[WezVillag]

I'm having issues with my Google browser. When I click on a news post or anything else it redirects me to a different page. When I go to a shopping site I get little pop ups by "deal peak." I'm trying the instructions to remove and I have downloaded "Erunt" and backed up my registry. The next step is dl OTM but when I try this my AVG blocks it as a virus. I'm not very computer savy and would feel better if I had someone to help me with this. I have now dl'd OTM and have ran a scan. Now just waiting on the next step.  

[Advertisements]

Hi, antiviruses will tag some of our tools as suspicious due to their nature. However, we will never ask you to download anything unsafe

OK lets see what we need to clean

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach both logs generated.

[Essexboy]

Hi, antiviruses will tag some of our tools as suspicious due to their nature. However, we will never ask you to download anything unsafe

OK lets see what we need to clean

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach both logs generated.

[WezVillag]

ok trying it now

[WezVillag]

ok here ya go

Attached Files

•  FRST.txt   30.06KB   130 downloads
•  Addition.txt   32.4KB   103 downloads

[Essexboy]

Could you let me know how the computer is behaving after these runs

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

AppInit_DLLs: C:\PROGRA~3\FASTAN~1\FASTAN~2.DLL => C:\ProgramData\Fast And Safe\FastAndSafe_x64.dll [4302848 2014-07-19] ()
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com...rchTerms}&SSPV=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com...rchTerms}&SSPV=
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-07-19 20:57 - 2014-08-04 18:33 - 00000000 ____D () C:\ProgramData\64ba89ba46506d37
2014-07-19 20:57 - 2014-07-24 12:15 - 00000000 ____D () C:\ProgramData\PrioShoppEr
2014-07-19 20:17 - 2014-07-24 18:06 - 00000000 ____D () C:\ProgramData\Fast And Safe
2014-08-05 06:23 - 2014-08-04 18:33 - 00000000 ____D () C:\ProgramData\dEalpeiak
2014-08-04 18:33 - 2014-07-19 20:57 - 00000000 ____D () C:\ProgramData\64ba89ba46506d37
2014-07-24 12:15 - 2014-07-19 20:57 - 00000000 ____D () C:\ProgramData\PrioShoppEr
2014-07-24 06:04 - 2014-07-24 06:04 - 00000000 ____D () C:\Program Files (x86)\PrioShoppEr
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Scan.
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

[WezVillag]

ok here's the fixlist

[WezVillag]

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 09-08-2014 01
Ran by Weezie's at 2014-08-09 09:02:37 Run:1
Running from C:\Users\Weezie's\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
AppInit_DLLs: C:\PROGRA~3\FASTAN~1\FASTAN~2.DLL => C:\ProgramData\Fast And Safe\FastAndSafe_x64.dll [4302848 2014-07-19] ()
SearchScopes: HKCU - DefaultScope {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com....rchTerms}=
SearchScopes: HKCU - {014DB5FA-EAFB-4592-A95B-F44D3EE87FA9} URL = http://www.trovi.com....rchTerms}=
SearchScopes: HKCU - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
2014-07-19 20:57 - 2014-08-04 18:33 - 00000000 ____D () C:\ProgramData\64ba89ba46506d37
2014-07-19 20:57 - 2014-07-24 12:15 - 00000000 ____D () C:\ProgramData\PrioShoppEr
2014-07-19 20:17 - 2014-07-24 18:06 - 00000000 ____D () C:\ProgramData\Fast And Safe
2014-08-05 06:23 - 2014-08-04 18:33 - 00000000 ____D () C:\ProgramData\dEalpeiak
2014-08-04 18:33 - 2014-07-19 20:57 - 00000000 ____D () C:\ProgramData\64ba89ba46506d37
2014-07-24 12:15 - 2014-07-19 20:57 - 00000000 ____D () C:\ProgramData\PrioShoppEr
2014-07-24 06:04 - 2014-07-24 06:04 - 00000000 ____D () C:\Program Files (x86)\PrioShoppEr
CMD: bitsadmin /reset /allusers
CMD: DEL %TEMP%\*.* /F /S /Q
CMD: RD /S /Q %TEMP%
REBOOT:

*****************

"C:\PROGRA~3\FASTAN~1\FASTAN~2.DLL" => Value Data removed successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value deleted successfully.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}" => Key deleted successfully.
"HKCR\CLSID\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}" => Key not found.
"HKCU\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key deleted successfully.
"HKCR\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => Key not found.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
C:\ProgramData\64ba89ba46506d37 => Moved successfully.
C:\ProgramData\PrioShoppEr => Moved successfully.
C:\ProgramData\Fast And Safe => Moved successfully.
C:\ProgramData\dEalpeiak => Moved successfully.
"C:\ProgramData\64ba89ba46506d37" => File/Directory not found.
"C:\ProgramData\PrioShoppEr" => File/Directory not found.
C:\Program Files (x86)\PrioShoppEr => Moved successfully.

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

{2BBC5574-A344-4468-9A59-BEAE68EF20EE} canceled.
1 out of 1 jobs canceled.

========= End of CMD: =========

=========  DEL %TEMP%\*.* /F /S /Q =========

Deleted file - C:\Users\Weezie's\AppData\Local\Temp\1FB9.tmp
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\5C7D.tmp
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\7E6A.tmp
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\B799.tmp
C:\Users\Weezie's\AppData\Local\Temp\FXSAPIDebugLogFile.txt
The process cannot access the file because it is being used by another process.
C:\Users\Weezie's\AppData\Local\Temp\qtlocalpeer-Amazon-4678-1-lockfile
The process cannot access the file because it is being used by another process.
C:\Users\Weezie's\AppData\Local\Temp\qtlocalpeer-Amazon-bdab-1-lockfile
The process cannot access the file because it is being used by another process.
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\~DF542456A50A9A4E58.TMP
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\~DF8D430BBD8D0C62B5.TMP
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\~DFDAE12B4CF91D1D18.TMP
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\clear.fiClient\cabarc.exe
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\clear.fiClient\computer.ico
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\clear.fiClient\DeviceInfo.xml
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\clear.fiClient\PackageInfo.xml
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\clear.fiClient\WindowsInfo.xml
Deleted file - C:\Users\Weezie's\AppData\Local\Temp\HP\AtStatus\hpinksts8811lm.log
C:\Users\Weezie's\AppData\Local\Temp\{39CB0A02-A0B2-49C9-965C-FCDD39047234}\fpb.tmp
Access is denied.

========= End of CMD: =========

=========  RD /S /Q %TEMP% =========

C:\Users\Weezie's\AppData\Local\Temp\FXSAPIDebugLogFile.txt - The process cannot access the file because it is being used by another process.
C:\Users\Weezie's\AppData\Local\Temp\qtlocalpeer-Amazon-4678-1-lockfile - The process cannot access the file because it is being used by another process.
C:\Users\Weezie's\AppData\Local\Temp\qtlocalpeer-Amazon-bdab-1-lockfile - The process cannot access the file because it is being used by another process.
C:\Users\Weezie's\AppData\Local\Temp\{39CB0~1\fpb.tmp - Access is denied.
C:\Users\Weezie's\AppData\Local\Temp\~DF542456A50A9A4E58.TMP - Access is denied.
C:\Users\Weezie's\AppData\Local\Temp\~DF8D430BBD8D0C62B5.TMP - Access is denied.
C:\Users\Weezie's\AppData\Local\Temp\~DFDAE12B4CF91D1D18.TMP - Access is denied.

========= End of CMD: =========

 

The system needed a reboot.

==== End of Fixlog ====

[Essexboy]

That's some of the rubbish gone, lets see what AdwCleaner finds

[WezVillag]

I'm still getting the dealpeak ads

Attached Files

•  AdwCleanerS0.txt   4.85KB   168 downloads

[Essexboy]

OK lets see where it is hiding

Run FRST and in the search box type the following :

deal peak

Then press search registry


Once done a search.txt file will appear please post that

[WezVillag]

Farbar Recovery Scan Tool (x64) Version: 09-08-2014 01
Ran by Weezie's at 2014-08-09 09:35:42
Running from C:\Users\Weezie's\Desktop
Boot Mode: Normal

================== Search Registry: "deal peak" ===========

====== End Of Search ======

[WezVillag]

^{Farbar Recovery Scan Tool (x64) Version: 09-08-2014 01
Ran by Weezie's at 2014-08-09 09:40:13
Running from C:\Users\Weezie's\Desktop
Boot Mode: Normal}

^{================== Search Registry: "dealpeak®" ===========}

^{====== End Of Search ======}

 

on this one I copied the name exactly how it comes up on my browser

[Essexboy]

OK do the ads appear on a specific site ?

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

• Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• It will close all programs when run, so make sure you have saved all your work before you begin.
• Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
• Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

[WezVillag]

could it be hiding on an external hd and running on my computer? I have 2 externals connected to my computer

[Essexboy]

It is very doubtful it is on a slave hard drive

Download Shortcut cleaner from here http://www.bleepingc...ortcut-cleaner/ to your desktop
Run the programme
On completion it will generate a log please post that