BruceP

BROWSEFOX


Hi Bruce,

 

Please, save AdwCleaner by Xplode on the desktop: https://toolslib.net/downloads/viewdownload/1-adwcleaner/

Turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Log file button.
A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it's available as C:\AdwCleaner\AdwCleaner[R0].txt.


Wow! When I tried to reply, the mailer daemon said that the email address doesn't exist. I'm trying to post to this forum right now, but the adware is blocking all attempts I make to stay on this website long enough to submit the file. This is ridiculous. I got this message through on another computer.


Also, on the computer that is infected, somehow it has blocked my ability to have permission to access the rest of my network so I cannot move the file over to this machine and send it to you. Any ideas on how to get you the requested information? The external drive I'm trying to write to is shared with all permissions granted to everyone. All other computers can write or read to or from the drive.


Do you have a Flash Drive (thumb drive) or a rewriteable CD/DVD disc that you can move between the computers?

Or can you paste the content of the files on http://pastebin.com/ or upload the files to a file sharing site (e.g. OneDrive) with one of your browsers?

 

You can start with this fix that removes some pieces of the infection and see if you can do more afterwards:

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostAppUpdater.exe
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
() C:\Program Files (x86)\snipsmart\bin\snipsmart.expext.exe
() C:\Program Files (x86)\snipsmart\bin\snipsmart.Plinx.exe
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceHostApp.exe
(Pokki) C:\Users\Bruce\AppData\Local\SweetLabs App Platform\Engine\ServiceStartMenuIndexer.exe
ProxyServer: [S-1-5-21-49056582-2604055794-1413308269-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF user.js: detected! => C:\Users\Bruce\AppData\Roaming\Mozilla\Firefox\Profiles\4nhdq2q7.default\user.js [2016-04-12]
CHR Extension: (snipsmart) - C:\Users\Bruce\AppData\Local\Google\Chrome\User Data\Default\Extensions\dolmieohajibablnfnfapnocdcdggijm [2016-04-02] [UpdateUrl: hxxp://wwwsnipsmartinfo-a.akamaihd.net/update/chrome] <==== ATTENTION
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
R2 Update snipsmart; C:\Program Files (x86)\snipsmart\updatesnipsmart.exe [650952 2016-04-11] ()
R2 Util snipsmart; C:\Program Files (x86)\snipsmart\bin\utilsnipsmart.exe [650952 2016-04-11] ()
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply, if possible.

 

Try to use AdwCleaner.


You're supposed to reply here in the forum, not in a mail.

 

If you haven't followed my previous post yet, you don't need to do that.

 

1. Please, turn off all programs, including browsers.
Double-click on AdwCleaner to start the program.

Click on the Scan button.
Wait until the search has finished.

Click on the Clean button.

Click on OK.
Click on OK on any message that pops up.
The computer will be restarted.

A report will be displayed, copy its content and paste into your reply.
If the report isn't displayed, it exists as C:\AdwCleaner\AdwCleaner[s0].txt

 

2. Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Deselect Remove found threats (important due to false positives).

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology

Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

 

 

3. Start FRST.

Select Addition.txt.

Let the program scan and attach the two new log files.


Please, start the FRST program that you used before starting this topic.


Hi Cecilia,

 

Sorry for trying to reply to your email. When you said include the file in your reply, I thought that is what you meant.

 

After performing step 1 of your reply, a logfile was created called AdwCleaner[C1].txt. The one with [s0] was not created. There were, however, two files with an S in the square brackets, namely 1 & 2. Since I have three files and not one of them is named what you requested, I will include all three.

 

I will begin step 2 now.

AdwCleanerC1.txt

AdwCleanerS1.txt

AdwCleanerS2.txt


Hi Bruce,

 

No need to apologize, I know it isn't easy to know how this forum works :)

 

Sorry, my mistake, I meant AdwCleanerC1.txt.

 

Please, continue with steps 2 and 3.


Hi Bruce,

1. Did you select Addition.txt after starting FRST program?
Please, try again.


2. From Eset's log file:
C:\Users\Bruce\Downloads\Firefox.exe Win32/OutBrowse.BK potentially unwanted application

Did you download Firefox from another website than the official one?


3. The following script will delete everything in the recycle bins and folders for temporary files. Please, check that you don't have anything you want to keep in those locations.

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION
ProxyServer: [S-1-5-21-49056582-2604055794-1413308269-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897
RemoveProxy:
FF user.js: detected! => C:\Users\Bruce\AppData\Roaming\Mozilla\Firefox\Profiles\4nhdq2q7.default\user.js [2016-04-13]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ohhcpmplhhiiaoiddkfboafbhiknefdf] - hxxps://clients2.google.com/service/update2/crx
U2 TMAgent; no ImagePath
2016-04-09 18:03 - 2016-04-09 18:03 - 00772016 _____ (Reimage®) C:\Users\Bruce\Downloads\ReimageRepair.exe
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
EmptyTemp:
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.


4. Since there are pieces of Symantec/Norton in the logs, I suggest that you run "Norton Removal Tool" to remove the left-overs.


Hi Cecilia,

 

1. I finally found the check box for Addition.txt in the FRST window. Please find it attached.

 

2. I don't know where I got Firefox anymore. I do remember attempting to make sure it was genuine though. They are pretty crafty. Anyway it doesn't really matter because I have noticed that the only browser that runs well in W10 is their new e Browser. So no problem getting rid of the firefox browser.

 

3. Starting on instructions from 3.

Addition.txt


I also noticed that the Firefox installation date was on like 4/9/2016. I didn't install it this month I guarantee that.


1. Fixlog.txt looks good.

 

 

2. The other browsers usually work well in Windows 10, too.

 

 

3. Only a few items to remove that I found in Addition.txt.

 

Please, start Notepad.
Copy all text that is in the box:

CreateRestorePoint:
CloseProcesses:
AlternateDataStreams: C:\Windows:CM_89c07002dadf5991f79468c90f37e2533d020b70e8e1912a4856e84326c08211 [74]
AlternateDataStreams: C:\Windows:CM_9857127c368ba16c1f274bd4bf1d16fff75f690c8aae941604d58b4b7d00c937 [74]
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\localhost -> localhost
IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\trendmicro.com -> hxxps://pwm.trendmicro.com
IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\webcompanion.com -> hxxp://webcompanion.com
Reboot:
and paste in Notepad. Check that no files have been split on two lines.
Save the file as fixlist.txt on the desktop.

Exit all programs.
Start FRST, please.
Click the Fix button.
Wait until the tool has finished.

It creates a log file, called Fixlog.txt, on the desktop.
Please, paste the content of that file in your reply.

 

 

4. Any signs of browsefox, other adware or malware now?

If no, I'll give you the instruction for how to uninstall AdwCleaner and FRST.

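The three FRST fixlists in this thread all target the same handful of indicator types: a system proxy pointed at 127.0.0.1, a Firefox user.js and no_proxies_on override, Chrome extensions pushed through HKLM policy keys, a Group Policy lock on Chrome, a service with no ImagePath, alternate data streams under C:\Windows, and extra IE trusted sites. Added here as an example (not code from the thread, from CeciliaB, or from FRST itself) is a small Python triage script that scans FRST-style log lines for exactly those indicator types; the rule patterns and their reason strings are this example's own, and the sample input is the thread's quoted lines plus two constructed benign lines that must not match.

```python
import re

# Constructed sample: FRST lines quoted in this thread's fixlists, plus two
# constructed benign lines (the IE localhost entry and ExampleSvc) that must not match.
SAMPLE = r"""
ProxyServer: [S-1-5-21-49056582-2604055794-1413308269-1001] => http=127.0.0.1:49897;https=127.0.0.1:49897
FF NetworkProxy: "no_proxies_on", "https://localhost, localhost, 127.0.0.1"
FF user.js: detected! => C:\Users\Bruce\AppData\Roaming\Mozilla\Firefox\Profiles\4nhdq2q7.default\user.js [2016-04-13]
CHR HKLM\...\Chrome\Extension: [iikflkcanblccfahdhdonehdalibjnif] - hxxps://clients2.google.com/service/update2/crx
GroupPolicy: Restriction - Chrome <======= ATTENTION
U2 TMAgent; no ImagePath
AlternateDataStreams: C:\Windows:CM_89c07002dadf5991f79468c90f37e2533d020b70e8e1912a4856e84326c08211 [74]
IE trusted site: HKU\.DEFAULT\...\webcompanion.com -> hxxp://webcompanion.com
IE trusted site: HKU\S-1-5-21-49056582-2604055794-1413308269-1001\...\localhost -> localhost
R2 Update snipsmart; C:\Program Files (x86)\snipsmart\updatesnipsmart.exe [650952 2016-04-11] ()
R2 ExampleSvc; C:\Windows\System32\example.exe [12345 2016-04-11] (Example Vendor)
"""

# (pattern, why it matters) pairs written for this example; first match wins per line.
RULES = [
    (r"^ProxyServer:.*=>.*(127\.0\.0\.1|localhost)", "system proxy points at a loopback interceptor"),
    (r'^FF NetworkProxy: "no_proxies_on"', "Firefox proxy bypass list written (pairs with loopback proxy)"),
    (r"^FF user\.js: detected!", "Firefox user.js re-applies prefs on every start, overriding the UI"),
    (r"^CHR HKLM(-x32)?\\.*\\Chrome\\Extension:", "Chrome extension force-installed via machine policy key"),
    (r"^(GroupPolicy: Restriction|CHR HKLM\\SOFTWARE\\Policies\\Google)", "browser locked by Group Policy"),
    (r"^[RSU]\d .*; no ImagePath$", "service registered with no binary (orphaned remnant)"),
    (r"^AlternateDataStreams:", "data hidden in an NTFS alternate data stream"),
    (r"^IE trusted site: .*-> (?!localhost$)", "non-local domain added to IE Trusted Sites zone"),
    (r"^[RSU]\d .*\] \(\)$", "service binary has no publisher signature"),
]
COMPILED = [(re.compile(p), why) for p, why in RULES]

def triage(text):
    """Return (line, reason) for every FRST-style line that matches a rule."""
    findings = []
    for line in text.strip().splitlines():
        for pattern, reason in COMPILED:
            if pattern.search(line):
                findings.append((line, reason))
                break  # one reason per line is enough for triage
    return findings

if __name__ == "__main__":
    for line, reason in triage(SAMPLE):
        print(f"[!] {reason}\n    {line[:100]}")
```

Lines that match are candidates for a fixlist, not a verdict: a localhost trusted-site entry or a signed service binary is left alone, which is why the two benign sample lines produce no finding.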

OK, so surfing with Chrome, a few minutes ago, a new tab came up with an opportunity for W10 PC repair. They show logos from Microsoft, McAfee, and Norton. I'm pretty sure it's an invite into the Adware spider's lair. Any comments?


If you mean that it was only a single web site that created the new tab with W10 PC repair, it may have been an ad on that web site.

You didn't attach FRST.txt but Fixlog.txt again.


I see that you recently have installed a Chrome Extension called ShopAtHome.com and that extension is probably adware. Please, uninstall it: https://support.google.com/chrome_webstore/answer/2664769?hl=en

 

Did that help?

 

 

In Firefox, please check this Firefox configuration: https://support.mozilla.org/en-US/kb/advanced-panel-settings-in-firefox?redirectlocale=en-US&redirectslug=advanced-settings-browsing-network-updates-encryption#w_network-tab

Options - Advanced - Network

Settings for Connection

There should be only one entry in the field No Proxy For, and select either No proxy or Use system proxy settings.
