
Thread: MySafeSavings :(

  1. #11
    Junior Member
    Join Date
    Jun 2016
    Posts
    10

    AdwCleaner results

    # AdwCleaner v5.200 - Logfile created 26/06/2016 at 19:31:26
    # Updated 14/06/2016 by ToolsLib
    # Database : 2016-06-26.1 [Server]
    # Operating system : Windows 10 Home (X64)
    # Username : oldman - EUSTACE
    # Running from : C:\Users\oldman\Desktop\AdwCleaner.exe
    # Option : Clean
    # Support : https://toolslib.net/forum

    ***** [ Services ] *****


    ***** [ Folders ] *****

    [-] Folder Deleted : C:\Program Files (x86)\PCAPDownloader
    [-] Folder Deleted : C:\Users\oldman\AppData\Local\YSearchUtil
    [-] Folder Deleted : C:\extensions

    ***** [ Files ] *****


    ***** [ DLLs ] *****


    ***** [ WMI ] *****


    ***** [ Shortcuts ] *****


    ***** [ Scheduled tasks ] *****


    ***** [ Registry ] *****

    [-] Key Deleted : HKCU\Software\Google\Chrome\Extensions\fcfenmboojpjinhpgggodefccipikbpd
    [-] Key Deleted : HKCU\Software\distromatic
    [-] Key Deleted : HKCU\Software\InSTab
    [-] Key Deleted : HKCU\Software\ACPTab
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
    [-] Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{AFBCB7E0-F91A-4951-9F31-58FEE57A25C4}
    [-] Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}

    ***** [ Web browsers ] *****

    [-] [C:\Users\oldman\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
    [-] [C:\Users\oldman\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
    [-] [C:\Users\oldman\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask

    *************************

    :: "Tracing" keys deleted
    :: Winsock settings cleared

    *************************

    C:\AdwCleaner\AdwCleaner[C1].txt - [1763 bytes] - [26/06/2016 19:31:26]
    C:\AdwCleaner\AdwCleaner[S2].txt - [2294 bytes] - [26/06/2016 19:26:45]

    ########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1909 bytes] ##########

  2. #12
    Junior Member
    Join Date
    Jun 2016
    Posts
    10

    JRT results

    good deal, we're moving forward.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Malwarebytes
    Version: 8.0.6 (04.25.2016)
    Operating System: Windows 10 Home x64
    Ran by oldman (Administrator) on Sun 06/26/2016 at 19:46:10.32
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    File System: 1

    Successfully deleted: C:\WINDOWS\wininit.ini (File)



    Registry: 2

    Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{D4851797-432A-43B3-913A-341A8F5ED069} (Registry Key)
    Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{D4851797-432A-43B3-913A-341A8F5ED069} (Registry Key)




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Sun 06/26/2016 at 19:51:57.49
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  3. #13
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:
    To do this highlight the contents of the box and right click on it and select copy.
    Paste this into the open Notepad. Save it to the Desktop as fixlist.txt
    NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
    It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)





    start
    CreateRestorePoint:
    CloseProcesses:
    R2 smass;
    C:\ProgramData\Microsoft\Windows\WindowsAccManager\smass.exe
    CHR NewTab: Default -> "chrome-extension://ejbdobdndcjhdmljipngpeoekdinlohe/homePageRedirect.html"
    EmptyTemp:
    Hosts:
    End

    Open FRST/FRST64 and press the > Fix < button just once and wait.
    If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
    When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

    *******************

    Please download the Malwarebytes Anti-Malware setup file to your Desktop.

    OR from this location Malwarebytes' Anti-Malware

    • Open mbam-setup.x.x.xxxx.exe (x represents the version #) and follow the prompts to install the programme.
    • On the Dashboard click on Update Now
    • Go to the Setting Tab
    • Under Setting go to Detection and Protection
    • Under PUP and PUM make sure both are set to show Treat Detections as Malware
    • Go to Advanced setting and make sure Automatically Quarantine Detected Items is checked
    • Then on the Dashboard click on Scan
    • Make sure to select THREAT SCAN
    • Then click on Scan
    • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards.
    • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
    • Upon completion of the scan (or after the reboot), click the History tab.
    • Click Application Logs, followed by the first Scan Log.
    • Click Export, followed by Copy to Clipboard. Paste the log in your next reply.


    ~~~~~~~~~~~~~~~~~~~~

    What we can do now is run an online scan with Eset, a good trusted scanner, reliable and thorough.
    The settings I suggest will show us items located in quarantine folders so don't be alarmed with this, also, in case of a false positive I ask that you not allow it to delete what it does find.
    This scanner can take quite a bit of time to run, depending of course how full your computer is.



    ESET Online Scan
    Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

    Go here and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.
    • You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
    • Double-click on esetonlinescanner_enu.exe to install and a new window will open.
      Follow the prompts.
    • Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
    • At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
    • When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
    • Tick the option Enable detection of potentially unwanted applications
    • Click on Advanced settings
    • Make sure that the option Clean threats automatically is unticked.
    • Ensure these options are ticked:
        • Enable detection of potentially unsafe applications
        • Enable detection of suspicious applications
        • Scan archives
        • Enable Anti-Stealth technology
    • Click Scan
    • Wait for the scan to finish.
    • When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Please copy/paste the contents of the log in your next reply.
    • To close ESET Online Scanner, select Do not clean then Finish


    ***************

    Please post these 3 logs when finished.

    Also please update me on how the computer is now..

    Having a bit of thunder storms here, might be in the morning before I can check back.
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.

  4. #14
    Junior Member
    Join Date
    Jun 2016
    Posts
    10

    FRST64 fixlog/Malbytes

    Fix result of Farbar Recovery Scan Tool (x64) Version: 26-06-2016 02
    Ran by oldman (2016-06-26 21:02:53) Run:2
    Running from C:\Users\oldman\Desktop
    Loaded Profiles: oldman (Available Profiles: oldman)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    start
    CreateRestorePoint:
    CloseProcesses:
    R2 smass;
    C:\ProgramData\Microsoft\Windows\WindowsAccManager\smass.exe
    CHR NewTab: Default -> "chrome-extension://ejbdobdndcjhdmljipngpeoekdinlohe/homePageRedirect.html"
    EmptyTemp:
    Hosts:
    End
    *****************

    Restore point was successfully created.
    Processes closed successfully.
    smass => Unable to stop service.
    smass => service removed successfully
    Could not move "C:\ProgramData\Microsoft\Windows\WindowsAccManager\smass.exe" => Scheduled to move on reboot.
    Chrome NewTab => removed successfully
    C:\Windows\System32\Drivers\etc\hosts => moved successfully
    Hosts restored successfully.

    =========== EmptyTemp: ==========

    BITS transfer queue => 0 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 10935030 B
    Java, Flash, Steam htmlcache => 0 B
    Windows/system/drivers => 11184682 B
    Edge => 0 B
    Chrome => 0 B
    Firefox => 19865402 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 5181890 B
    NetworkService => 0 B
    oldman => 7715610 B

    RecycleBin => 3703806 B
    EmptyTemp: => 55.9 MB temporary data Removed.

    ================================

    Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2016-06-26 21:05:00)

    C:\ProgramData\Microsoft\Windows\WindowsAccManager\smass.exe => Is moved successfully

    ==== End of Fixlog 21:05:01 ====

    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Scan Date: 6/26/2016
    Scan Time: 9:17 PM
    Logfile: Malbytes scan export.txt
    Administrator: Yes

    Version: 2.2.1.1043
    Malware Database: v2016.06.26.05
    Rootkit Database: v2016.05.27.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled

    OS: Windows 10
    CPU: x64
    File System: NTFS
    User: oldman

    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 343812
    Time Elapsed: 44 min, 15 sec

    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 1
    PUP.Optional.MySafeSavings, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MySafeSavings, Quarantined, [6c216998c2d80d29bcbb40b016ed04fc],

    Registry Values: 0
    (No malicious items detected)

    Registry Data: 0
    (No malicious items detected)

    Folders: 2
    PUP.Optional.WinYahoo, C:\Users\oldman\AppData\Local\{2EF018AC-0A58-7414-67C0-51FC43A8AD64}, Quarantined, [96f7e918dac00333d0a0dae8dd267090],
    PUP.Optional.MySafeSavings, C:\Program Files (x86)\SafeSavings, Quarantined, [2c61649d17832a0c14dff9cda85a9868],

    Files: 5
    PUP.Optional.WinYahoo, C:\Users\oldman\AppData\Local\{2EF018AC-0A58-7414-67C0-51FC43A8AD64}\ridi, Quarantined, [96f7e918dac00333d0a0dae8dd267090],
    PUP.Optional.WinYahoo, C:\Users\oldman\AppData\Local\{2EF018AC-0A58-7414-67C0-51FC43A8AD64}\info.dat, Quarantined, [96f7e918dac00333d0a0dae8dd267090],
    PUP.Optional.WinYahoo, C:\Users\oldman\AppData\Local\{2EF018AC-0A58-7414-67C0-51FC43A8AD64}\install.log, Quarantined, [96f7e918dac00333d0a0dae8dd267090],
    PUP.Optional.WinYahoo, C:\Users\oldman\AppData\Local\{2EF018AC-0A58-7414-67C0-51FC43A8AD64}\Sqlite3.dll, Quarantined, [96f7e918dac00333d0a0dae8dd267090],
    PUP.Optional.WinYahoo, C:\Users\oldman\AppData\Local\{2EF018AC-0A58-7414-67C0-51FC43A8AD64}\uninst.dat, Quarantined, [96f7e918dac00333d0a0dae8dd267090],

    Physical Sectors: 0
    (No malicious items detected)


    (end)

    I will run the last scan this evening and post the results in the morning, so far the computer and browser are running much better. Hopefully the last scan will wrap up this project, I want to thank you very much for your time and patience while we work on this, I would be lost without the help.

  5. #15
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    It's good news for the computer and you're welcome.

    I've recently seen where people are having trouble running Eset.

    Temporarily disable your Anti-Virus software. For instructions, please refer to the following link.

    If you are running the ESET Online Scanner from a downloaded .exe, visit the following web page to download the latest version:
    http://www.eset.com/us/online-scanner/


    Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

    Go here http://www.eset.com/us/online-scanner/ and click 'SCAN NOW' under 'ESET Online Scanner' to check for remnants.

    • You will be prompted to download and install esetonlinescanner_enu.exe. Click on the link and save the file to a convenient location.
    • Double-click on esetonlinescanner_enu.exe to install and a new window will open.
      Follow the prompts.
    • Turn off the real-time scanner of any existing antivirus program before performing the online scan. Here's how
    • At the bottom of the Terms of use window, tick the option Download latest version of ESET Online Scanner then click Accept
    • When/if prompted by UAC, 'Do you want to allow this app to make changes to your PC?', please choose Yes
    • Tick the option Enable detection of potentially unwanted applications
    • Click on Advanced settings
    • Make sure that the option Clean threats automatically is unticked.
    • Ensure these options are ticked:
        • Enable detection of potentially unsafe applications
        • Enable detection of suspicious applications
        • Scan archives
        • Enable Anti-Stealth technology
    • Click Scan
    • Wait for the scan to finish.
    • When the scan is done, if it shows a screen that says Threats found, click Save to text file... then name it and save it to your desktop.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Please copy/paste the contents of the log in your next reply.
    • To close ESET Online Scanner, select Do not clean then Finish
    Last edited by Juliet; 2016-06-28 at 00:03.

  6. #16
    Junior Member
    Join Date
    Jun 2016
    Posts
    10

    last scan

    Hi again, I was able to run the scan and came up with 0 threats, however, when I checked the box "latest scanner" it failed to load that and gave a prompt that read unable to download latest version check internet connection or proxy. I couldn't find a way to get the latest scanner version. I will try the link you gave in your last post and see what happens. So far the machine is running great and the redirect issue is gone so I'm very happy, I'll let the new version run tonight and post back tomorrow with the results. I might add that I have run the tools on the other computer that I mentioned but will wait for this project to be completed before starting a new thread and posting the results of that. As I watched the noticeable actions the infection performed it made me wonder just what all was going on in the background.
    Thanks again.

  7. #17
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Quote: I was able to run the scan and came up with 0 threats,
    good deal

    Quote: So far the machine is running great and the redirect issue is gone so I'm very happy
    Music to my ears!

    Quote: I might add that I have run the tools on the other computer that I mentioned but will wait for this project to be completed before starting a new thread and posting the results of that. As I watched the noticeable actions the infection performed it made me wonder just what all was going on in the background.
    When we remove the tools and quarantine folders on this one, you can post logs for the next here.

    It's hard to get a grasp on all items running in the background at times. Sometimes keeping a limited amount of startup items enabled at boot up helps and monitoring the computer while in use, completely closing or disabling tools/programs when not being used along with layered protection, at this time is your best bet.

  8. #18
    Junior Member
    Join Date
    Jun 2016
    Posts
    10

    No worries

    I am still coming up with 0 threats so this is good, please let me know the removal process for the tools on this computer and we can wrap this up. Once again I can't thank you enough for the help, I would never have gotten it straightened out without your help.
    It may take a couple of days to get back about the other machine but as soon as my wife gives me a chance at it I'll post the relevant logs. Again thank you!

  9. #19
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    Quote: Originally posted by jojo.k
    I am still coming up with 0 threats so this is good, please let me know the removal process for the tools on this computer and we can wrap this up. Once again I can't thank you enough for the help, I would never have gotten it straightened out without your help.
    It may take a couple of days to get back about the other machine but as soon as my wife gives me a chance at it I'll post the relevant logs. Again thank you!

    You're welcome!

    I'll leave this topic open so you can come back and post FRST logs from the other computer.

    ~~~~~~~~~~~~~

    DelFix

    • Please download DelFix or from Here and save the file to your Desktop.
    • Double-click DelFix.exe to run the programme.
    • Place a checkmark next to the following items:
        • Activate UAC
        • Remove disinfection tools
    • Click the Run button.
    • -- This will remove the specialized tools we used to disinfect your system. Any leftover logs, files, folders or tools remaining on your Desktop which were not removed can be deleted manually (right-click the file + delete).


    ~~~~~~~~~~~~~~~~~


    • AdBlock is a browser add-on that blocks annoying banners, pop-ups and video ads.
    • CryptoPrevent places policy restrictions on loading points for ransomware (eg. CryptoWall), helping prevent the execution of malware.
    • Malwarebytes Anti-Exploit (MBAE) is designed to prevent zero-day malware from exploiting vulnerable software.
    • Malwarebytes Anti-Malware Premium (MBAM) works in real-time alongside your Anti-Virus to prevent malware execution.
    • NoScript is a Firefox add-on that blocks the actions of malicious scripts by using whitelisting and other technology.
    • Sandboxie isolates programmes of your choice, preventing files from being written to your HDD unless approved by you.
    • Secunia PSI will scan your computer for vulnerable software that is outdated, and automatically find the latest update for you.
    • SpywareBlaster is a form of passive protection, designed to block the actions of malicious websites and tracking cookies.
    • Unchecky automatically removes checkmarks for bundled software in programme installers; helping you avoid adware and PUPs.
    • Web of Trust (WOT) is a browser add-on designed to alert you before interacting with a potentially malicious website.



    ****

    Want to help others? Join the ClassRoom and learn how.

  10. #20
    Security Expert-emeritus Juliet's Avatar
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    4,084


    still need help with the second computer?
