[harrybeetle]

MBR.dat file attached

Attached Files

•  MBR.dat   512bytes   272 downloads

[Advertisements]

Its been nearly 24 hours since going through all the original steps and so far I havent had another security alert from Norton. 

[harrybeetle]

Its been nearly 24 hours since going through all the original steps and so far I havent had another security alert from Norton. 

[DanoNH]

Interesting, because we really haven't fixed anything yet. Is your Norton turned on?

I will have more steps for you a bit later, thanks for your patience.

[harrybeetle]

haha thats funny. Yeah Norton is enabled.

[DanoNH]

The MBR looks fine, thanks.

 

Here are our next steps:
 
First
Programs uninstall
Go to Control Panel > Programs and Features, and uninstall the following programs.  If you aren't sure how to get there, see this link.

• bestadblocker
• CutThePrice
• Search App by Ask
• Similar Pages

Second
Run a FRST Fix

• Download the attached fixlist.txt file and save it to the Desktop:  fixlist.txt   4.9KB   154 downloads
  
  (Note: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.)
  
  Notice: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
• Run FRST/FRST64 from your Desktop and press the Fix button just once and wait.
  
• If for some reason the tool needs a restart, please make sure you let the system restart normally.  After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop named Fixlog.txt. Please post the contents of that log file into your next reply.

Third
Remove Chrome Developer version and re-install Chrome
Unless you did this yourself, malware has likely changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.

• If you have bookmarks, let's save them by exporting them - Export Bookmarks
• Then I need you to go Google Sync and sign into your account
• Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
• Now we need to uninstall chrome, do this via control panel. Note: When asked about user data or settings you must remove this also so please check the box.
• Restart the computer and reinstall chrome, You can download The latest version from here - Google Chrome
• Import your bookmarks back into Chrome
• Sign back in to your Chrome browser so that your bookmarks sync with your online account.

Finally
In your next reply, please copy/paste the contents of the following logs:

• FRST fixlog.txt

And tell me how the system is running.

[harrybeetle]

while uninstalling those programs, bestadblocker and cuttheprice pop ups said they were already uninstalled and click to remove from the program list. Search by ask app actually looked like a proper uninstall process happened.

But similar pages has a pop up that says.... are you sure? This will completely remove the browser add-on.In order for the uninstall to be completed your computer must restart, please click "Yes"in order to complete the uninstall process and install an alternate browser extension which will save you money while you shop online. Click "No"to only uninstall and restart your computer. Click "cancel" to abort the install process. 

Seems a little dodgy to me, so i didnt press any yet?

[harrybeetle]

oh and now norton has detected a threat and is requesting i close all programs so that it can remove it. The threat title is SAPE.Heur.7d6d

 

Should i proceed with the norton fix?

[DanoNH]

Agreed, you don't want that "alternate browser extension which will save you money while you shop online".  Totally agree that "No to only uninstall and restart your computer." is the one you want.  Completely dodgy I concur.

 

You can proceed with the Norton fix if you like, but you may need to disable it to continue with the FRST and later steps.  We will get the baddies either way...

 

 

[harrybeetle]

how long should the FRST fix process take? Its been running for hours.

[DanoNH]

It should normally be a matter of minutes at most.  Norton is disabled, correct?

[harrybeetle]

yes I disabled it prior to starting the fix

[harrybeetle]

It was still running but the fixlog file has been created.

 

Fix result of Farbar Recovery Scan Tool (x64) Version:02-08-2015
Ran by Pearmanman (2015-08-02 14:35:09) Run:1
Running from C:\Users\Pearmanman\Desktop
Loaded Profiles: UpdatusUser & Pearmanman (Available Profiles: UpdatusUser & Pearmanman)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
(APN LLC.) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe
(APN) C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe
HKLM-x32\...\Run: [ApnTBMon] => C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe [1768848 2015-06-18] (APN)
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartse...4-SSHD_W380J62K
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = http://securityrespo...er/fix_homepage
HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.mystartse...q={searchTerms}
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartse...4-SSHD_W380J62K
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.mystartse...q={searchTerms}
HKU\S-1-5-21-805963508-1841621302-2555607465-1002\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mystartse...4-SSHD_W380J62K
HKU\S-1-5-21-805963508-1841621302-2555607465-1002\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mystartse...4-SSHD_W380J62K
URLSearchHook: [S-1-5-21-805963508-1841621302-2555607465-1001] ATTENTION ==> Default URLSearchHook is missing
SearchScopes: HKLM -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartse...q={searchTerms}
SearchScopes: HKLM -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartse...q={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...rd={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL =
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...rd={searchTerms}
SearchScopes: HKU\S-1-5-21-805963508-1841621302-2555607465-1002 -> {33BB0A4E-99AF-4226-BDF6-49120163DE86} URL = http://www.mystartse...q={searchTerms}
SearchScopes: HKU\S-1-5-21-805963508-1841621302-2555607465-1002 -> {4BE785CB-17C0-4573-A2ED-59D43959AA6C} URL = http://www.search.as...rms}&psv=&pt=tb
SearchScopes: HKU\S-1-5-21-805963508-1841621302-2555607465-1002 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...rd={searchTerms}
BHO: Search App by Ask -> {5350432D-5350-006A-76A7-7A786E7484D7} -> C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SPC-SP\Passport_x64.dll [2015-06-18] (APN LLC.)
BHO: No Name -> {90785B9A-A367-4C7C-8D40-93C920267485} ->  No File
BHO: No Name -> {D2065F51-1F54-481F-9DC4-94BAF08A9D1E} ->  No File
BHO-x32: Search App by Ask -> {5350432D-5350-006A-76A7-7A786E7484D7} -> C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SPC-SP\Passport.dll [2015-06-18] (APN LLC.)
Toolbar: HKLM - Search App by Ask - {5350432D-5350-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SPC-SP\Passport_x64.dll [2015-06-18] (APN LLC.)
Toolbar: HKLM-x32 - Search App by Ask - {5350432D-5350-006A-76A7-7A786E7484D7} - C:\Program Files (x86)\AskPartnerNetwork\Toolbar\SPC-SP\Passport.dll [2015-06-18] (APN LLC.)
R2 APNMCP; C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe [173968 2015-06-18] (APN LLC.)
S2 gupdate; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc [X]
S3 gupdatem; "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc [X]
U3 McAPExe; No ImagePath
U3 McMPFSvc; No ImagePath
U3 McNaiAnn; No ImagePath
U3 mcpltsvc; No ImagePath
U3 McProxy; No ImagePath
U3 mfecore; No ImagePath
U3 MSK80Service; No ImagePath
2015-07-22 20:07 - 2015-07-22 20:07 - 00000000 ____D C:\Program Files (x86)\ Similar Pages
2015-07-22 20:06 - 2015-07-22 20:07 - 00000000 ____D C:\ProgramData\6295219319489315088
2015-07-22 20:06 - 2015-07-22 20:06 - 00000000 ____D C:\ProgramData\kpgnkpniddknlcgdfpcfgjinkneoadbm
2015-07-22 20:06 - 2015-07-22 20:06 - 00000000 ____D C:\Program Files (x86)\CutoTHePPricce
2015-07-09 20:10 - 2015-07-09 20:10 - 00000000 ____D C:\Users\Pearmanman\AppData\Roaming\TuneUp Software
2015-07-09 20:10 - 2015-07-09 20:10 - 00000000 ____D C:\Users\Pearmanman\AppData\Local\TuneUp Software
2015-07-09 20:09 - 2015-07-09 20:11 - 00000000 ____D C:\ProgramData\TuneUp Software
2015-07-09 20:09 - 2015-07-09 20:09 - 00000000 __SHD C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C}
2015-07-18 22:20 - 2015-05-02 09:33 - 00410739 _____ C:\windows\system32\ApnDatabase.xml
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
Hosts:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************

Restore point was successfully created.
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\apnmcp.exe => No running process found
C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ApnTBMon => value not found.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Search Page => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
HKLM\Software\\Microsoft\Internet Explorer\Main\\Default_Search_URL => value restored successfully
HKU\S-1-5-21-805963508-1841621302-2555607465-1002\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-805963508-1841621302-2555607465-1002\Software\Microsoft\Internet Explorer\Main\\Default_Page_URL => value restored successfully
Could not restore Default URLSearchHook.
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}" => key removed successfully
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
"HKU\S-1-5-21-805963508-1841621302-2555607465-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33BB0A4E-99AF-4226-BDF6-49120163DE86}" => key removed successfully
HKCR\CLSID\{33BB0A4E-99AF-4226-BDF6-49120163DE86} => key not found.
"HKU\S-1-5-21-805963508-1841621302-2555607465-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{4BE785CB-17C0-4573-A2ED-59D43959AA6C}" => key removed successfully
HKCR\CLSID\{4BE785CB-17C0-4573-A2ED-59D43959AA6C} => key not found.
"HKU\S-1-5-21-805963508-1841621302-2555607465-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5350432D-5350-006A-76A7-7A786E7484D7} => key not found.
HKCR\CLSID\{5350432D-5350-006A-76A7-7A786E7484D7} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90785B9A-A367-4C7C-8D40-93C920267485}" => key removed successfully
HKCR\CLSID\{90785B9A-A367-4C7C-8D40-93C920267485} => key not found.
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2065F51-1F54-481F-9DC4-94BAF08A9D1E}" => key removed successfully
HKCR\CLSID\{D2065F51-1F54-481F-9DC4-94BAF08A9D1E} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5350432D-5350-006A-76A7-7A786E7484D7} => key not found.
HKCR\Wow6432Node\CLSID\{5350432D-5350-006A-76A7-7A786E7484D7} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{5350432D-5350-006A-76A7-7A786E7484D7} => value not found.
HKCR\CLSID\{5350432D-5350-006A-76A7-7A786E7484D7} => key not found.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{5350432D-5350-006A-76A7-7A786E7484D7} => value not found.
HKCR\Wow6432Node\CLSID\{5350432D-5350-006A-76A7-7A786E7484D7} => key not found.
APNMCP => service not found.
gupdate => service removed successfully
gupdatem => service removed successfully
McAPExe => service removed successfully
McMPFSvc => service removed successfully
McNaiAnn => service removed successfully
mcpltsvc => service removed successfully
McProxy => service removed successfully
mfecore => service removed successfully
MSK80Service => service removed successfully
C:\Program Files (x86)\ Similar Pages => moved successfully.
C:\ProgramData\6295219319489315088 => moved successfully.
C:\ProgramData\kpgnkpniddknlcgdfpcfgjinkneoadbm => moved successfully.
C:\Program Files (x86)\CutoTHePPricce => moved successfully.
C:\Users\Pearmanman\AppData\Roaming\TuneUp Software => moved successfully.
C:\Users\Pearmanman\AppData\Local\TuneUp Software => moved successfully.
C:\ProgramData\TuneUp Software => moved successfully.
C:\ProgramData\{FE8D473A-6F06-4F99-B5F4-BED72B2A038C} => moved successfully.
C:\windows\system32\ApnDatabase.xml => moved successfully.

========= reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

ERROR: The system was unable to find the specified registry key or value.

========= End of Reg: =========

========= reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f =========

The operation completed successfully.

 

========= End of Reg: =========

========= RemoveProxy: =========

HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-805963508-1841621302-2555607465-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-805963508-1841621302-2555607465-1002\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully

========= End of RemoveProxy: =========

C:\Windows\System32\Drivers\etc\hosts => moved successfully.
Hosts restored successfully.

=========  netsh advfirewall reset =========

Ok.

========= End of CMD: =========

=========  netsh advfirewall set allprofiles state ON =========

Ok.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

=========  bitsadmin /reset /allusers =========

BITSADMIN version 3.0 [ 7.7.9600 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

[harrybeetle]

Google Chrome wont open so I cant do the third step

[harrybeetle]

its working again.

[DanoNH]

OK, did FRST create any fixlog.txt file on the Desktop?  You can force close it if needed.  If there's a log, please post the contents back here.

 

Let's see if we can get it to run in Safe Mode.  We'll first make a System Restore backup, then we will need to configure your computer to boot up in Safe Mode, and run the FRST fix. 

 

We'll reverse the Safe Mode boot-up later.

 

First

Create a Manual System Restore Point for Windows 8.1

• On the Start Screen, click on the Magnifying Glass icon in the upper right
• Type system restore in the search box
• In the list that appears, click on Create a restore point
• In the window that opens, click on the Create... button
• Type a meaningful name and press Enter or click the Create button

 

Second

Getting To Safe Mode From Within Windows 8

Press the Win+R key combination and type msconfig in the run box and hit Enter.


Switch over to the boot tab, and under Boot options, click on the Safe Boot check box.

*** Choose the Network Radio Button

 

The Active Directory option pertains to restoring a server that is a Domain Controller for your network. Once you have chosen your option click the ok button and restart your machine.


You PC will be booted into Safe Mode automatically.

 

Third

Run a FRST Fix

• Download the attached fixlist.txt file and save it to the Desktop:  fixlist.txt   4.9KB   211 downloads
  
  (Note: It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.)
  
  Notice: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
   
• Run FRST/FRST64 from your Desktop and press the Fix button just once and wait.
  
   
• If for some reason the tool needs a restart, please make sure you let the system restart normally.  After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop named Fixlog.txt. Please post the contents of that log file into your next reply.

 

Finally

Please post the contents of the FRST fixlist.txt in your next reply.