Jump to content

Recommended Posts

I purchased the premium version of malware so I could remove a virus called cleanserp. It takes over google and becomes the default search engine that redirects you to outside sources. When I searched on how to remove it, malwarebytes came up as the tool to use. I downloaded the free trial, and it found the virus.. however, I couldn't remove it without paying the premium membership. Now that I have done that and updated the software, it is no longer finding cleanserp to quarantine or remove. It's still on my computer and it's hiding. Why would the trial version find it and the premium version not? How can I get rid of it if the software won't recognize it? This is bogus and I'm really pissed that I just paid $40 and got nothing for it.  I want cleanserp off my machine. It came as a rider that attached itself to another download and set itself up as my google default search engine. I can't remove it, disable it, uninstall it, or make any other search engine my default. It has added another extension "unTabs" to my address bar and I can't get rid of that one either.  I need help or a refund so I can get a program that actually works.

Link to post
Share on other sites

Hello and Welcome...

For the record, the FREE version (which comes with a 14day Trial) will scan, detect and allow you to remove any items detected for FREE, you do not have to purchase to remove anything the FREE (even after the trial has expired) version detects, are you sure you are using the correct Malwarebytes?

Can you provide a screenshot of what your using?

Let's try and get some logs first so the team can review them and see if they can tell what may be causing your issues....

  1. If that does not correct the issue, then please read the following and attach to your next reply the 3 requested logs - Diagnostic Logs (the 3 logs are: mb-check-results.zip, FRST.txt, Addition.txt)

Please let us know how it goes.

Thank You,


Link to post
Share on other sites

The free version found it and quarantined it, but wouldn't delete it. When I tried, it said I had to "upgrade to premium" to actually delete it. So against my better judgement, I purchased the upgrade. Once I did, and I installed the full version, it no longer found the virus. Now, it finds the same "threats" on a daily basis (29 of them), and still no detection of cleanserp.  Here is a copy of the log for both malwarebytes and adwcleaner.  I also tried providing a screen shot of my startup page so you can see the address bar that now shows up instead of my usual google pages. I can't paste the copy of the screenshot.  In my address bar this comes up: https://secure-surf.net/  


-Log Details-
Scan Date: 6/26/17
Scan Time: 7:51 PM
Log File: 
Administrator: Yes

-Software Information-
Components Version: 1.0.141
Update Package Version: 1.0.2237
License: Premium

-System Information-
OS: Windows 10
CPU: x64
File System: NTFS
User: DAWN\Dawn

-Scan Summary-
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 381100
Threats Detected: 32
Threats Quarantined: 32
Time Elapsed: 5 min, 3 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 1
PUP.Optional.SpyHunter, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\SpyHunter, Quarantined, [944], [345850],1.0.2237

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 5
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\_metadata, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1, Quarantined, [9234], [402906],1.0.2237

File: 26
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\mithril.min.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\moment.min.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\reset.min.css, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\sortable.min.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\assets\style.css, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\logo.svg, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\remove.svg, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_browser-icon-128px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_browser-icon-16px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_browser-icon-32px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-128px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-16px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-256px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-32px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-48px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\images\untabs_ext-icon-96px.png, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\_metadata\computed_hashes.json, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\_metadata\verified_contents.json, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\manifest.json, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\popup.html, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\popup.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\untabs-ui.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\untabs.html, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.unTabs, C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Extensions\pphnmcjolbjlahhdegnbnbhjbgnlceid\0.9.4_1\untabs.js, Quarantined, [9234], [402906],1.0.2237
PUP.Optional.SpyHunter, C:\USERS\DAWN\APPDATA\ROAMING\ENIGMA SOFTWARE GROUP\SH_INSTALLER.EXE, Quarantined, [944], [345850],1.0.2237
PUP.Optional.SpyHunter, C:\USERS\DAWN\DESKTOP\SPYHUNTER-INSTALLER.EXE, Quarantined, [944], [345850],1.0.2237

Physical Sector: 0
(No malicious items detected)


This is the same every day for the last 4 days.  In frustration, I tried spyhunter, which also detected cleanserp, and wanted me to pay to remove it, just like malwarebytes. It was recommended that I use malewarebytes instead, so I uninstalled spyhunter and stuck with the paid version of malwarebytes. I also tried using the adwcleaner that is part of malwarebytes. It did not remove cleanserp either.  Here is a copy of adwcleaner log:


# AdwCleaner v6.047 - Logfile created 26/06/2017 at 20:11:25
# Updated on 19/05/2017 by Malwarebytes
# Database : 2017-06-26.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Dawn - DAWN
# Running from : C:\Users\Dawn\Desktop\adwcleaner_6.047.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support

***** [ Services ] *****

Service Found:  CouponPrinterService
Service Found:  couponprinterservice

***** [ Folders ] *****

Folder Found:  C:\Users\Dawn\AppData\Roaming\Enigma Software Group
Folder Found:  C:\Program Files\Enigma Software Group
Folder Found:  C:\sh4ldr
Folder Found:  C:\ProgramData\apn
Folder Found:  C:\ProgramData\Trymedia
Folder Found:  C:\ProgramData\Application Data\apn
Folder Found:  C:\ProgramData\Application Data\Trymedia
Folder Found:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Coupons
Folder Found:  C:\Program Files (x86)\Coupons
Folder Found:  C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pphnmcjolbjlahhdegnbnbhjbgnlceid

***** [ Files ] *****

No malicious files found.

***** [ DLL ] *****

No malicious DLLs found.

***** [ WMI ] *****

No malicious keys found.

***** [ Shortcuts ] *****

Shortcut infected:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk ( hxxps://launchpage.org/?uid=oTlCGGjMgxocXWGzMf4B590V%2F9qpTrFZc4fGn1E%2B5pZ0aM%2F3h8ZA1Q2Dclc4z2IsPyo%3D )
Shortcut infected:  C:\Users\Dawn\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk ( hxxps://launchpage.org/?uid=oTlCGGjMgxocXWGzMf4B590V%2F9qpTrFZc4fGn1E%2B5pZ0aM%2F3h8ZA1Q2Dclc4z2
Shortcut infected:  C:\Users\Dawn\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk ( hxxps://launchpage.org/?uid=oTlCGGjMgxocXWGzMf4B590V%2F9qpTrFZc4fGn1E%2B5pZ0aM%2F3h8ZA1Q2D

***** [ Scheduled Tasks ] *****

No malicious task found.

***** [ Registry ] *****

Key Found:  HKLM\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found:  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found:  HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
Key Found:  HKLM\SOFTWARE\Trymedia Systems
Key Found:  [x64] HKLM\SOFTWARE\EnigmaSoftwareGroup
Key Found:  HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\vosteran.com
Key Found:  [x64] HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\vosteran.com
Value Found:  [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32 [ApnTBMon]

***** [ Web browsers ] *****

No malicious Firefox based browser items found.
Chrome pref Found:  [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found:  [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found:  [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - cigiagpbkapepgklncnajbakkpkopmam
Chrome pref Found:  [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - majjphhgppkndjjkmhhnbgafooenebhd
Chrome pref Found:  [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - pphnmcjolbjlahhdegnbnbhjbgnlceid
Chrome pref Found:  [C:\Users\Dawn\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - hxxp://search.conduit.com/?gd=&ctid=CT3323128&octid=EB_ORIGINAL_CTID&ISID=M581E26EB-97CD-4193-9A71-63CD013A5EE7&Searc

[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]


C:\AdwCleaner\AdwCleaner[S0].txt - [3878 Bytes] - [26/06/2017 20:11:25]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3951 Bytes] ##########

This virus has attached itself to Internet Explorer, which I haven't used on this device in years. 


Link to post
Share on other sites

2 hours ago, daggma1107 said:

The free version found it and quarantined it, but wouldn't delete it.

If its quarantined, then it can no longer harm your system as those quarantined files are encrypted.

That being said, looks like you shortcuts to your browsers have been hijacked as well.  Its probably going to be best to seek help from our experts (all done for free) to get the computer all cleaned up.  This work is done in a special section of the forum.  Simply follow the instructions below to get started.

So, for expert assistance, I suggest that you please follow the advice in this pinned topic: Available Assistance For Possibly Infected Computers.

It explains the options for free, expert help -->>AND<<-- the suggested, preliminary steps to expedite the process.
A malware analyst will assist you with looking into your issue.

Thank you

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.