How do I remove AdChoices?

Status
Not open for further replies.
Hi Gary,

Please run FRST and SystemLook on the original machine being worked on.

We can return to the Windows 7 Pro laptop later.

-------

I'm fairly confident I now know the source of this issue, but will wait until I see the two logs.
 
Hi Adam,
Here is the FRST reply:

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-12-2014 02
Ran by Gary at 2014-12-08 14:03:29 Run:3
Running from C:\Users\Gary\Documents\Desktop
Loaded Profile: Gary (Available profiles: Gary)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
HKLM-x32\...\Run: [] => [X]
CHR StartupUrls: Default -> "hxxp://search.iminent.com/", "hxxp://www.google.com/"
2014-12-02 14:53 - 2014-12-02 14:53 - 00000000 __SHD () C:\Users\Gary\AppData\Local\EmieBrowserModeList
2014-11-28 05:59 - 2014-11-28 06:12 - 00000213 _____ () C:\prefs.js
2014-11-28 05:59 - 2014-11-28 06:12 - 00000000 ____D () C:\searchplugins
2014-11-28 05:59 - 2014-11-28 05:59 - 00004688 _____ () C:\Windows\SysWOW64\LavasoftTcpService.ini
2014-11-28 05:59 - 2014-11-28 05:59 - 00002520 _____ () C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini
2014-11-28 05:59 - 2014-11-28 05:59 - 00002520 _____ () C:\Windows\system32\LavasoftTcpServiceOff.ini
2014-11-28 05:59 - 2014-11-28 05:59 - 00000000 ____D () C:\Users\Gary\AppData\Roaming\LavasoftStatistics
2014-11-28 05:59 - 2014-11-27 10:44 - 00358736 _____ (Lavasoft Limited) C:\Windows\system32\LavasoftTcpService64.dll
2014-11-28 05:59 - 2014-11-27 10:44 - 00312424 _____ (Lavasoft Limited) C:\Windows\SysWOW64\LavasoftTcpService.dll
CMD: ipconfig /flushdns
CMD: netsh winsock reset all
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
end
*****************

HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
Chrome StartupUrls deleted successfully.
C:\Users\Gary\AppData\Local\EmieBrowserModeList => Moved successfully.
C:\prefs.js => Moved successfully.
C:\searchplugins => Moved successfully.
C:\Windows\SysWOW64\LavasoftTcpService.ini => Moved successfully.
C:\Windows\SysWOW64\LavasoftTcpServiceOff.ini => Moved successfully.
C:\Windows\system32\LavasoftTcpServiceOff.ini => Moved successfully.
C:\Users\Gary\AppData\Roaming\LavasoftStatistics => Moved successfully.
C:\Windows\system32\LavasoftTcpService64.dll => Moved successfully.
C:\Windows\SysWOW64\LavasoftTcpService.dll => Moved successfully.

========= ipconfig /flushdns =========


Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========


========= netsh winsock reset all =========


Sucessfully reset the Winsock Catalog.
You must restart the computer in order to complete the reset.


========= End of CMD: =========


========= netsh int ipv4 reset =========

Reseting Global, OK!
Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========


========= netsh int ipv6 reset =========

Reseting Interface, OK!
Restart the computer to complete this action.


========= End of CMD: =========

EmptyTemp: => Removed 181.4 MB temporary data.


The system needed a reboot.

==== End of Fixlog ====
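The fixlist above moves the LavasoftTcpService DLLs and then runs `netsh winsock reset`, which is the right pairing when a Winsock provider DLL is being removed: a catalog entry left pointing at a deleted DLL breaks socket-using programs until the catalog is rebuilt. The following PowerShell is an added check, not code from the thread or from FRST: it parses `netsh winsock show catalog` output and flags entries whose DLL is missing or whose file metadata does not say Microsoft. The sample catalog text is constructed (placeholder GUIDs and description; field names follow the netsh layout on Windows 7, so verify against your own output).

```powershell
# Added example, not code from the thread. Parses `netsh winsock show catalog`
# and flags provider entries whose DLL is missing from disk (DANGLING) or whose
# version info does not name Microsoft (REVIEW). Layered Service Providers
# are marked because that is the entry type adware usually installs.
# Field names follow netsh output on Windows 7; verify against your own.

# Constructed sample, not a real capture: GUIDs and the second description are
# placeholders, and the second path is the DLL the FRST fix moved.
$SampleCatalog = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        (placeholder) third-party LSP
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\Windows\SysWOW64\LavasoftTcpService.dll
Catalog Entry ID:                   1025
'@

function Get-WinsockProviders {
    # Turn the "Key:   value" blocks of the catalog listing into objects.
    param([Parameter(Mandatory)][string]$CatalogText)
    $entries = @()
    $current = $null
    foreach ($line in ($CatalogText -split "`r?`n")) {
        if ($line -match '^Winsock Catalog Provider Entry') {
            if ($null -ne $current -and $current.Count -gt 0) { $entries += [pscustomobject]$current }
            $current = @{}
            continue
        }
        if ($null -ne $current -and $line -match '^\s*([^:]+?):\s+(.*\S)\s*$') {
            $current[$matches[1]] = $matches[2]
        }
    }
    if ($null -ne $current -and $current.Count -gt 0) { $entries += [pscustomobject]$current }
    return $entries
}

function Test-WinsockCatalog {
    # DANGLING = DLL gone but entry remains: run `netsh winsock reset`, reboot.
    # REVIEW   = DLL present but CompanyName is not Microsoft: identify it.
    param([Parameter(Mandatory)][string]$CatalogText)
    foreach ($e in (Get-WinsockProviders -CatalogText $CatalogText)) {
        $path    = [Environment]::ExpandEnvironmentVariables($e.'Provider Path')
        $status  = 'ok'
        $company = ''
        $sigStat = ''
        if (-not (Test-Path -LiteralPath $path)) {
            $status = 'DANGLING'
        } else {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            $sigStat = (Get-AuthenticodeSignature -LiteralPath $path).Status
            if ($company -notmatch 'Microsoft') { $status = 'REVIEW' }
        }
        if ($e.'Entry Type' -match 'Layered') { $status += ' (LSP)' }
        [pscustomobject]@{
            Status      = $status
            EntryId     = $e.'Catalog Entry ID'
            Description = $e.Description
            Path        = $path
            Company     = $company
            Signature   = $sigStat
        }
    }
}

# Sample run; on the affected machine feed it the live catalog instead:
#   Test-WinsockCatalog -CatalogText ((netsh winsock show catalog) -join "`n")
Test-WinsockCatalog -CatalogText $SampleCatalog | Format-Table -AutoSize
```

CompanyName is trivially spoofed, so it is a triage hint, not proof; the Signature column is there for the same reason, but note that on Windows 7 many system DLLs are catalog-signed and `Get-AuthenticodeSignature` can report them as NotSigned, so judge on the path and company first. Any DANGLING entry means the reset did not take effect yet (the Fixlog above says a reboot is required).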
 
Hi Adam,
Here is the SystemLook log:

SystemLook 30.07.11 by jpshortstuff
Log created at 14:13 on 08/12/2014 by Gary
Administrator - Elevation successful

========== filefind ==========

Searching for "*Iminent*"
No files found.

Searching for "*adchoices*"
C:\Users\Gary\Documents\Desktop\AdChoices.jpg --a---- 163487 bytes [16:34 08/12/2014] [16:34 08/12/2014] 4E0BEF4A0615614BB5836D34D8E1CD48

Searching for "*adpeak*"
No files found.

========== folderfind ==========

Searching for "*Iminent*"
No folders found.

Searching for "*adchoices*"
No folders found.

Searching for "*adpeak*"
No folders found.

========== regfind ==========

Searching for "{58124A0B-DC32-4180-9BFF-E0E21AE34026}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{58124A0B-DC32-4180-9BFF-E0E21AE34026}"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{58124A0B-DC32-4180-9BFF-E0E21AE34026}"="1"

Searching for "{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"="1"

Searching for "{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}"="1"

Searching for "Iminent"
No data found.

Searching for "adchoices"
No data found.

Searching for "adpeak"
No data found.

-= EOF =-
 
Hi Gary,

This is what I'd like you to do next.

Reg Fix
  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
    "{58124A0B-DC32-4180-9BFF-E0E21AE34026}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
    "{58124A0B-DC32-4180-9BFF-E0E21AE34026}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
    "{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
    "{977AE9CC-AF83-45E8-9E03-E2798216E2D5}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
    "{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
    "{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}"=-
  • Click Format. Ensure Wordwrap is unchecked.
  • Click File, Save As and name the file regfix.reg.
  • Select All Files as the Save as type.
  • Save the file to your Desktop.
  • Locate regfix.reg on your Desktop. Right-click the file and click Merge with the Registry.
  • Accept any prompts.
  • Reboot your computer for the changes to take effect.

Stop and Clear Chrome
  • Press the Windows key + r on your keyboard at the same time.
  • Type chrome --incognito and click OK.
  • Click Customize and control Google Chrome in the top right corner.
  • In the dropdown list click Tools, followed by Clear browsing data....
  • In the Obliterate the following items from: dropdown list click the beginning of time.
  • Ensure only the following items are checked:
    • Browsing history
    • Download history
    • Cookies and other site and plug-in data
    • Cached images and files
  • Click Clear browsing data.
  • Close Chrome.
  • Launch a web browser other than Chrome (eg. Mozilla Firefox, Internet Explorer, etc).
  • Click https://www.google.com/settings/chrome/sync to launch this page.
  • If necessary, sign into your Google account.
  • Click Stop and Clear, followed by OK.
  • Return to Chrome. Click Customize and control Google Chrome in the top right corner.
  • Click Sign into Chrome....
  • After you've signed into Chrome, click Customize and control Google Chrome in the top right corner once more.
  • Click Settings.
  • Click Advanced sync settings.
  • Click Use default settings.
  • Click OK, sync everything.
  • Click https://www.google.com/settings/chrome/sync to launch this page.
  • To the right of Stop and Clear verify the Last time synced shows it was just done.
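The Reg Fix above deletes three CLSID values from the two Policies\Ext\CLSID keys that SystemLook found (the location Internet Explorer's Add-on List policy writes to; a data value of 1 is that policy's "enabled" setting). The thread does not say which add-ons those CLSIDs belong to. The PowerShell below is an added example, not part of the thread and not a substitute for the .reg file: it lists every CLSID in those keys with whatever name is registered for it under HKCR\CLSID so you can see what is being forced on, and only deletes the three CLSIDs from the log when run with -Remove, after exporting a backup you can re-merge. The backup filename and the elevated-prompt requirement are this script's own choices.

```powershell
# Added example, not code from the thread. Audits the IE Add-on List policy
# keys and, with -Remove, deletes the three CLSIDs from the SystemLook log
# after writing a .reg backup to the Desktop. Run from an elevated prompt.
param([switch]$Remove)

# CLSIDs exactly as they appear in the SystemLook regfind output.
$Targets = @(
    '{58124A0B-DC32-4180-9BFF-E0E21AE34026}',
    '{977AE9CC-AF83-45E8-9E03-E2798216E2D5}',
    '{A09AB6EB-31B5-454C-97EC-9B294D92EE2A}'
)
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
)

function Get-ClsidInfo {
    # Friendly name and in-process server DLL registered for a CLSID,
    # 64-bit view first, then the 32-bit (Wow6432Node) view.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $key = "$root\$Clsid"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $name   = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        $server = (Get-ItemProperty -LiteralPath "$key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        return [pscustomobject]@{ Name = $name; Server = $server }
    }
    return [pscustomobject]@{ Name = '(not registered)'; Server = '' }
}

# 1. Audit: list everything the policy keys contain, marking the targets.
foreach ($key in $PolicyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { Write-Host "absent: $key"; continue }
    Write-Host "`n$key"
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }   # skip PSPath etc.
        $info = Get-ClsidInfo -Clsid $p.Name
        $tag  = if ($Targets -contains $p.Name) { 'TARGET' } else { '      ' }
        '{0} {1} = {2}  name="{3}"  server="{4}"' -f $tag, $p.Name, $p.Value, $info.Name, $info.Server
    }
}

# 2. Removal: only with -Remove, and only after a .reg export of each key.
if ($Remove) {
    $i = 0
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $i++
        $backup = Join-Path $env:USERPROFILE "Desktop\Ext-CLSID-backup-$i.reg"
        & reg.exe export ($key -replace '^HKLM:\\', 'HKLM\') $backup /y | Out-Null
        Write-Host "backup written: $backup"
        foreach ($clsid in $Targets) {
            Remove-ItemProperty -LiteralPath $key -Name $clsid -ErrorAction SilentlyContinue -Verbose
        }
    }
    Write-Host 'Reboot for Internet Explorer to pick up the change.'
}
```

Run it once without -Remove and read the name and server columns before deleting anything: a CLSID with no registration left behind is harmless policy residue, while one whose server DLL still exists tells you what else to look for on disk.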
 
Hi Gary,

This is certainly a strange case.
Let's continue troubleshooting.

  • Click Start, Control Panel, and finally User Accounts.
  • Click Manage Another Account.
  • Click Create a new account.
  • Type Test as the User name and click Next.
  • Select Computer administrator and click Create Account.
  • Close the User Accounts window.
  • Reboot your computer.
  • Login as Test.
  • Check for the issue.
 
Hi Gary,

The ads are native to the sites you're visiting.
I've just visited the site from the image you posted earlier. With my AdBlocker disabled and third party cookies enabled, I also saw the AdChoices ad.

--------------------------

Please ensure you complete each step, and in the order specified.

Install SpywareBlaster to block Doubleclick
https://www.brightfort.com/spywareblaster.html
Update the programme and enable all protection.


CCleaner
  • Open CCleaner and click Options.
  • Click Settings. Ensure Run CCleaner when the computer starts is unchecked.
  • Click Monitoring. Ensure Enable system monitoring is unchecked.
  • Click Cookies. In the left column, scroll through the list and check for sites you regularly visit/recognise.
  • Click these sites followed by -> to move the site into the right column.
  • Click Cleaner. Under Internet Explorer, ensure all options excluding Saved Passwords are checked.
  • Click Applications. Under Chrome, ensure all options excluding the last three are checked.
  • Click Run Cleaner.
  • Close the programme upon completion.

Install AdBlock
https://adblockplus.org/
Close and reopen Chrome after installation.


Chrome Settings
  • Open Chrome and type chrome://settings/ in the URL bar.
  • Scroll down and click Show advanced settings....
  • Under Privacy, click Content Settings.
  • Place a checkmark next to Block third-party cookies and site data. Leave Allow local data to be set (recommended) checked.
  • Click Done.
 
YES!!!!!!!!!!!!!!!! Adam, you are tenacious and amazing! THANK YOU! THANK YOU! THANK YOU!

No wonder we couldn't get it off my machine! It wasn't on it! The solution works on both machines.

All the best,
Gary
 
Hi Gary,

I'm pleased to hear. :)

The solution works on both machines.
Your other machine is still infected with adware/undesirable software, so if you would like that to be looked at, please create a new topic.

--------------------

Let's update your vulnerable software to reduce the risk of infection.
This is for the machine we've been working on.

STEP 1
Update Outdated Software

Outdated software contains security risks that must be patched. Please download and install the latest version of the programmes below.


STEP 2
Remove Outdated Software
  • Press the Windows Key + r on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall one at a time.
  • Note: The programmes below may not be present. If this is the case, please skip to the next step.
    • Adobe Reader X (10.1.12)
    • Java 7 Update 71
  • Follow the prompts and reboot if necessary.

STEP 3
Disable Java in Your Browser
Due to frequent exploits we recommend you disable Java in your browser.
For information on Java vulnerabilities, please read the following article (point #7).
  • Click the Windows Start Button and type Java Control Panel (or javacpl) in the search bar.
  • Click on the Java Control Panel. Once opened, click the Security tab.
  • Deselect the check box for Enable Java content in the browser. This will disable the Java plug-in in the browser.
  • Click Apply. When the Windows User Account Control (UAC) appears, allow permissions to make the changes.
  • Click OK in the Java Plug-in confirmation window.
  • Restart your browser(s) for changes to take effect.
  • More information can be found here and here.

STEP 4
Security Check
  • Please download SecurityCheck and save the file to your desktop.
  • Double-click SecurityCheck.exe and follow the onscreen instructions inside the black box.
  • A log (checkup.txt) will automatically open on your desktop.
  • Copy the contents of the log and paste in your next reply.

======================================================

STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.
  • checkup.txt
  • How is your computer performing? Are there any outstanding issues?
 
Hi Adam,
For laptop #1
In step 2, I did not remove Adobe Reader X (10.1.12) because I had already updated it to Adobe Reader XI.
In step 3 I could not disable Java because I had already removed it in Step 2.

Here is checkup.txt:

Results of screen317's Security Check version 0.99.91
Windows 7 Service Pack 1 x64 (UAC is enabled)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
SpywareBlaster 5.0
Spybot - Search & Destroy
Adobe Reader XI
Google Chrome (39.0.2171.71)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
Spybot Teatimer.exe is disabled!
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 4%
````````````````````End of Log``````````````````````


Best regards,
Gary
 
Hi Adam,
For Laptop 2

Results of screen317's Security Check version 0.99.91
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Internet Explorer 11
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
MVPS Hosts File
SpywareBlaster 5.0
Spybot - Search & Destroy
CCleaner
Java 8 Update 25
Java version 32-bit out of Date!
Adobe Flash Player 14.0.0.145 Flash Player out of Date!
Adobe Reader 9
Adobe Reader XI
Google Chrome 37.0.2062.124 Google Chrome out of date!
````````Process Check: objlist.exe by Laurent````````
Windows Defender MSMpEng.exe
Spybot Teatimer.exe is disabled!
Microsoft Security Client Antimalware MsMpEng.exe
Microsoft Security Client Antimalware NisSrv.exe
Microsoft Security Client Antimalware MpCmdRun.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


I got a little confused with the instructions for Laptop #1 but I'm ok now. Java is updated and disabled properly, etc.

Laptop 1 is running fine, but laptop 2 is pretty slow but it's an old Dell Inspiron 1501 anyway. I ran Spybot on it. We'll see if it's better and I will report back.

Best regards,
Gary
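The two checkup.txt logs above carry the actionable information in a handful of line patterns (the "UAC is disabled!" flag in the OS line, the "out of Date!" suffixes, a second Adobe Reader entry, a Java install line). The PowerShell below is an added example, not part of the thread or of SecurityCheck itself: it turns a checkup.txt into a severity-sorted list of findings so nothing like the Laptop 2 results gets missed. The sample log is a constructed excerpt modelled on the Laptop 2 output, and the severity ratings are this script's own.

```powershell
# Added example, not code from the thread. Triage a SecurityCheck checkup.txt
# into findings. $SampleLog is a constructed excerpt mirroring the Laptop 2
# log above; the patterns are the ones SecurityCheck 0.99.91 printed there.
$SampleLog = @'
Windows 7 Service Pack 1 x86 (UAC is disabled!)
Windows Firewall Enabled!
Microsoft Security Essentials
Antivirus up to date!
Java 8 Update 25
Java version 32-bit out of Date!
Adobe Flash Player 14.0.0.145 Flash Player out of Date!
Adobe Reader 9
Adobe Reader XI
Google Chrome 37.0.2062.124 Google Chrome out of date!
Spybot Teatimer.exe is disabled!
'@

function Get-SecurityCheckFindings {
    param([Parameter(Mandatory)][string]$LogText)
    $findings      = New-Object System.Collections.Generic.List[object]
    $readers       = New-Object System.Collections.Generic.List[string]
    $javaInstalled = $false

    foreach ($raw in ($LogText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }

        if ($line -match 'UAC is disabled') {
            $findings.Add([pscustomobject]@{ Severity = 'high'; Item = 'UAC';
                Detail = 'User Account Control is off; re-enable it (DelFix "Activate UAC" does this too)' })
        }
        elseif ($line -match '^(?<product>.+?)\s+out of [Dd]ate!$') {
            # SecurityCheck repeats the product name in these lines; keep the whole prefix.
            $findings.Add([pscustomobject]@{ Severity = 'high'; Item = $matches.product;
                Detail = 'update to the current version or uninstall' })
        }
        elseif ($line -match '^Java \d+ Update \d+') {
            $javaInstalled = $true
        }
        elseif ($line -match '^Adobe Reader\s+(\S+)$') {
            $readers.Add($matches[1])
        }
        elseif ($line -match 'Teatimer\.exe is disabled') {
            $findings.Add([pscustomobject]@{ Severity = 'low'; Item = 'Spybot TeaTimer';
                Detail = 'real-time component disabled' })
        }
    }

    if ($javaInstalled) {
        $findings.Add([pscustomobject]@{ Severity = 'medium'; Item = 'Java';
            Detail = 'installed; disable the browser plug-in (Java Control Panel > Security) unless needed' })
    }
    if ($readers.Count -gt 1) {
        $findings.Add([pscustomobject]@{ Severity = 'medium'; Item = 'Adobe Reader';
            Detail = "multiple versions installed ($($readers -join ', ')); uninstall the older one" })
    }

    $order = @{ high = 0; medium = 1; low = 2 }
    return $findings | Sort-Object { $order[$_.Severity] }, Item
}

# Sample run; for a real log use:
#   Get-SecurityCheckFindings -LogText (Get-Content -Raw "$env:USERPROFILE\Desktop\checkup.txt")
Get-SecurityCheckFindings -LogText $SampleLog | Format-Table -AutoSize
```

Against the constructed sample this yields four high findings (UAC, Java 32-bit, Flash Player, Google Chrome), two medium (Java present, two Adobe Reader versions) and one low (TeaTimer), which is the same picture the thread draws for Laptop 2 by hand. `Get-Content -Raw` needs PowerShell 3.0 or later; on 2.0 use `(Get-Content $path) -join "`n"`.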
 
Hi Gary,

The instructions in my previous post were for laptop #1.
Laptop #2 is still infected. If you wish to clean laptop #2, please create a new topic and provide the requested logs.

----------------

At this point, we should be good to close this one out.


All Clean!
Congratulations, your computer appears clean!
I no longer see signs of malware on your computer, and feel satisfied that our work here is done. The steps below will remove the tools we have used, and reset any settings changed. I have also provided a list of resources and tools that you may find useful.

STEP 1
ComboFix Uninstall
  • Press the Windows Key + r on your keyboard at the same time. Type the following text into the Run box:

    ComboFix /Uninstall
  • Click OK.
  • Note: It may appear as if Combofix is installing. This is not the case; the programme is uninstalling. Please do not interrupt the process.

STEP 2
DelFix
  • Please download DelFix and save the file to your Desktop.
  • Double-click DelFix.exe to run the programme.
  • Place a checkmark next to the following items:
    • Activate UAC
    • Remove disinfection tools
    • Create registry backup
    • Purge system restore
    • Reset system settings
  • Click the Run button.

-- This will remove the specialised tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).

======================================================

Below I have compiled a list of resources you may find useful. The articles document information on computer security, common infection vectors and how you can stay safe on the Internet.


The following programmes come highly recommended in the security community.

  • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
  • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
  • Sandboxie isolates programmes of your choice, preventing files from writing to your HDD unless you approve the file.
  • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
  • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
  • Unchecky automatically removes checkmarks for additional software in programme installers, helping you avoid adware and PUPs.
  • Web of Trust (WOT) is a browser add-on designed to alert the user before interacting with a potentially malicious website.

-- Please feel free to ask if you have any questions or concerns on computer security or the programmes above.

======================================================

Please confirm you have no outstanding issues, and are happy with the state of your computer. Once I have confirmation things are in order, we can wrap things up and I will close this thread.

Thank you for using Safer Networking.

Safe Surfing,
Adam
 