click on Delete button.
- Confirm each time with OK if asked.
- Your computer will be rebooted automatically. A text file will open after the restart. Please post the content of that logfile in your reply.
Note: You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
Then......
Lets check your computers security before you go and we have a little cleanup to do also:
Download Security Check by screen317 from HERE or HERE.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt.
- Please Post the contents of that document.
- Do Not Attach It!!!
#11
carsonlp
-
- Authentic Member
-
- 21 posts
Authentic Member
Posted 31 January 2013 - 08:37 AM
Computer is 'better' as far as I can tell. No pop ups, and seems to be running faster.
thanks
Ran AdwCleaner again and deleted :
Here is copy of log after deleating:
# AdwCleaner v2.109 - Logfile created 01/31/2013 at 09:20:38
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : user - SKIPMAIN
# Boot Mode : Normal
# Running from : C:\Users\user\Desktop\adwcleaner.exe
# Option [Search]
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [2646 octets] - [30/01/2013 18:10:38]
AdwCleaner[R2].txt - [2706 octets] - [31/01/2013 09:14:00]
AdwCleaner[R3].txt - [633 octets] - [31/01/2013 09:20:38]
AdwCleaner[S1].txt - [2664 octets] - [31/01/2013 09:14:13]
Then ran Security check here is copy of that log:
Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Trend Micro Titanium Internet Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java™ 6 Update 37
Java version out of Date!
Adobe Flash Player 11.5.502.146
Adobe Reader 10.1.5 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Trend Micro AMSP coreServiceShell.exe
Trend Micro UniClient UiFrmWrk uiWatchDog.exe
Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
Trend Micro AMSP coreFrameworkHost.exe
Trend Micro AMSP AMSP_LogServer.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
thanks
Ran AdwCleaner again and deleted :
Here is copy of log after deleating:
# AdwCleaner v2.109 - Logfile created 01/31/2013 at 09:20:38
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (64 bits)
# User : user - SKIPMAIN
# Boot Mode : Normal
# Running from : C:\Users\user\Desktop\adwcleaner.exe
# Option [Search]
***** [Services] *****
***** [Files / Folders] *****
***** [Registry] *****
***** [Internet Browsers] *****
-\\ Internet Explorer v9.0.8112.16457
[OK] Registry is clean.
*************************
AdwCleaner[R1].txt - [2646 octets] - [30/01/2013 18:10:38]
AdwCleaner[R2].txt - [2706 octets] - [31/01/2013 09:14:00]
AdwCleaner[R3].txt - [633 octets] - [31/01/2013 09:20:38]
AdwCleaner[S1].txt - [2664 octets] - [31/01/2013 09:14:13]
Then ran Security check here is copy of that log:
Results of screen317's Security Check version 0.99.57
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 9
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Trend Micro Titanium Internet Security
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.70.0.1100
Java™ 6 Update 37
Java version out of Date!
Adobe Flash Player 11.5.502.146
Adobe Reader 10.1.5 Adobe Reader out of Date!
````````Process Check: objlist.exe by Laurent````````
Trend Micro AMSP coreServiceShell.exe
Trend Micro UniClient UiFrmWrk uiWatchDog.exe
Trend Micro UniClient UiFrmWrk uiSeAgnt.exe
Trend Micro AMSP coreFrameworkHost.exe
Trend Micro AMSP AMSP_LogServer.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````
#12
MrCharlie
-
- Malware Team
-
- 2,949 posts
SuperMember
Posted 31 January 2013 - 08:54 AM
Java™ 6 Update 37 <----please uninstall from add/remove programs
Java version out of Date! <-------Download and install the latest version from Here
Uncheck the box to install the Ask toolbar!!!
Please check for an update on this if available:
Adobe Reader 10.1.5 Adobe Reader out of Date!
You have out dated programs on the system which are vulnerable to malware.
Please update or uninstall them
Info on doing that can be found in my Preventive Maintenance
~~~~~~~~~~~~~~~~~~~~~
A little clean up to do....
Please Uninstall ComboFix: (if you used it)
Press the Windows logo key + R to bring up the "run box"
Copy and paste next command in the field:
ComboFix /uninstall
Make sure there's a space between Combofix and /
Then hit enter.
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point
(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall)
---------------------------------
Please download OTL from one of the links below: (you may already have OTL on the system)
http://oldtimer.geekstogo.com/OTL.exe
http://oldtimer.geekstogo.com/OTL.com
http://www.itxassoci...T-Tools/OTL.exe
Save it to your desktop.
Run OTL and hit the CleanUp button. (This will cleanup the tools and logs used including itself)
Any other programs or logs you can manually delete.
IE: RogueKiller.exe, RKreport.txt, RK_Quarantine folder, C:\FRST, MBAR, etc....AdwCleaner > just run the program and click uninstall.
-------------------------------
Any questions...please post back.
Take a look at My Preventive Maintenance to avoid being infected again.
Good Luck and Thanks for using the forum, MrC
#13
MrCharlie
-
- Malware Team
-
- 2,949 posts
SuperMember
Posted 01 February 2013 - 10:04 AM
Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please follow the instructions here http://forums.whatth...ed_t106388.html
and start a New Topic.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
