Jump to content

Unable to remove Superfish


Recommended Posts

Hello,

 

Fist a bit of background: I've tried basically every tool around (even purchased Malwarebytes premium but still no avail) and got to the point where i lost all hope. Did a full format and reinstalled Windows just to see, to my dismay, that this infection wouldn't go away. After the first format everything went ok, until i tried to access my 2 favorite pages: 9gag.com and the steam store page.

 

Not sure if this is what really triggers the infection, but im baffled and at a loss here. I got to the point where i tried to use my laptop to work around this problem just to be greeted by the same popups and iframe injections than in the pc (even after doing a full format and reinstalling windows too!!)

 

So, this is my last hope to try to defeat this dammed infection, hopefully there would be a cure.

 

-A very stressed out guy.

Addition.txt

FRST.txt

Link to post
Share on other sites

Hello,
    
 
They call me TwinHeadedEagle around here, and I'll be working with you.
 
     
    
Before we start please read and note the following:

  • Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
  • Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
  • Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
  • Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
  • Always execute my instructions in given order. If for some reason you cannot completely follow one instruction, inform me about that.
  • Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
  • Note that we may live in totally different time zones, what may cause some delays between answers.
  • Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
  • If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

:excl: I can't foresee everything, so if anything unexpected happens, please stop and inform me!
:excl: There are no silly questions. Never be afraid to ask if in doubt!
 
 
 
  warning.gif Rules and policies
 
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
 
Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.
 
 
 
 

51a612a8b27e2-Zoek.png Scan with ZOEK
 
Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns;b
  • Right-click on 51a612a8b27e2-Zoek.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Wait patiently until the main console will appear, it may take a minute or two.
  • In the main box please paste in the following script:
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

Link to post
Share on other sites

Does it happen in all browsers?
 
 
51a46ae42d560-malwarebytes_anti_malware. Scan with Malwarebytes' Anti-Malware
 
Please re-run 51a46ae42d560-malwarebytes_anti_malware. Malwarebytes' Anti-Malware.

  • First of all, select update.
  • Once updated, click the Settings tab, in the left panel choose Detection & Protection and tick Scan for rootkits.
  • Click the Scan tab, choose Threat Scan is checked and click Scan Now.
  • If threats are detected, click the Apply Actions button. You will now be prompted to reboot. Click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the newest Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and include its content in your next reply.
 
 
 
 
 

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

Link to post
Share on other sites

Not all websites but it does happen on both browsers i have installed. Anyway, tried again a full format using a different version of win 7, and seems to be ok, although i did saw that when i tried to access Steam (http://store.steampowered.com) it was waiting for a conection to dns.cloudscout.com or something like that, but i terminated the connection before the page was fully loaded just in case this is the reason for the infection persisting.

 

I'll give you another update this evening.

 

Thanks again.

Link to post
Share on other sites

Can you make a picture of pop-up? Does it pop-up on all websites?
 
 
FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

Link to post
Share on other sites

It happens mostly on the page in screenshot, but so far i saw that it happens on other pages like bestbuy.com or amazon (basically every page with a div to inject). I tried something else and got it to stop, using the settings on chrome i blocked content and javascript for the following hostnames:

  • [*.]cloudguard.me
  • [*.]superfish.com
  • www.superfish.com
  • [*.]cloudscout.moko24.com
  • [*.]cloudscout

And by doing this, it stopped. But the moment i allow this content or remove the blocking settings, it comes back, so i suppose there must be a registry injecting code to my pages or something like that.

Addition.txt

FRST.txt

post-181367-0-04512800-1421212023_thumb.

Link to post
Share on other sites

Quite sure, and did it several times. And i also think i found the culprit: the only common things between the laptop and the Pc when i did the full reinstall were the antivirus, the updates and the steam client. At one point i was able to get rid of the malware, hence the "i think its ok now" but to see it come back after some hours. On the course of past couple of days (and after getting a corrupted hard drive tables or something like that because of my fumbling around the registry) did a new reinstall but now abstaining of installing steam. Well, it worked, no more superfish.

 

After some reasoning i figured that there was something within steam that was driving the malware into my system, the posibilities were that (since its a program that syncs data between systems) somehow the malware was bouncing between Pc and laptop at some point, ruled that one out after full formats and erasing all data. Still the malware came back.

 

Then it occurred to me that maybe the server data was infected, and syncing with my account was the way in. So i tried to erase the data from server, and still was no good.

 

After some more thought and searching around other forums for hacked accounts, and did something that i should've done since the beginning: changing my password. By doing that, every other site i've visited and logged in was signed out and effectively cut off all data transmission, which did the trick. Not sure which site could have done the infection, but so far so good for me since i don't have that nasty malware anymore. I'm still testing and monitoring the cookies and traffic from my system and if there are any news i'll give this thread another update.

 

I'm writing all this in hope that maybe it would help you help someone else in the future and spare him the frustration i went through with this. Anyway, thanks again for all the help and keep up the good work. Cheers.

 

Mechelada-cerveza-corona.jpg

(Mexican Beer, mexican style)

Link to post
Share on other sites

FRST.gif Scan with Farbar Recovery Scan Tool
 
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

Link to post
Share on other sites

Here ya go.

 

i'm getting some info on web atacks by norton, here it is:

 

Category: Intrusion Prevention
Date & Time
17/01/2015 12:30:10 p.m.

Risk

High

Activity

An intrusion attempt by 50.97.54.226 was blocked.

Status

Blocked

Recommended Action

No Action Required

IPS Alert Name

Web Attack:PUP/Adware/Fake Application Download 4

Default Action

No Action Required

Action Taken

No Action Required

Attacking Computer

"50.97.54.226, 80"

Attacker URL

"t.cttsrv.com/jstex.js?

callback=jQuery19102709830154849294_1421519410431&d=DP3070NTAAAA&i=&p=0&s=1024x768&u=http://www.majorgeeks.com/files/details/farbar_recovery_scan_tool_(frst)_64_bit.html&_=1421519410433"

Destination Address

"DANTE-PC (192.168.0.2, 51711)"

Source Address

50.97.54.226

Traffic Description

"TCP, www-http"
Network traffic from <b>t.cttsrv.com/jstex.js?callback=jQuery19102709830154849294_1421519410431&d=DP3070NTAAAA&i=&p=0&s=1024x768&u=http://www.majorgeeks.com/files/details/farbar_recovery_scan_tool_(frst)_64_bit.html&_=1421519410433</b>matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\INTERNET EXPLORER\IEXPLORE.EXE. 

 

Addition.txt

FRST.txt

Link to post
Share on other sites

warning.gif Multiple Resident Protection warning!
 
Always have one (and no more than one!) AntiVirus program! In this case having more of them will not provide you with better protection - instead they may cause slowness, lock-ups and even mark another ones as harmful, leading to leave your system unstable and even damaged. Please choose only one from the listed below to stay with and uninstall the others:

  • avast Free Antivirus
  • Norton Internet Security

Uninstallation procedure:

  • Press the WindowsKey.png + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for each uninstalled entry, right-click it and select Uninstall.

This should be done until any other steps will be taken.
 
 
 
 
FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif

 
Download attached fixlist.txt file and save it to the Desktop:
 
Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    (XP users click run after receipt of Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please post it to your reply.

fixlist.txt

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.