The free version found it and quarantined it, but wouldn't delete it. When I tried, it said I had to "upgrade to premium" to actually delete it. So against my better judgement, I purchased the upgrade. Once I did, and I installed the full version, it no longer found the virus. Now, it finds the same "threats" on a daily basis (29 of them), and still no detection of cleanserp. Here is a copy of the log for both Malwarebytes and AdwCleaner. I also tried providing a screenshot of my startup page so you can see the address bar that now shows up instead of my usual Google pages. I can't paste the copy of the screenshot. In my address bar this comes up: https://secure-surf.net/
Malwarebytes
www.malwarebytes.com
-Log Details-
Scan Date: 6/26/17
Scan Time: 7:51 PM
Log File:
Administrator: Yes
-Software Information-
Version: 3.1.2.1733
Components Version: 1.0.141
Update Package Version: 1.0.2237
License: Premium
-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DAWN\Dawn
-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 381100
Threats Detected: 32
Threats Quarantined: 32
Time Elapsed: 5 min, 3 sec
-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
-Scan Details-
Process: 0
(No malicious items detected)
Module: 0
(No malicious items detected)
Registry Key: 1
PUP.Optional.SpyHunter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SpyHunter, Quarantined, [944], [345850],1.0.2237
Registry Value: 0
(No malicious items detected)
Registry Data: 0
(No malicious items detected)
Data Stream: 0
(No malicious items detected)
Folder: 5
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\_metadata, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\USERS\DAWN\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\EXTENSIONS\PPHNMCJOLBJLAHHDEGNBNBHJBGNLCEID, Quarantined, [9234], [402906],1.0.2237
File: 26
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\mithril.min.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\moment.min.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\reset.min.css, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\sortable.min.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\style.css, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\logo.svg, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\remove.svg, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_browser-icon-128px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_browser-icon-16px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_browser-icon-32px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-128px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-16px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-256px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-32px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-48px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-96px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\_metadata\computed_hashes.json, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\_metadata\verified_contents.json, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\manifest.json, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\popup.html, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\popup.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\untabs-ui.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\untabs.html, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\untabs.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.SpyHunter, C:\USERS\DAWN\APPDATA\ROAMING\ENIGMA SOFTWARE GROUP\SH_INSTALLER.EXE, Quarantined, [944], [345850],1.0.2237
PUP.Optional.SpyHunter, C:\USERS\DAWN\DESKTOP\SPYHUNTER-INSTALLER.EXE, Quarantined, [944], [345850],1.0.2237
Physical Sector: 0
(No malicious items detected)
(end)
This has been the same every day for the last 4 days. In frustration, I tried SpyHunter, which also detected cleanserp, and wanted me to pay to remove it, just like Malwarebytes. It was recommended that I use Malwarebytes instead, so I uninstalled SpyHunter and stuck with the paid version of Malwarebytes. I also tried using the AdwCleaner that is part of Malwarebytes. It did not remove cleanserp either. Here is a copy of the AdwCleaner log:
# AdwCleaner v6.047 - Logfile created 26/06/2017 at 20:11:25
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-26.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : Dawn - DAWN
# Running from : C:\Users\Dawn\Desktop\adwcleaner_6.047.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support
***** [ Services ] *****
Service Found: CouponPrinterService
Service Found: couponprinterservice
***** [ Folders ] *****
Folder Found: C:\Users\Dawn\AppData\Roaming\Enigma Software Group
Folder Found: C:\Program Files\Enigma Software Group
Folder Found: C:\sh4ldr
Folder Found: C:\ProgramData\apn
Folder Found: C:\ProgramData\Trymedia
Folder Found: C:\ProgramData\Application Data\apn
Folder Found: C:\ProgramData\Application Data\Trymedia
Folder Found: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Found: C:\Program Files (x86)\Coupons
Folder Found: C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pphnmcjolbjlahhdegnbnbhjbgnlceid
***** [ Files ] *****
No malicious files found.
***** [ DLL ] *****
No malicious DLLs found.
***** [ WMI ] *****
No malicious keys found.
***** [ Shortcuts ] *****
Shortcut infected: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk ( hxxps://launchpage.org/?uid=oTlCGGjMgxocXWGzMf4B590V%2F9qpTrFZc4fGn1E%2B5pZ0aM%2F3h8ZA1Q2Dclc4z2IsPyo%3D )
Shortcut infected: C:\Users\Dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk ( hxxps://launchpage.org/?uid=oTlCGGjMgxocXWGzMf4B590V%2F9qpTrFZc4fGn1E%2B5pZ0aM%2F3h8ZA1Q2Dclc4z2
Shortcut infected: C:\Users\Dawn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk ( hxxps://launchpage.org/?uid=oTlCGGjMgxocXWGzMf4B590V%2F9qpTrFZc4fGn1E%2B5pZ0aM%2F3h8ZA1Q2D
***** [ Scheduled Tasks ] *****
No malicious task found.
***** [ Registry ] *****
Key Found: HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found: HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found: HKLM\SOFTWARE\Trymedia Systems
Key Found: [x64] HKLM\SOFTWARE\EnigmaSoftwareGroup
Key Found: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\vosteran.com
Key Found: [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\vosteran.com
Value Found: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [ApnTBMon]
***** [ Web browsers ] *****
No malicious Firefox based browser items found.
Chrome pref Found: [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found: [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found: [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - cigiagpbkapepgklncnajbakkpkopmam
Chrome pref Found: [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - majjphhgppkndjjkmhhnbgafooenebhd
Chrome pref Found: [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - pphnmcjolbjlahhdegnbnbhjbgnlceid
Chrome pref Found: [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - hxxp://search.conduit.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&ISID=M581E26EB-97CD-4193-9A71-63CD013A5EE7&Searc
[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]
*************************
C:\AdwCleaner\AdwCleaner[S0].txt - [3878 Bytes] - [26/06/2017 20:11:25]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3951 Bytes] ##########
This virus has attached itself to Internet Explorer, which I haven't used on this device in years.