I've had these before, removed and back again

I'm pretty sure I know where these came from. I've done all the steps from two other Techs on here. My Malwarebytes Premium does not show these "potential malware". They showed up before and again today, using Malwarebytes AdwCleaner.

The only one I had before was PUP.Optional.Legacy. The others are new.

PUP.Optional.SweetPacks
PUP.Optional.Photor
PUP.Optional.Legacy
PUP.Optional.Bettersearch

AdwCleaner states it has removed all but "Not Deleted   HKU\S-1-5-21-171530419-2049931822-3861400332-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\zonemap\domains\favorit-network.com"

Of course, none of them have been permanently removed. Any help will be greatly appreciated.


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This could be a Syncing issue?

Are you Syncing Chrome with other devices?
To remove it you will have to reset the Sync in Chrome.

Read this article and proceed.

Chrome Secure Preferences detection always comes back
https://forums.malwarebytes.com/topic/214325-chrome-secure-preferences-detection-always-comes-back/

Restart the computer when completed.
<<<>>>

If the problem is again reported by Malwarebytes or AdwCleaner, please run this program.

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.
Click Attach this file.
Click the Add reply button.
===

Please post the logs  for my review.


Hi nasdaq, thank you for your help with this.

- This is not a syncing issue. I have nothing syncing with Chrome or with any other devices. 
- I read the article prior to the new thread. I've done everything on that page except for the very bottom. Malwarebytes Premium (it is current) will not allow me to type in those files. That is why I started the new thread.
 

FRST.txt

Addition.txt


Hello, Welcome to Malwarebytes.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

This will clean all your ZoneMaps.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.

Restart the computer normally.

===

p.s.
Do this community a favour.

Report this bad site to Malwarebytes.

# Support: https://www.malwarebytes.com/support

I'm sure that the site will be added to the next version of the program.

Or DO NOT RUN THIS FIX and report it now to Malwarebytes.
The new version will be released soon.

===

Let me know if the problem persists.

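Before merging a .reg file that wipes every ZoneMap entry, it helps to see what is actually in there and to keep a copy. The script below is an added example written for this thread; it is not part of nasdaq's fix and not a Malwarebytes tool. It lists every domain under the HKCU and HKLM ZoneMap Domains/EscDomains keys (the same keys fixme.reg deletes) together with the security zone each one is mapped to, flags entries placed in the Local Intranet or Trusted Sites zones, and exports both hives with reg.exe so the reset can be undone if needed. The HKU\S-1-5-21-...-1000 path AdwCleaner reported is the logged-on user's hive, which is the same data PowerShell sees under HKCU. Run it from an elevated PowerShell prompt; the output file names are my own choice.

```powershell
# Added example (not from the thread or from nasdaq): audit and back up the Internet Explorer
# ZoneMap entries that fixme.reg removes. Run from an elevated PowerShell prompt.

# Zone numbers used by urlmon: 0 = My Computer, 1 = Local Intranet, 2 = Trusted Sites,
# 3 = Internet, 4 = Restricted Sites. Adware typically adds its domains to zone 1 or 2.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
)

function Get-ZoneMapDomains {
    param([string[]]$Roots = $ZoneMapRoots)

    foreach ($root in $Roots) {
        $hive = if ($root -like 'HKCU:*') { 'HKCU' } else { 'HKLM' }
        foreach ($sub in 'Domains', 'EscDomains') {
            $base = Join-Path $root $sub
            if (-not (Test-Path $base)) { continue }

            # Strip the base key name so each entry reads like "example.com" or "example.com\www".
            $prefixLen = (Get-Item $base).Name.Length + 1

            # Each key under Domains is a domain; each subkey is a host prefix (e.g. "www").
            Get-ChildItem -Path $base -Recurse | ForEach-Object {
                $key = $_
                $relative = $key.Name.Substring($prefixLen)
                # Values inside the key are protocol names (http, https, *) mapped to a zone number.
                foreach ($valueName in $key.GetValueNames()) {
                    $raw  = $key.GetValue($valueName)
                    $zone = if ($raw -is [int]) { $raw } else { -1 }   # -1 marks a non-DWORD value
                    [pscustomobject]@{
                        Hive     = $hive
                        List     = $sub
                        Entry    = $relative
                        Protocol = if ($valueName) { $valueName } else { '(default)' }
                        Zone     = $zone
                        ZoneName = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'unknown' }
                    }
                }
            }
        }
    }
}

function Backup-ZoneMap {
    # Exports both ZoneMap keys with reg.exe; the resulting .reg files can be merged back later.
    param([string]$OutDir = (Join-Path $env:USERPROFILE 'Desktop'))
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $files = @()
    foreach ($pair in @(@('HKCU', 'HKEY_CURRENT_USER'), @('HKLM', 'HKEY_LOCAL_MACHINE'))) {
        $out = Join-Path $OutDir ("ZoneMap-backup-{0}-{1}.reg" -f $pair[0], $stamp)   # constructed file name
        $keyPath = "{0}\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" -f $pair[1]
        & reg.exe export $keyPath $out /y | Out-Null
        if ($LASTEXITCODE -eq 0) { $files += $out }
    }
    return $files
}

# Usage: review the entries first. Anything in Local Intranet (1) or Trusted Sites (2) that you
# did not add yourself is suspect. Then take the backup, and only after that merge fixme.reg.
$entries = Get-ZoneMapDomains
$entries | Sort-Object Hive, List, Entry | Format-Table Hive, List, Entry, Protocol, ZoneName -AutoSize

$suspect = $entries | Where-Object { $_.Zone -in 1, 2 }
if ($suspect) {
    Write-Host "Entries mapped to Local Intranet / Trusted Sites:"
    $suspect | Format-Table Hive, List, Entry, Protocol, ZoneName -AutoSize
}

Backup-ZoneMap | ForEach-Object { Write-Host "Backed up to $_" }
```

If the same unwanted domain comes back after the reset, the audit is worth re-running right after the next reboot and after the next browser start: whichever of those re-creates the entry points at where the persistence lives (a scheduled task, a startup item or a browser extension rather than the registry key itself), which is what the FRST logs requested above are meant to surface.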

Good day nasdaq,

I followed your instructions and when I went to merge this is what messages I received...

Registry Editor message: "Adding information can unintentionally change or delete values and cause components to stop working correctly. If you do not trust the source of this information in C:\name\Desktop\fixme.reg, do not add it to the registry. Are you sure you want to continue?" Answered Yes.

Registry Editor response? Cannot import C:\Users\name\Desktop\fixme.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.

What do I do next? Thanks.


Hi nasdaq, well it worked running it as an administrator. All of my scans were clean yesterday. However, I still couldn't open any of my files normally. I notice the "cmd" is still there when I double click on the folder I want to open. I was surprised when I did my scan for AdwCleaner this morning and all of the PUPS were detected again. I have attached yesterday's AdwCleaner scan, as well as, today's.

This morning was interesting to say the least. When I got to scanning HitmanPro, I noticed once again it said that the Farbar Recovery Tool was detected as potential malware. I had it quarantined since day 1. I decided since my scans yesterday were clean I would go ahead and delete it. Well, I couldn't do anything after that. I couldn't get access to the internet, couldn't complete a system restore (I tried 3x's). I tried everything, no go. I looked at the time of the HitmanPro scan and the time on the system restore. It looked like the time was not before the scan so I didn't use that date. I tried it anyway and the restore finally completed with no problem just as if I hadn't done anything. 

So now it seems I'm back to square 1.

BTW, I don't have any of these "Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed." Should I?

Adwcleaner scan for 7.24.txt

Adwcleaner scan for 7.23.txt


Hi

When I got to scanning HitmanPro, I noticed once again it said that the Farbar Recovery Tool was detected as potential malware. I had it quarantined since day 1

If the file was quarantined and you can possibly restore it.

If not Disable HitmanPro and download the file .

Enable HitmanPro when the download is completed.

Scan the computer with the Farbar program and post fresh FRST and Addition.txt logs for my review.


Run this program also.

  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED  
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.


=======

Hi nasdaq,

I misspoke, I didn't quarantine Farbar I just "ignored" it. Yes, I was able to 'system restore' and got everything back. 

I did everything you instructed me to do. However, when I tried to send this to you a message came up saying that there was wording that could mean malware and wouldn't let me send it. Do you want me to send the scans as an attached file?


FRST.txt

Addition.txt


  • Root Admin

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks

