
I need help with orphan BHO. Thank you



Hello and welcome to Malwarebytes.org

 

P2P/Piracy Warning:

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Change the download folder setting in the default Browser so all tools we may use are saved to the Desktop:

 

Google Chrome - Click the "Customize and control Google Chrome" button in the upper right-corner of the browser. Choose Settings. At the bottom of the screen click the "Show advanced settings..." link. Scroll down to find the Downloads section and click the Change... button. Select your desktop and click OK.

 

Mozilla Firefox - Click the "Open Menu" button in the upper right-corner of the browser. Choose Options. In the downloads section, click the Browse button, click on the Desktop folder and then click the "Select Folder" button. Click OK to get out of the Options menu.

 

Internet Explorer - Click the Tools menu in the upper right-corner of the browser. Select View downloads. Select the Options link in the lower left of the window. Click Browse and select the Desktop and then choose the Select Folder button. Click OK to get out of the download options screen and then click Close to get out of the View Downloads screen.

NOTE: IE8 Does not support changing download locations in this manner. You will need to download the tool(s) to the default folder, usually Downloads, then copy them to the desktop.

 

Next,

 

Follow the instructions in the following link to show hidden files:

 

http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

 

Next,

 

Please open Malwarebytes Anti-Malware.

 


On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
A Threat Scan will begin.
With some infections, you may see this message box.
 
        'Could not load DDA driver'
 
Click 'Yes' to this message, to allow the driver to load after a restart.
Allow the computer to restart. Continue with the rest of these instructions.
When the scan is complete, click Apply Actions.
Wait for the prompt to restart the computer to appear, then click on Yes.
After the restart once you are back at your desktop, open MBAM once more.

 

To get the log from Malwarebytes do the following:

 


Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click Export > From export you have three options:
 
  Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
  Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
 
Recommend you use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…

 

 

If Malwarebytes is not installed follow these instructions first:

 

Download Malwarebytes Anti-Malware to your desktop.


Double-click mbam-setup and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to the following:
Launch Malwarebytes Anti-Malware
A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
Click Finish. Follow the instructions above....

 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.


Double click on Adwcleaner.exe to run the tool.
Click on Scan
Once the scan is done, click on the Clean button. <<<--- Ensure this option is completed
You will get a prompt asking to close all programs. Click OK.
Click OK again to reboot your computer.
A text file will open after the restart. Please post the content of that logfile in your reply.
You can also find the logfile at C:\AdwCleaner[sn].txt, where n is the scan reference number

 

Next,

 

Please download Junkware Removal Tool to your desktop.


Shut down your protection software now to avoid potential conflicts. (re-enable when done)
Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
The tool will open and start scanning your system.
Please be patient as this can take a while to complete depending on your system's specifications.
On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
Post the contents of JRT.txt into your next message.

 

Next,

 

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:

https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

 

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window

In the "Scan Type" window, select Quick Scan

Perform a scan and  Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

 

1) Select the Windows key and R key together to open the "Run" function

2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

 

notepad c:\windows\debug\mrt.log

 

Post those logs, also let me know if any remaining issues or concerns...

 

 

 

Thank you,

 

Kevin...


Ok, when I tried to enter Run Line I got an error message saying "Windows can not find Run". It did not provide me with a Log after the Microsoft recovery tool scan was done. The scan found nothing.

 

I included the Logs from everything else :) The whole time my computer has been running great, but when RogueKiller found that stuff yesterday I knew something wasn't right, or maybe they were false positives. When I scanned with RogueKiller this morning in F8 it got rid of the BHO, but still found Orphan Toolbar, which it said was associated with Norton Toolbar, and also Pum. searchpage.

DesktopMalwarebytesresults1.txt

AdwCleanerS0.txt

JRT.txt


Thanks for the logs/update, run RogueKiller in normal mode as follows....

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/

 


Quit all running programs.
For Windows XP, double-click to start.
For Vista, Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User License Agreement)
Click Scan to scan the system.
When the scan completes select "Report", log will open. Close the program > Don't Fix anything!
Post back the report which should also be located here:

 

Let me see that log in your reply....

 

Thanks,

 

Kevin...


Double-click RogueKiller.exe to run again. (Vista/7/8 right-click and select Run as Administrator)

When "initializing/pre-scan" completes  press the Scan button, this may take a few minutes to complete.

When the scan completes open the Registry tab and locate the following detections:

[Orphan] (X86) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} : Norton Toolbar  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\S-1-5-21-3011760224-3171145470-2920118788-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : http://search.msn.com/spbasic.htm -> Found
[PUM.SearchPage] (X86) HKEY_USERS\S-1-5-21-3011760224-3171145470-2920118788-1000\Software\Microsoft\Internet Explorer\Main | Search Bar : http://search.msn.com/spbasic.htm  -> Found

Make sure those entries are Checkmarked (ticked) also ensure that all other entries if applicable, are not Checkmarked.

Hit the Delete button, when complete select "Report" post that log...

 

Let me see that log, also give an update on any remaining issues or concerns...

 

Thanks,

 

Kevin
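The selection step in the post above (tick only the reviewed detections, leave everything else unticked) can be checked against a saved report before anything is deleted. This is an added example, not part of the original posts and not RogueKiller code: the line layout is inferred from the three detections quoted in the thread, the fourth detection and the non-detection line are constructed, and the function names are hypothetical.

```python
import re

# Line layout seen in the thread: [Category] (VIEW) KEY | VALUE : DATA -> STATUS
LINE_RE = re.compile(
    r"^\[(?P<category>[^\]]+)\]\s+\((?P<view>X86|X64)\)\s+(?P<key>.+?)\s+\|\s+"
    r"(?P<name>.+?)\s+:\s+(?P<data>.*?)\s*->\s*(?P<status>\w+)\s*$"
)

TOOLBAR = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
MAIN = (r"HKEY_USERS\S-1-5-21-3011760224-3171145470-2920118788-1000"
        r"\Software\Microsoft\Internet Explorer\Main")
CLSID = "{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"

# Detections 1-3 are the lines quoted in the thread; the last two lines are constructed.
REPORT = "\n".join([
    f"[Orphan] (X86) {TOOLBAR} | {CLSID} : Norton Toolbar  -> Found",
    f"[PUM.SearchPage] (X64) {MAIN} | Search Bar : http://search.msn.com/spbasic.htm -> Found",
    f"[PUM.SearchPage] (X86) {MAIN} | Search Bar : http://search.msn.com/spbasic.htm  -> Found",
    f"[PUM.HomePage] (X64) {MAIN} | Start Page : http://example.invalid/ -> Found",
    "Scan finished (constructed non-detection line)",
])

# Entries the helper asked to tick, as (category, key, value name), from the thread.
APPROVED = {("Orphan", TOOLBAR, CLSID), ("PUM.SearchPage", MAIN, "Search Bar")}

def parse_report(text):
    """Return a dict per detection line; lines in any other layout are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            found.append({k: v.strip() for k, v in m.groupdict().items()})
    return found

def plan_selection(entries, approved):
    """Split detections into (tick, leave) so only reviewed entries get deleted."""
    # Registry paths and value names are case-insensitive, so compare casefolded.
    wanted = {tuple(part.casefold() for part in item) for item in approved}
    tick, leave = [], []
    for e in entries:
        ident = (e["category"].casefold(), e["key"].casefold(), e["name"].casefold())
        (tick if ident in wanted else leave).append(e)
    return tick, leave

if __name__ == "__main__":
    tick, leave = plan_selection(parse_report(REPORT), APPROVED)
    for label, group in (("TICK", tick), ("LEAVE", leave)):
        for e in group:
            print(f'{label:5} [{e["category"]}] ({e["view"]}) {e["key"]} | {e["name"]}')
```

The value name is split from the data on the first whitespace-delimited colon, so a URL in the data field stays intact.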


Yes Adblock Plus is essential and should be used, I only use Mozilla Firefox as my default browser with the following addons:

 

Adblock Plus.

Adblock Plus Pop-up Addon

Flash Block

Web of Trust.

Webutation.

 

To access Addons Manager with Firefox select these keys together Ctrl - Shift - A from there use the search function to locate necessary addons etc...

 

Next,

 

If you have no issues remaining run the following to clean up:

 

Download "Delfix by Xplode" and save it to your desktop.

 

Or use the following if first link is down:

 

"Delfix link mirror"

 

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

 

Make Sure the following items are checked:

 

 


    Remove disinfection tools
    Purge System Restore <--- this will remove all previous restore points and create a fresh point relative to system status at present.
    Reset system settings

 

Now click on "Run" and wait patiently until the tool has completed.

 

The tool will create a log when it has completed. We don't need you to post this.

 

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following link to fully understand PC security and best practices, you may find it useful....

 

http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/#entry2316629

 

Let me know if we are ok to close out..

 

Thank you,

 

Kevin..


Ok buddy I will install AdblockPlus for IE, or just switch to Firefox. Can you please answer me just a few questions before we close?

 

So are you saying to not worry about the orphan toolbar and pum.searchpage results in the RogueKiller scan?

 

Should I follow every single step mentioned here?  https://www.us-cert.gov/publications/securing-your-web-browser Or is it better to leave the IE security options at Med-High?  (I noticed when on High there are a lot of restrictions that interrupt internet activity.)

 

Should I disable Windows Defender so it does not interfere with my Anti-Virus program? 

 

I already have MalwareBytes, Malware Anti Exploit, and SuperAntiSpyware on my system also.

 

Thank you for your time and impressive level of PC knowledge :)


Regarding RogueKiller entries, do the entries you mention still show as present if you run a fresh scan? Orphan entries are just remnants from a previously installed entry that has been removed; they will not cause any issues, and it is always good practice to remove them when not needed/used.

 

Windows Defender does not have an anti-virus component for Windows 7 and below, for Windows 8/8.1 it does... On your system (Windows 7) it will not interfere with your AV program.

If your versions of Malwarebytes and Super Anti Spyware are free versions with no realtime protection leave WD settings as they are, if MB or SAS are premium and have realtime protection fully disable WD.

 

IE default settings are Medium High, I'd leave it that way if you use it. I just prefer Firefox.

 

Does that help?

 

If you are not fully conversant with RogueKiller it is probably not a good idea to use it, specifically any delete function. Many found entries are not always malicious or infected....

 

Thank you,

 

Kevin...


Yes, those same ones still show up, but now that I know that they're more or less just false positives I'm not concerned with it anymore :) Right, I'm not that conversant with RogueKiller, well not enough to always know what is a threat, and what is not a threat. If I see Tr. next to it and it's red then obviously it's a legitimate threat.

 

One last thing, why do you prefer Firefox instead of IE?

 

After you answer that you can close the thread :) I want to really thank you again for your time, and willingness to share your wide range of impressive knowledge. God Bless


Quote from well known site:

 

 

• Internet explorer is developed by Microsoft while Firefox is developed by Mozilla with the support from the community.

• Internet Explorer is a proprietary software but Firefox is an open source software.

• Internet Explorer has a very long history where the first version was released in 1995 while Firefox is not that much old where it was released in 2002.

• According to many sources, the performance of Internet Explorer is very much worse than Firefox. According to Six Revision’s Performance Comparisons of Web Browsers, in all aspects such as page loading time, CSS rendering, cache performance, JavaScript as well as DOM selection Internet explorer takes a huge time when compared to Firefox.

• Internet Explorer is only available for Windows operating system. However, Firefox can be installed on a variety of platforms including windows, Linux, Unix, Free BSD and Mac OS.

• Synchronization of settings, bookmarks and history on Internet Explorer happens via Microsoft Live accounts while in Firefox it happens with an account created especially for Firefox. However, the issue is due to the limitation of Internet Explorer to Windows one cannot synchronize between multiple devices under multiple platforms.

• Since Firefox extensions can be designed by the community it has a wide range of extensions, but for Internet Explorer that much amount of extensions is not available.

• Firefox being an open source software is much more customizable than Internet Explorer.

• Internet Explorer can be configured via Group Policy in Windows, but Firefox does not have this advantage.

• Firefox has an inbuilt pdf viewer that has a lot of capabilities, but on Internet Explorer a pdf viewer is not built in.

• Firefox allows multiple user logins via a technique called profiles to maintain different histories, bookmarks and settings. On Internet Explorer, this is not possible but can be achieved by creating a different windows user account.

• Internet Explorer has Windows Explorer like controls and operations for FTP, but Firefox FTP interface is not as nice as that on Internet Explorer.

• Internet Explorer integrates much better with Windows features such as Windows update, Desktop controls than Firefox.

• In windows operating systems, Internet Explorer is bundled with the operating system, but Firefox has to be separately installed.

• Firefox has a separate bar for search queries while Internet Explorer now has one bar that is used for both searches as well as the web address. However, the address bar in Firefox as well can be used for search queries.

• The default search engine in Firefox is Google, but it is Bing on Internet Explorer.

 

It is still down to personal choice and what we are used with. I use different Operating Systems to Windows such as Ubuntu and other Linux versions, Firefox works in those OS, IE is not compatible....

 

Take care and surf safe,

 

Kevin...


  • Root Admin

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.