adware i cant get rid of

[ihateverything]

when running frst64 i get an error that says "Subscript used on non-accessible variable."

 

it doesnt create the addition text file 

FRST.txt

[MrCharlie]

Please re-scan with FRST (it will automatically update to the latest version) and Make sure the Addition Box is checked.

http://www.fixitpc.pl/picasso/images/malware/tools/frst/frst_win05.png

Post or attach the 2 logs FRST.txt and Addition.txt

 

MrC

[ihateverything]

 

I cant get it to create the addition file

 

This error keeps coming up and I cant find a fix for this error online anywhere either

[MrCharlie]

Download, unzip and try the attached version.

 

MrC

FRST64.zip

[ihateverything]

that worked

FRST.txt

Addition.txt

[MrCharlie]

Please upload this file to VirusTotal for a free scan.
Let me know the results...just copy back the URL.
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.

C:\Windows\wnavga.exe

===============================

Download the attached fixlist.txt to the same folder as FRST.exe/FRST64.exe.
Run FRST.exe/FRST64.exe and click Fix only once and wait
The tool will create a log (Fixlog.txt) in the folder, please post it to your reply.

==============================

Please re-scan with FRST and Make sure the Addition Box is checked.
http://www.fixitpc.pl/picasso/images/malware/tools/frst/frst_win05.png
Post or attach the 2 logs FRST.txt and Addition.txt

MrC

fixlist.txt

[ihateverything]

https://www.virustotal.com/en/file/263a9dfec5ed62dc0f69caf5e39ce2775e8ad8bd791150d154d043b135d7f48f/analysis/1442105876/​

 

 

Fixlog.txt

FRST.txt

Addition.txt

[ihateverything]

https://www.virustotal.com/en/file/263a9dfec5ed62dc0f69caf5e39ce2775e8ad8bd791150d154d043b135d7f48f/analysis/1442110254/

​

these links dont work well

[MrCharlie]

How is it????

MrC

[ihateverything]

Im getting weird like popups that open new tabs when i start chrome or search things and my netflix doesnt work in chrome either (followed the netflix error code guide but it didnt fix it) but it was working before all this

 

Im going to try to get screenshots of these windows next time it happens

[MrCharlie]

OK...sounds like it in Chrome.

First try this:

Open up Chrome by clicking on the 3 bars in the upper right hand corner.

Then in Chrome go to Tools > > Extensions > Make sure the Developer Mode box is checked in the upper right hand corner > uncheck all the extensions and see if that makes a difference.

Then...........

Please download AdwCleaner from HERE or HERE to your desktop.

• Double click on AdwCleaner.exe to run the tool.

  Vista/Windows 7/8 users right-click and select Run As Administrator

• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• When it's done you'll see: Pending: Please uncheck elements you don't want removed.
• Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
• Look over the log especially under Files/Folders for any program that may have been targeted by mistake.
• If there's a program you may want to save, just uncheck it from AdwCleaner.
• If you're not sure, post the log for review. (all items found are either adware/spyware/foistware)
• If you're ready to clean it all up.....click the Clean button.
• After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
• Copy and paste the contents of that logfile in your next reply.
• A copy of that logfile will also be saved in the C:\AdwCleaner folder.
• Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
• To restore an item that has been deleted:
• Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

MrC

[ihateverything]

# AdwCleaner v5.007 - Logfile created 14/09/2015 at 14:32:15

# Updated 08/09/2015 by Xplode

# Database : 2015-09-10.1 [server]

# Operating system : Windows 10 Home  (x64)

# Username : MDEWMAN - KOOLMAN

# Running from : C:\Users\MDEWMAN\Downloads\AdwCleaner (2).exe

# Option : Cleaning

# Support : http://toolslib.net/forum

 

***** [ Services ] *****

 

 

***** [ Folders ] *****

 

[-] Folder Deleted : C:\Program Files (x86)\globalUpdate

[-] Folder Deleted : C:\Program Files (x86)\Lightspark 0.5.3-git

[-] Folder Deleted : C:\Program Files (x86)\predm

[-] Folder Deleted : C:\Program Files (x86)\StartPoint

[-] Folder Deleted : C:\Program Files (x86)\OLBPre

[-] Folder Deleted : C:\Program Files (x86)\Music App

[-] Folder Deleted : C:\ProgramData\BoostSoftware

[-] Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Lightspark 0.5.3-git

[-] Folder Deleted : C:\Users\MDEWMAN\AppData\Local\globalUpdate

[-] Folder Deleted : C:\Users\MDEWMAN\AppData\Local\Updater

[-] Folder Deleted : C:\Users\MDEWMAN\AppData\Local\BrowserHelper

[-] Folder Deleted : C:\Users\MDEWMAN\AppData\Local\StormFall

[-] Folder Deleted : C:\Users\MDEWMAN\AppData\LocalLow\imeshmusicboxtoolbarnew

[-] Folder Deleted : C:\Users\MDEWMAN\AppData\Roaming\DigitalSites

[-] Folder Deleted : C:\Users\MDEWMAN\AppData\Roaming\Search Protection

[-] Folder Deleted : C:\Users\MDEWMAN\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Games Bot

[-] Folder Deleted : C:\Users\Public\Documents\Goobzo

 

***** [ Files ] *****

 

[-] File Deleted : C:\WINDOWS\mlwps.exe

 

***** [ Shortcuts ] *****

 

 

***** [ Scheduled tasks ] *****

 

 

***** [ Registry ] *****

 

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\NCTAudioCDGrabber2.DLL

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\ShopperPro.DLL

[-] Key Deleted : HKLM\SOFTWARE\Classes\iMesh.AudioCD

[-] Key Deleted : HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\SysMenuExt

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\SysMenu.DLL

[-] Key Deleted : HKLM\SOFTWARE\Classes\pc-mechanic

[-] Key Deleted : HKLM\SOFTWARE\Classes\ChromaticHTM

[-] Key Deleted : HKLM\SOFTWARE\56c262d7-8bab-4a8c-a3b0-76db8616fec0

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{58FDA6AF-67D8-4198-B7CD-94B17532C8D5}

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D813D5BB-EBC7-45F9-B8A4-36A305168069}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3278F5CF-48F3-4253-A6BB-004CE84AF492}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{35B8892D-C3FB-4D88-990D-31DB2EBD72BD}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3B5702BA-7F4C-4D1A-B026-1E9A01D43978}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{3BF72F68-72D8-461D-A884-329D936C5581}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{577975B8-C40E-43E6-B0DE-4C6B44088B52}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5EB0259D-AB79-4AE6-A6E6-24FFE21C3DA4}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{69F256DF-BA98-45E9-86EA-FC3CFECF9D30}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6E87FC94-9866-49B9-8E93-5736D6DE3DD7}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{78E9D883-93CD-4072-BEF3-38EE581E2839}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{7E49F793-B3CD-4BF7-8419-B34B8BD30E61}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{834469E3-CA2B-4F21-A5CA-4F6F4DBCDE87}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{83AC1413-FCE4-4A46-9DD5-4F31F306E71F}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{8529FAA3-5BFD-43C1-AB35-B53C4B96C6E5}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ADBC39BE-3D20-4333-8D99-E91EB1B62474}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CADAF6BE-BF50-4669-8BFD-C27BD4E6181B}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E06CA7F5-BA34-4FF6-8D24-B1BDC594D91F}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F6421EE5-A5BE-4D31-81D5-C16B7BF48E4C}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{FD8E81D0-F5FE-4CB1-9AEA-1E163D2BAB78}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{6EDBF8C0-C94C-4A13-956F-E393BCA5BA4B}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{82351441-9094-11D1-A24B-00A0C932C7DF}

[-] Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{5D637FAD-E202-48D1-8F18-5B9C459BD1E3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}

[-] Key Deleted : HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{93E3D79C-0786-48FF-9329-93BC9F6DC2B3}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C4C4F1F4-3074-4CB6-9FB8-0A64273166F0}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{82351433-9094-11D1-A24B-00A0C932C7DF}

[-] Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{81CA8FCD-1420-4A07-B47D-B30F3DDA79E1}

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7C3B01BC-53A5-48A0-A43B-0C67731134B9}

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5E89ACE9-E16B-499A-87B4-0DBF742404C1}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{020B1D4B-5738-4C77-9E19-4F173DD9B486}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{2BEF239C-752E-4001-8048-F256E0D8CD93}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3F607E46-0D3C-4442-B1DE-DE7FA4768F5C}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{49C00A51-6E59-41FE-B3FA-2D2157FAD67B}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{6DFF5DBA-AE3A-46DB-B301-ECFFC6DB2982}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{DE34CD67-F1C8-4001-9A23-B8A68F63F377}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{FE0273D1-99DF-4AC0-87D5-1371C6271785}

[-] Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}

[-] Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CC865B26-C31D-4D23-B17B-96548EEF03F6}

[-] Key Deleted : HKU\.DEFAULT\Software\Goobzo

[-] Key Deleted : HKU\.DEFAULT\Software\PennyBee

[-] Key Deleted : HKU\.DEFAULT\Software\GeekBuddyRSP

[-] Key Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\Compete

[-] Key Deleted : HKCU\Software\Brothersoft

[-] Key Deleted : HKCU\Software\GlobalUpdate

[-] Key Deleted : HKCU\Software\Goobzo

[-] Key Deleted : HKCU\Software\Imesh

[-] Key Deleted : HKCU\Software\InstalledBrowserExtensions

[-] Key Deleted : HKCU\Software\Chromatic

[-] Key Deleted : HKLM\SOFTWARE\AppDataLow\SOFTWARE\_CrossriderRegNamePlaceHolder_

[-] Key Deleted : HKLM\SOFTWARE\GlobalUpdate

[-] Key Deleted : HKLM\SOFTWARE\Goobzo

[-] Key Deleted : HKLM\SOFTWARE\InstalledBrowserExtensions

[-] Key Deleted : HKLM\SOFTWARE\Lightspark Team

[-] Key Deleted : HKLM\SOFTWARE\Uniblue

[-] Key Deleted : HKLM\SOFTWARE\BoostSoftware

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Lightspark

[-] Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7ADF667E-E14D-4D2C-827C-B0108F0D93BC}

[!] Key Not Deleted : [x64] HKCU\Software\Brothersoft

[!] Key Not Deleted : [x64] HKCU\Software\GlobalUpdate

[!] Key Not Deleted : [x64] HKCU\Software\Goobzo

[!] Key Not Deleted : [x64] HKCU\Software\Imesh

[!] Key Not Deleted : [x64] HKCU\Software\InstalledBrowserExtensions

[!] Key Not Deleted : [x64] HKCU\Software\Chromatic

[-] Key Deleted : [x64] HKLM\SOFTWARE\InstalledBrowserExtensions

[-] Key Deleted : [x64] HKLM\SOFTWARE\YTDownloader

[!] Key Not Deleted : HKU\.DEFAULT\Software\AppDataLow\Software\Compete

[!] Key Not Deleted : HKU\S-1-5-18\Software\AppDataLow\Software\Compete

 

***** [ Web browsers ] *****

 

[-] [C:\Users\MDEWMAN\AppData\Roaming\Mozilla\Firefox\Profiles\69h66f3e.default\prefs.js] [Preference] Deleted : user_pref("extensions.a14fef81ee28d4335a493c2d6383fd42ff9b4872bccb5bcom70121.70121.internaldb.Resources_meta.value", "%7B%22handlebars.js%22%3A%7B%22id%22%3A980195%2C%22ver%22%3A1%2C%22status%22%3A1%2[...]

[-] [C:\Users\MDEWMAN\AppData\Roaming\Mozilla\Firefox\Profiles\69h66f3e.default\prefs.js] [Preference] Deleted : user_pref("extensions.a14fef81ee28d4335a493c2d6383fd42ff9b4872bccb5bcom70121.70121.internaldb.Resources_resource_980204.value", "%22function%20startAskCom%28e%2Ct%2Cr%29%7Bfunction%20a%28e%29%7Bvar%20[...]

[-] [C:\Users\MDEWMAN\AppData\Roaming\Mozilla\Firefox\Profiles\69h66f3e.default\prefs.js] [Preference] Deleted : user_pref("extensions.a14fef81ee28d4335a493c2d6383fd42ff9b4872bccb5bcom70121.70121.internaldb.monetization_plugin_bundledUrls.value", "%7B%22dealply_s%22%3A%7B%22urls%22%3A%5B%22ssfiles.com%22%5D%7D%2[...]

 

*************************

 

:: Winsock settings cleared

 

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [9110 bytes] ##########

[MrCharlie]

How is it????

 

MrC

[ihateverything]

after the adwcleaner + all extensions disabled the popups are still there its weird

 

here are screenshots of some

 

[MrCharlie]

Please download and run AVAST-Browser-Cleanup: (let it clean what it finds)
http://files.avast.com/files/tools/avast-browser-cleanup.exe<----AVAST browser cleanup

if still no good...........

1. Download and run this tool (Software removal tool), immediately it will start searching for suspicious programs on your computer and then shows a message how many programs it found.
https://www.google.com/chrome/srt/

2. Click ‘Remove suspicious programs ‘and wait for the tool to show ‘removal complete’ message.

3. Click ‘Continue’ to quit the tool (you may be prompted to restart your computer, do so)

Make sure you don't skip this step!!!!!
4. After that, Chrome will automatically open and asks to reset browser settings, click ‘Reset’.

Let me know.....MrC

[ihateverything]

damn, i ran both and both of them found nothing

[MrCharlie]

You reset Chrome...correct?

Please re-scan with FRST and Make sure the Addition Box is checked.

http://www.fixitpc.pl/picasso/images/malware/tools/frst/frst_win05.png

Post or attach the 2 logs FRST.txt and Addition.txt

MrC

[ihateverything]

FRST.txtAddition.txt

[ihateverything]

yes chrome was reset

[MrCharlie]

See if you can uninstall this program:
globalupdate Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.0 - globalupdate Inc.) <==== ATTENTION

=============================================

See if you can use your task manager to end task on this file:
C:\Windows\wnavga.exe

See if that make a difference
and......
Do you recognize it:
R2 WinGraph; C:\Windows\wnavga.exe [7680 2015-05-14] () [File not signed]

=============================================

Download zoek.exe to your Desktop:
http://hijackthis.nl/smeenk/

Disable your AntiVirus and AntiSpyware programs, so they do not interfere with the running of Zoek.exe. You can find instructions how to disable your security applications Here
http://www.bleepingcomputer.com/forums/topic114351.html

On Windows Vista, 7, and 8, right-click Zoek.exe and select: Run as Administrator
Give it a few seconds to appear

Next, copy/paste the entire script inside the codebox below to the input field of Zoek:


autoclean;
emptyalltemp;
CHRdefaults;
ipconfig /flushdns;b

 

Now...
Close any open programs.
Click the Run script button, and wait. It takes a few minutes to run.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

MrC

[ihateverything]

I uninstalled globalupdate helper

 

I can end task on wnavga.exe but it comes back 3 seconds later, I found out that if i end task on this thing called usinjector service which is running windows graphics accelerator the wnavga.exe process goes away permanently, however i dont think this is the problem as doing this totally breaks chrome and it gives me a proxy error message and doesnt work at all (have to restart to get chrome to work after that it seems)

 

I did zoek, here are results

zoek-results.txt

 

still getting the popups though

[MrCharlie]

This is happening in Chrome only...correct????

Please clean your cache, history, and other browser data:

https://support.google.com/chrome/answer/95582?hl=en

======================================

I don't think we missed anything so far as malware but lets run this scanner: (we may have to re-install Chrome)

Please run a free online scan with the ESET Online Scanner (it may take a while to run)

Note: You will need to use Internet Explorer for this scan.

First please Disable any Antivirus you have active, as shown in This Topic

FAQ

Note: Don't forget to re-enable it after the scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats is unchecked and the option Scan unsafe applications is checked

Click Advanced settings and select the following:

Click Start

Wait for the scan to finish

If threats were found:

Click on "list of threats found"

Click on "export to text file" and save it as ESET SCAN and save to the desktop

Click on back

Put a checkmark in "Uninstall application on close"

Click on finish

Post back the log.....MrC

[AdvancedSetup]

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!