Adware issue in Win8.1-Lenovo

Started by PastyWhiteGuy, March 17, 2014, 03:00:48 AM

winchester73

Quote from: PastyWhiteGuy on March 18, 2014, 06:46:18 PM
... I've restarted each time the various checkers have instructed to do so.

Just to clarify, did you reboot the computer immediately after the first MBAM run when all that junk was detected?
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

PastyWhiteGuy

I don't have video, sorry, but if the program TOLD me to restart, I restarted. If it did not specify, I can't tell you for certain. If it was one of the things that I got instructions for here, and I was told to restart, then I restarted. Not sure that's helpful, but it's all I have.
--
DeanZF
aka PastyWhiteGuy

winchester73

Let's try the simple thing first ... update MBAM and run it again.  If it finds anything, and there are any items with "delete on reboot" noted, please reboot the computer.  Also, post that log please.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

PastyWhiteGuy

I ran a full scan, just on the off chance that something was more deeply hidden; I was not sure that the quick scan actually looked at the small D:\ drive (proprietary stuff). Nothing found. :( Waiting for the next step.

Malwarebytes Anti-Malware (Trial) 1.75.0.1300
www.malwarebytes.org

Database version: v2014.03.17.01

Windows 8 x64 NTFS
Internet Explorer 11.0.9600.16521
DeanZF1 :: DEANZF [administrator]

Protection: Enabled

3/19/2014 11:53:06 AM
mbam-log-2014-03-19 (11-53-06).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 374030
Time elapsed: 38 minute(s), 11 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
--
DeanZF
aka PastyWhiteGuy

winchester73

Corrine and I have been working on a few things in the back room behind the curtains ...  :cool:

In the meanwhile, let's get a second opinion from the ESET online scanner:

Please go here to run an on-line scan from ESET.

  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic.
It could take a while for this scan to complete, so pour a cup of coffee and take a break  :D
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

PastyWhiteGuy

The log for ESET does not tell the entire story. Pretty puny log for a 53 minute scan. It was a TWO cup and 6 Sudoku puzzle (on paper, of course) scan.

I did run it from IE. FF and Skype were both open but unused. Does that matter? Instructions did not say.

It found BrowseFox.C in my AppData. This is the entire log, 112 bytes. It looks more like an install log than a results log, at least to me. I searched the drive for a different "log.txt" and found none.

     ESETSmartInstaller@High as CAB hook log:
     OnlineScanner64.ocx - registred OK
     OnlineScanner.ocx - registred OK


That's all there is. I feel like LoonyTunes!  :tongue: yabadeeyabadeeyabadee that's all folks.

I did not delete anything. It was not an option. Not the found file or the scanning software.
--
DeanZF
aka PastyWhiteGuy

Corrine

Since the Pokki is a Conduit toolbar, I've asked my contact if its removal will affect the Lenovo utility (LSC).  In the meantime, you have a few options.

1.  You could reset FF to default:  Reset Firefox preferences to troubleshoot and fix problems | Firefox Help
2.  Try FF in Safe Mode to see if you still get the PlurPush then.
3.  Install Extension List Dumper :: Add-ons for Firefox and select a Text file output, posting the results here for us to look at.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

(note to self) BrowseFox.A was in the original MBAM log
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Corrine

Quote from: winchester73 on March 19, 2014, 08:52:13 PM
(note to self) BrowseFox.A was in the original MBAM log

So was PlurPush and neither showed in the RSIT log, although it is difficult to say how up-to-date RSIT is.

Dean, I heard back from my contact who, in turn, asked at Lenovo and was told that LSC is pretty much stand-alone.  Thus, it will not be impaired by removal of the toolbar.  In fact, my contact removed it from a Lenovo 2014 TP Carbon X1 a couple of weeks ago with no issues.

So, for the next step, please run AdwCleaner and JRT again but this time, please let AdwCleaner remove what it finds.

Double-click AdwCleaner.exe to run the tool again.
  • Click the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
    Note:  Windows Vista, Windows 7/8 users right-click and select Run As Administrator.
  • After the scan has finished, this time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Then please run JRT once again:

  • Close all open programs and internet browsers.
  • Run the tool by double-clicking it.  Note:  Windows Vista, Windows 7/8 users right-click and select Run As Administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Let us know if we need to change your username to LoonyTunes or if the problem has been solved.  :D


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

winchester73

Quote from: Corrine
In fact, my contact removed it from a Lenovo 2014 TP Carbon X1 a couple of weeks ago with no issues.

The very machine I have coveted for some time   :smiley:

Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

PastyWhiteGuy

Quote from: Corrine on March 19, 2014, 10:04:08 PM
Let us know if we need to change your username to LoonyTunes or if the problem has been solved.  :D
It may come to that, but I will need a Porky Pig smilie.

Logs for AdwCleaner, then JRT:

# AdwCleaner v3.022 - Report created 20/03/2014 at 01:46:44
# Updated 13/03/2014 by Xplode
# Operating System : Windows 8.1  (64 bits)
# Username : DeanZF1 - DEANZF
# Running from : C:\Users\DeanZF1\Desktop\adwcleaner.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\DeanZF1\AppData\Local\Pokki
File Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\AllFileSystemObjects\shell\pokki
Key Deleted : HKCU\Software\Classes\Directory\shell\pokki
Key Deleted : HKCU\Software\Classes\Drive\shell\pokki
Key Deleted : HKCU\Software\Classes\lnkfile\shell\pokki
Key Deleted : HKCU\Software\Classes\pokki
Value Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Run [Pokki]
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}
Key Deleted : HKCU\Software\Pokki
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.16518


-\\ Mozilla Firefox v27.0.1 (en-US)

[ File : C:\Users\DeanZF1\AppData\Roaming\Mozilla\Firefox\Profiles\4tg6asne.default\prefs.js ]

Line Deleted : user_pref("extensions.aniweather.timeShifted", 468982);

*************************

AdwCleaner[R0].txt - [1711 octets] - [18/03/2014 02:29:08]
AdwCleaner[R1].txt - [1771 octets] - [18/03/2014 02:36:36]
AdwCleaner[R2].txt - [1831 octets] - [20/03/2014 01:45:42]
AdwCleaner[S0].txt - [1731 octets] - [20/03/2014 01:46:44]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1791 octets] ##########

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.2 (02.20.2014:1)
OS: Windows 8.1 x64
Ran by DeanZF1 on Thu 03/20/2014 at  1:53:09.68
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ FireFox

Successfully deleted the following from C:\Users\DeanZF1\AppData\Roaming\mozilla\firefox\profiles\4tg6asne.default\prefs.js

user_pref("extensions.tacache.cache", "[{\"title\":\"Modify message\",\"text\":\"I don't have video, sorry, but if the program TOLD me to restart, I restarted. If it did not s



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 03/20/2014 at  2:00:58.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--
DeanZF
aka PastyWhiteGuy
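As an added check (my own example, not code from any poster or tool in this thread): a PowerShell script that re-tests every location the AdwCleaner and JRT logs above report as cleaned, so the post-reboot state can be confirmed rather than assumed. It assumes Windows PowerShell 3 or later running as the same user; the key names, CLSIDs and file paths are taken from the logs, with `$env:LOCALAPPDATA` and `$env:APPDATA` standing in for the user-specific paths.

```powershell
# Added example: re-check the persistence points AdwCleaner reported deleting.
# Registry keys and CLSIDs are copied from the AdwCleaner[S0] log in this thread.
$script:RegistryKeys = @(
    'HKCU:\Software\Classes\AllFileSystemObjects\shell\pokki',
    'HKCU:\Software\Classes\Directory\shell\pokki',
    'HKCU:\Software\Classes\Drive\shell\pokki',
    'HKCU:\Software\Classes\lnkfile\shell\pokki',
    'HKCU:\Software\Classes\pokki',
    'HKCU:\Software\Pokki',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Pokki',
    'HKLM:\SOFTWARE\Classes\CLSID\{4AA46D49-459F-4358-B4D1-169048547C23}',
    'HKLM:\SOFTWARE\Classes\CLSID\{A75BE48D-BF58-4A8B-B96C-F9A09DFB9844}',
    'HKLM:\SOFTWARE\Classes\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}'
)
# File-system items from the same log; $env:LOCALAPPDATA replaces the user-specific path.
$script:Paths = @(
    (Join-Path $env:LOCALAPPDATA 'Pokki'),
    'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk'
)
function Test-PokkiResidue {
    # Returns one object per item that still exists; an empty result means clean.
    $findings = @()
    foreach ($key in $script:RegistryKeys) {
        if (Test-Path -LiteralPath $key) {
            $findings += [pscustomobject]@{ Type = 'RegistryKey'; Location = $key }
        }
    }
    # The autostart entry is a named value under Run, not a key, so read the key's properties.
    $run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and ($run.PSObject.Properties.Name -contains 'Pokki')) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Location = "HKCU\...\Run [Pokki] = $($run.Pokki)" }
    }
    foreach ($p in $script:Paths) {
        if (Test-Path -LiteralPath $p) {
            $findings += [pscustomobject]@{ Type = 'FileSystem'; Location = $p }
        }
    }
    # Firefox prefs: the two extension prefs the AdwCleaner and JRT logs removed (aniweather, tacache).
    $prefsFiles = Get-ChildItem -Path (Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles\*\prefs.js') -ErrorAction SilentlyContinue
    foreach ($f in $prefsFiles) {
        foreach ($m in (Select-String -LiteralPath $f.FullName -Pattern 'extensions\.(aniweather|tacache)\.')) {
            $findings += [pscustomobject]@{ Type = 'FirefoxPref'; Location = "$($f.FullName):$($m.LineNumber)" }
        }
    }
    return $findings
}
$residue = @(Test-PokkiResidue)
if ($residue.Count -eq 0) { 'No Pokki residue found.' } else { $residue | Format-Table -AutoSize }
```

Any line of output after the reboot means an item was recreated (or the Clean pass did not complete), which is the cue to post the new AdwCleaner log rather than assume the machine is clean.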

winchester73

How are things now?

You likely saw that Firefox has been updated to v28.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

PastyWhiteGuy

Well, I honestly have not had any time to surf for the last few days. Time has been consumed with scans!

I went to check my current version of FF, saw that it was 27.0.1, and without my asking, it updated to 28. Maybe it had already downloaded and was ready to update and I missed it.

I'll play a little before I go to work and see what I can discover. So far, PlurPush has not reared its ugly head.

Separate question but related: Right now, the only AV I'm running is the sample that came with the machine, McAfee. I've never been a fan. I've previously paid the buck for Symantec/Norton AV and Norton Utilities, but my last experience with them was not good. What are your recommendations for solid substantive AV protection?

TIA.
--
DeanZF
aka PastyWhiteGuy

MikeW

I was a long-time fan of Symantec. However, when I changed to Win7 I went with MS firewall, MSE and Malwarebytes Pro and have been very happy and infection free.
Win 11 Home MS Edge - WD - Mbam Pro

PastyWhiteGuy

Quote from: MikeW on March 20, 2014, 07:08:49 PM
very happy and infection free.
Well, that's certainly where I want to be. It's painfully obvious that McAfee can't do that. I appreciate the advice, Mike.
--
DeanZF
aka PastyWhiteGuy