WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Plagued by SupraSavings [Solved]

Started by Marrin , Jul 10 2014 04:01 PM

SupraSavings

This topic is locked

63 replies to this topic

#1 Marrin

Authentic Member

Authentic Member
31 posts

Posted 10 July 2014 - 04:01 PM

I have tried several things to eliminate this pest, to no avail. OTL, downloaded from your site, generated two files. They are attached.

Attached Files

OTL.Txt 296.62KB 291 downloads
Extras.Txt 108.45KB 298 downloads

Advertisements

Register to Remove

#2 OCD

SuperHelper

Malware Team
5,574 posts

Posted 10 July 2014 - 10:46 PM

Hi Marrin,

My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:

I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for the issues on this machine.
Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
It's often worth reading through these instructions and printing them for ease of reference.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.
Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.

IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

Please stay with this topic until I let you know that your system appears to be "All Clear"

Important: All tools MUST be run from the Desktop.

=========================

Security Check

Download Security Check by screen317 from here or here.

Save it to your Desktop.
- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=========================

aswMBR

Download aswMBR.exe and save it to your desktop.

- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
When asked if you want to download Avast's virus definitions please select Yes.
Click Scan
Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

=========================

AdwCleaner v3: Scan & Clean

- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Click on the Scan button.
AdwCleaner will begin to scan your computer like it did before.
After the scan has finished...
Click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a log file report (AdwCleaner[S0].txt) will open automatically.
Copy and paste the contents of that log file in your next reply.
A copy of that log file will also be saved in the C:\AdwCleaner folder.

=========================

Re-run OTL (it should be located on your desktop).

- Windows XP : Double click on the icon to run it.
- Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Uncheck the boxes beside LOP Check and Purity Check.
Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open one notepad window. OTL.Txt. (No Extras.txt will be produced)
Note:The log can be located in the OTL. folder on you C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of the file, and post it with your next reply.

=========================

In your next post please provide the following:

checkup.txt
aswMBR.txt
attach MBR.zip
AdwCleaner[S0].txt
New OTL.txt
What symptoms are you experiencing?

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

#3 Marrin

Authentic Member

Authentic Member
31 posts

Posted 11 July 2014 - 11:17 AM

In attempting to follow your instructions (in order) I cannot proceed to downloading aswMBR. Norton Security Suite flags the download as "unsafe" and immediately deletes it.

How should I proceed?

#4 OCD

SuperHelper

Malware Team
5,574 posts

Posted 11 July 2014 - 08:19 PM

Hi Marrin,

In attempting to follow your instructions (in order) I cannot proceed to downloading aswMBR. Norton Security Suite flags the download as "unsafe" and immediately deletes it.

How should I proceed?

Disable Norton while you download the tool and run the scan, then re-enable it.

OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.

#5 Marrin

Authentic Member

Authentic Member
31 posts

Posted 11 July 2014 - 11:07 PM

I am slightly ashamed to admit I got impatient. I went to the parent site for aswMBR, and downloaded the program from there. For some reason, Norton accepted this version, so I ran it, and have included its output here.

The symptoms I am experiencing include large numbers of popups, that bear the tag SupraSavings or SupraServices. This happens primarily with sites that have choices to buy things, but not exclusively. Any site that includes lots of choices can trigger the popups. One particular program that is affected is 247Mahjong. When the computer is connected to the network, SupraServices blocks the center of the screen with a black window which covers the playing area. When not connected to the network, a limited version of the game is presented, except the panels, one on each side of the window which normally contain advertisements (not, I believe, from SupraSavings) are greyed out.

There are symptoms of what I think are other 'viruses', but this SupraSavings is by far the most infuriating, so I would like to approach the others later, in new topics, unless you would suggest otherwise.

Scan reports are included below. Thanks for your help.

Results of screen317's Security Check version 0.99.85

Windows 7 Service Pack 1 x64 (UAC is disabled!)

Internet Explorer 11

``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled!

Windows Firewall Disabled!

Norton Security Suite

WMI entry may not exist for antivirus; attempting automatic update.

`````````Anti-malware/Other Utilities Check:`````````

MVPS Hosts File

Spybot - Search & Destroy

Java 8 Update 5

Java version out of Date!

Adobe Reader XI

Google Chrome 35.0.1916.114

Google Chrome 35.0.1916.153

````````Process Check: objlist.exe by Laurent````````

`````````````````System Health check`````````````````

Total Fragmentation on Drive C: 1%

````````````````````End of Log``````````````````````

Run date: 2014-07-11 16:55:15

-----------------------------

16:55:15.986 OS Version: Windows x64 6.1.7601 Service Pack 1

16:55:15.986 Number of processors: 2 586 0x170A

16:55:15.988 ComputerName: FLEET-HP-G70 UserName: Marrin

16:55:18.150 Initialize success

16:55:48.252 AVAST engine defs: 14071101

16:56:41.816 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

16:56:41.821 Disk 0 Vendor: TOSHIBA_MK3255GSX FG011C Size: 305245MB BusType: 11

16:56:41.958 Disk 0 MBR read successfully

16:56:41.961 Disk 0 MBR scan

16:56:41.968 Disk 0 Windows 7 default MBR code

16:56:41.984 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 292665 MB offset 2048

16:56:42.019 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 12576 MB offset 599379968

16:56:42.173 Disk 0 scanning C:\Windows\system32\drivers

16:57:00.073 Service scanning

16:57:07.058 Service BHDrvx64 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140703.001\BHDrvx64.sys **LOCKED** 5

16:57:13.576 Service eeCtrl C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys **LOCKED** 5

16:57:14.299 Service EraserUtilRebootDrv C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5

16:57:21.464 Service IDSVia64 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140710.002\IDSvia64.sys **LOCKED** 5

16:57:32.068 Service NAVENG C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20140711.002\ENG64.SYS **LOCKED** 5

16:57:32.464 Service NAVEX15 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20140711.002\EX64.SYS **LOCKED** 5

16:57:37.412 Service pcmaxservice C:\Program Files\pcmax\pcmax.exe **INFECTED** Win32:Dropper-gen [Drp]

16:58:03.875 Modules scanning

16:58:03.886 Disk 0 trace - called modules:

16:58:03.931 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys

16:58:03.947 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c25060]

16:58:03.961 3 CLASSPNP.SYS[fffff880017c843f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80046c21f0]

16:58:06.330 AVAST engine scan C:\Windows

16:58:10.808 AVAST engine scan C:\Windows\system32

17:03:26.994 AVAST engine scan C:\Windows\system32\drivers

17:04:09.041 AVAST engine scan C:\Users\Marrin

17:16:41.784 File: C:\Users\Marrin\AppData\Roaming\UpdateServ\SearchProtect.exe **INFECTED** Win32:Dropper-gen [Drp]

17:17:12.931 File: C:\Users\Marrin\Downloads\Driver Update.exe **INFECTED** Win32:Adware-gen [Adw]

17:17:22.231 File: C:\Users\Marrin\Downloads\Mahjong1 (1).exe **INFECTED** Win32:Adware-gen [Adw]

17:17:42.182 File: C:\Users\Marrin\Downloads\Revo_Uninstaller_TSV4AGYMS.exe **INFECTED** Win32:Adware-gen [Adw]

17:18:24.551 AVAST engine scan C:\ProgramData

17:26:26.989 Scan finished successfully

17:29:52.263 Disk 0 MBR has been saved successfully to "C:\Users\Marrin\Desktop\MBR.dat"

17:29:52.303 The log file has been saved successfully to "C:\Users\Marrin\Desktop\aswMBR.txt"

Run date: 2014-07-11 16:55:15

-----------------------------

16:55:15.986 OS Version: Windows x64 6.1.7601 Service Pack 1

16:55:15.986 Number of processors: 2 586 0x170A

16:55:15.988 ComputerName: FLEET-HP-G70 UserName: Marrin

16:55:18.150 Initialize success

16:55:48.252 AVAST engine defs: 14071101

16:56:41.816 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0

16:56:41.821 Disk 0 Vendor: TOSHIBA_MK3255GSX FG011C Size: 305245MB BusType: 11

16:56:41.958 Disk 0 MBR read successfully

16:56:41.961 Disk 0 MBR scan

16:56:41.968 Disk 0 Windows 7 default MBR code

16:56:41.984 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 292665 MB offset 2048

16:56:42.019 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 12576 MB offset 599379968

16:56:42.173 Disk 0 scanning C:\Windows\system32\drivers

16:57:00.073 Service scanning

16:57:07.058 Service BHDrvx64 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\BASHDefs\20140703.001\BHDrvx64.sys **LOCKED** 5

16:57:13.576 Service eeCtrl C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys **LOCKED** 5

16:57:14.299 Service EraserUtilRebootDrv C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys **LOCKED** 5

16:57:21.464 Service IDSVia64 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\IPSDefs\20140710.002\IDSvia64.sys **LOCKED** 5

16:57:32.068 Service NAVENG C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20140711.002\ENG64.SYS **LOCKED** 5

16:57:32.464 Service NAVEX15 C:\Program Files (x86)\Norton Security Suite\NortonData\21.1.0.18\Definitions\VirusDefs\20140711.002\EX64.SYS **LOCKED** 5

16:57:37.412 Service pcmaxservice C:\Program Files\pcmax\pcmax.exe **INFECTED** Win32:Dropper-gen [Drp]

16:58:03.875 Modules scanning

16:58:03.886 Disk 0 trace - called modules:

16:58:03.931 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys

16:58:03.947 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c25060]

16:58:03.961 3 CLASSPNP.SYS[fffff880017c843f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80046c21f0]

16:58:06.330 AVAST engine scan C:\Windows

16:58:10.808 AVAST engine scan C:\Windows\system32

17:03:26.994 AVAST engine scan C:\Windows\system32\drivers

17:04:09.041 AVAST engine scan C:\Users\Marrin

17:16:41.784 File: C:\Users\Marrin\AppData\Roaming\UpdateServ\SearchProtect.exe **INFECTED** Win32:Dropper-gen [Drp]

17:17:12.931 File: C:\Users\Marrin\Downloads\Driver Update.exe **INFECTED** Win32:Adware-gen [Adw]

17:17:22.231 File: C:\Users\Marrin\Downloads\Mahjong1 (1).exe **INFECTED** Win32:Adware-gen [Adw]

17:17:42.182 File: C:\Users\Marrin\Downloads\Revo_Uninstaller_TSV4AGYMS.exe **INFECTED** Win32:Adware-gen [Adw]

17:18:24.551 AVAST engine scan C:\ProgramData

17:26:26.989 Scan finished successfully

17:29:52.263 Disk 0 MBR has been saved successfully to "C:\Users\Marrin\Desktop\MBR.dat"

17:29:52.303 The log file has been saved successfully to "C:\Users\Marrin\Desktop\aswMBR.txt"

17:39:36.890 Disk 0 MBR has been saved successfully to "C:\Users\Marrin\Desktop\MBR.dat"

17:39:36.899 The log file has been saved successfully to "C:\Users\Marrin\Desktop\aswMBR.txt"

# AdwCleaner v3.215 - Report created 11/07/2014 at 18:06:34

# Updated 09/07/2014 by Xplode

# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

# Username : Marrin - FLEET-HP-G70

# Running from : C:\Users\Marrin\Desktop\AdwCleaner.exe

# Option : Clean

***** [ Services ] *****

Service Deleted : hlnfd

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\374311380

Folder Deleted : C:\ProgramData\NCH Software

Folder Deleted : C:\Program Files (x86)\File Type Assistant

Folder Deleted : C:\Program Files (x86)\NCH Software

Folder Deleted : C:\Program Files\003

Folder Deleted : C:\Program Files\SupraSavings

Folder Deleted : C:\Users\Marrin\AppData\Local\Browsersafeguard

Folder Deleted : C:\Users\Marrin\AppData\Local\FileTypeAssistant

Folder Deleted : C:\Users\Marrin\AppData\Local\genienext

Folder Deleted : C:\Users\Marrin\AppData\Roaming\DriverCure

Folder Deleted : C:\Users\Marrin\AppData\Roaming\NCH Software

Folder Deleted : C:\Users\Marrin\AppData\Roaming\newnext.me

Folder Deleted : C:\Users\Marrin\AppData\Roaming\Nico Mak Computing

Folder Deleted : C:\Users\Marrin\AppData\Roaming\OpenCandy

Folder Deleted : C:\Users\Marrin\AppData\Roaming\Systweak

Folder Deleted : C:\Users\Marrin\AppData\Roaming\UpdaterEX

Folder Deleted : C:\Users\Mary Delle\AppData\Local\FileTypeAssistant

Folder Deleted : C:\Users\Mary Delle\AppData\Roaming\Systweak

Folder Deleted : C:\Users\Public\Documents\ShopperPro

Folder Deleted : C:\Users\Mary Delle\AppData\Local\Google\Chrome\User Data\Default\Extensions\adpkifcfcacgmnggcbpbjbkdijciiigm

Folder Deleted : C:\Users\F-Squared\AppData\Local\Google\Chrome\User Data\Default\Extensions\bakijjialdiiboeaknfpmflphhmljfkd

Folder Deleted : C:\Users\LAS\AppData\Local\Google\Chrome\User Data\Default\Extensions\bakijjialdiiboeaknfpmflphhmljfkd

Folder Deleted : C:\Users\Mary Delle\AppData\Local\Google\Chrome\User Data\Default\Extensions\bakijjialdiiboeaknfpmflphhmljfkd

Folder Deleted : C:\Users\Mary Delle\AppData\Local\Google\Chrome\User Data\Default\Extensions\cmclajginlihohopoeofghddnhpplhom

Folder Deleted : C:\Users\Marrin\AppData\Local\Google\Chrome\User Data\Default\Extensions\iijmpjamifmplbakhgikofogdfackici

Folder Deleted : C:\Users\Mary Delle\AppData\Local\Google\Chrome\User Data\Default\Extensions\iijmpjamifmplbakhgikofogdfackici

Folder Deleted : C:\Users\F-Squared\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg

Folder Deleted : C:\Users\LAS\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg

Folder Deleted : C:\Users\Mary Delle\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg

[!] Folder Deleted : C:\Users\F-Squared\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg

[!] Folder Deleted : C:\Users\LAS\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg

[!] Folder Deleted : C:\Users\Mary Delle\AppData\Local\Google\Chrome\User Data\Default\Extensions\jonjajmpblmjkhjemkalbddhodlehkfg