
Finishing up the removal of easylifeapp virus



Outside the realm of Malwarebytes, I was able, I hope, to remove the easylifeapp virus. It was suggested that I use Malwarebytes to complete matters. I have version 1.75.0.1300, and have never used it. Do I need to do anything more than Press Scan with a choice of a quick scan?


  • Staff

Hello solarblast

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!


  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

I need to get some reports to get a base to start from so I need you to run these programs first.

-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gringo


I'm going to hold off on this until tomorrow.

I see a small window with COUPONS in the upper left corner. It's by SaveByClick. It's slow to load, but I noticed it hours ago, and it looks like it is an ad for you. Is that right? Anyway, I closed it.

It was over an area called Post Options. I'm not changing any options.


  • Staff

Hello

No I mean running DDS to get me the reports so I can start

I need to get some reports to get a base to start from so I need you to run these programs first.

-Download DDS-

  • Please download DDS from one of the links below and save it to your desktop:
    Link1
    Link2
    Link3
  • Double-Click on dds.scr and a command window will appear. This is normal.
  • Shortly after two logs will appear:
    • DDS.txt
    • Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply

Gringo

  • Staff

Hello solarblast

These are the programs I would like you to run next, if you have any problems with one of these just skip it and move on to the next one.

-AdwCleaner-

Please download AdwCleaner by Xplode onto your desktop.

  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[s1].txt as well.

-Junkware-Removal-Tool-

Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

When they are complete let me have the two reports and let me know how things are running.

Gringo


Well, something is amiss here. I downloaded AdWCleaner, and it showed up as setup.exe. No programs were running. I executed it, and got a small window called Download Helper. I clicked on something that brought up PC Fix Speed, which started an install. I tried to stop it, but it continued by telling me it was also installing 24x7 and AVGSafeguard. I managed to stop the installs, and then removed them successfully. A second try brought the same results, and I again uninstalled the three programs.

 

I picked up the program from <http://www.bleepingcomputer.com/download/adwcleaner/>, and used the Download program Now @BleepingComputer below Sponsored Ads.

 

BTW, I have a "good" copy of AdWCleaner.exe when I was trying to rid myself of EasyLifeAd.


  • Staff

Hello solarblast

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.

1. Close any open browsers or any other programs that are open.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?
Gringo

Hello solarblast

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

 

...

Gringo

 

Are you assuming that I have run my AdWCleaner.exe I got from another source rather than the one from Xplode mentioned above, and have completed the steps from JRT, including the posts of txt files?  Otherwise, this makes no sense.


If I disable security software, MSE in my case, how long do I need to disable it?  It seems I'm opening myself to trouble. I see no  instruction that says when to re-establish it.

 

As I downloaded Combofix.exe, I noticed it was being virus scanned by bleepingcomputer.com. It is not installed on my PC. Is it just temporarily used by the sUSBs downloader (Link 3)?


I'm finished.  See log.

 

The only place I knew of that had an ad virus was in Amazon. There may be others, but I don't recall them, so can't verify if they have disappeared. I believe the Amazon virus is called Window Shopper. See the jpg. If I hover around the pointer, a small window appears called Similar. It offers non-Amazon alternatives. It still persists. Googling: amazon window shopper virus, shows it is authentic.

 

A casual bit of Googling on buy and cursor hovering over the hits, shows no ad pop-ups. Perhaps you have a way of telling how ad viruses were removed by what we did here?

 

Otherwise, my PC seems to be working fine.

 

 

log.txt



  • Staff

Hello solarblast

Let's get a deeper look into the system and let's see if something shows up.

Download and run OTL

Download OTL by Old Timer and save it to your Desktop.

  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened and is the one that I need posted back here
    • Extra.txt <-- Will be minimized - save this one on your desktop in case I ask for it later
  • Please post the contents of OTL.txt in your next reply.
Gringo

  • Staff

Hello solarblast

I would like you to run this custom script for me now and when it is complete please give me the report and a status update for the computer.

Run OTL Script

  • Double-click OTL.exe to start the program.
  • Copy and Paste the following code into the customFix.png text box.

    :OTL
    FF - user.js - File not found
    FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF64_11_7_700_224.dll File not found
    FF:[b]64bit:[/b] - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    O2 - BHO: (Wondershare Video Converter Ultimate) - {65DEE40A-3E93-4cae-9F98-B8E06DCEE2BF} - C:\Program Files (x86)\Wondershare\Video Converter Ultimate\SVRIEPlugin.dll File not found
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O18:[b]64bit:[/b] - Protocol\Handler\ms-help - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\ms-itss - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\skype4com - No CLSID value found
    O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
    O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
    IE:[b]64bit:[/b] - HKLM\..\SearchScopes\{40CE5DD4-1FFB-4001-8FCF-B29EA5DF8A63}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    IE - HKLM\..\SearchScopes\{40CE5DD4-1FFB-4001-8FCF-B29EA5DF8A63}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    IE - HKU\S-1-5-21-716105666-1754228386-2663804873-1001\..\SearchScopes\{0E319C5B-DD82-44EF-930E-CF3A8034ACC1}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3293216&CUI=UN11282537426618219&UM=2
    IE - HKU\S-1-5-21-716105666-1754228386-2663804873-1001\..\SearchScopes\{3B8E0C86-FC5B-4EAD-B41F-08BCAF9C602A}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3289847&CUI=UN26172917303099727&UM=2&SSPV=TB_C3
    IE - HKU\S-1-5-21-716105666-1754228386-2663804873-1001\..\SearchScopes\{40CE5DD4-1FFB-4001-8FCF-B29EA5DF8A63}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
    [2013/01/13 21:12:34 | 000,000,000 | ---D | M] (SaveByclick) -- C:\Users\Wayne\AppData\Roaming\Mozilla\Firefox\Profiles\3mjlqxij.default\extensions\50ea4fa976276@50ea4fa9762b0.com

    :Files
    ipconfig /flushdns /c

    :Commands
    [PURITY]
    [emptyjava]
    [EMPTYFLASH]
    [reboot]

  • Then click the Run Fix button at the top.
  • Click btnOK.png.
  • OTL may ask to reboot the machine. Please do so if asked.
  • The report should appear in Notepad after the reboot. Copy and Paste that report in your next reply.

    Note** if the report does not popup after the computer reboots you can find it here in this folder - C:\_OTL\MovedFiles

    It will be named - mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss - are numbers representing the date and time the fix was run.

Let me know how things are doing

Gringo
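
A reading aid for the custom fix in the post above, added here and not part of the thread or of OTL itself: it splits a fix script into its :OTL, :Files and :Commands sections and lists which entry types, search-provider hosts and folders the :OTL section names, so the script can be reviewed before it is run. The sample is a constructed excerpt of the posted script, and the line patterns are assumptions drawn from the entries visible in it.

```python
import re
from collections import Counter

# Constructed excerpt: entries copied from the posted script, one per line.
SAMPLE_FIX = r"""
:OTL
FF - user.js - File not found
O2 - BHO: (Wondershare Video Converter Ultimate) - {65DEE40A-3E93-4cae-9F98-B8E06DCEE2BF} - C:\Program Files (x86)\Wondershare\Video Converter Ultimate\SVRIEPlugin.dll File not found
O18:[b]64bit:[/b] - Protocol\Handler\wlpg - No CLSID value found
IE - HKLM\..\SearchScopes\{40CE5DD4-1FFB-4001-8FCF-B29EA5DF8A63}: "URL" = http://www.ask.com/web?q={searchterms}&l=dis&o=ushpd
[2013/01/13 21:12:34 | 000,000,000 | ---D | M] (SaveByclick) -- C:\Users\Wayne\AppData\Roaming\Mozilla\Firefox\Profiles\3mjlqxij.default\extensions\50ea4fa976276@50ea4fa9762b0.com
:Files
ipconfig /flushdns /c
:Commands
[PURITY]
[reboot]
"""

# Assumed line shapes, taken from the entries visible in the post.
ENTRY = re.compile(r"^(FF|IE|O\d+)(?::\[b\]64bit:\[/b\])? - (.*)$")
FILE_ENTRY = re.compile(r"^\[\d{4}/\d\d/\d\d [^\]]*\] \((.*?)\) -- (.*)$")
URL_HOST = re.compile(r'"URL" = https?://([^/\s]+)')

def parse_fix(text):
    """Split a fix script into {section name: [lines]}; headers start with ':'."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError("entry before any section header: " + line)
        else:
            sections[current].append(line)
    return sections

def summarise(sections):
    """List what the :OTL section names: entry types, search hosts, paths."""
    prefixes, hosts, paths, unknown = Counter(), [], [], []
    for line in sections.get("OTL", []):
        if m := FILE_ENTRY.match(line):
            paths.append((m.group(1), m.group(2)))  # (label, folder)
        elif m := ENTRY.match(line):
            prefixes[m.group(1)] += 1
            hosts += URL_HOST.findall(m.group(2))
        else:
            unknown.append(line)  # anything the patterns do not cover
    return {"prefixes": dict(prefixes), "search_hosts": hosts,
            "paths": paths, "unknown": unknown}

if __name__ == "__main__":
    print(summarise(parse_fix(SAMPLE_FIX)))
```

Lines that land in "unknown" are the ones to read by hand before pasting a script into the tool.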

