Author Topic: Websteroid Windows 8.1  (Read 7583 times)

Midgardwanderer

  • Guest
Websteroid Windows 8.1
« on: April 14, 2014, 07:34:02 PM »
Hello everyone,

through carelessness this Websteroid got installed on my laptop.
I have read a fair bit here and ran adw as well as Malwarebytes and also OTL.
After that I also used the repair functions of each of the 3 programs (I hope that was not wrong).
In any case I made a before and after log of each except OTL.
Can anyone tell me whether that was it or whether further steps are needed?
My English is quite passable.

Thanks
« Last Edit: April 14, 2014, 07:38:45 PM by Midgardwanderer »

Midgardwanderer

  • Guest
Re: Websteroid Windows 8.1
« Reply #1 on: April 14, 2014, 07:41:51 PM »
here are the logs from OTL as well.
I'm afraid both are from afterwards, if you understand what I mean, because after I ran the other two programs again, everything from OTL was suddenly gone.
Maybe we are lucky and it is before and after after all.

Offline DJBone

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6366
Re: Websteroid Windows 8.1
« Reply #2 on: April 14, 2014, 08:22:15 PM »
Hello and welcome to the forum! :)

A malware expert has been notified. It may take a while before he responds here...

DJBone

PS: You should hide your email to protect yourself from spam: http://forum.avast.com/index.php?topic=81777.msg680473#msg680473
Win10 x64, APS (always latest version)
Avast Mobile Security (always latest version)

Midgardwanderer

  • Guest
Re: Websteroid Windows 8.1
« Reply #3 on: April 14, 2014, 08:25:49 PM »
All right,

I will wait, and in the meantime I have taken your advice.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Websteroid Windows 8.1
« Reply #4 on: April 16, 2014, 03:36:35 PM »
You appear to have got the vast majority of it. How is the computer behaving?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:53066;https=127.0.0.1:53066
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:53066;https=127.0.0.1:53066
IE - HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <-loopback>
IE - HKU\S-1-5-18-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:53066;https=127.0.0.1:53066
IE - HKU\S-1-5-21-978444029-433764668-3799723712-1001\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=Tuguu&dpid=Tuguu&co=DE&userid=4c2ab228-55cb-f67b-3ef8-a0a749f84e03&searchtype=ds&q={searchTerms}&installDate=31/12/2013
IE - HKU\S-1-5-21-978444029-433764668-3799723712-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snapdo.com/?publisher=Tuguu&dpid=Tuguu&co=DE&userid=4c2ab228-55cb-f67b-3ef8-a0a749f84e03&searchtype=ds&q={searchTerms}&installDate=31/12/2013
IE - HKU\S-1-5-21-978444029-433764668-3799723712-1002\..\SearchScopes\{B8750C10-5225-419D-A7A9-E0D341FF436D}: "URL" = http://feed.snapdo.com/?publisher=Tuguu&dpid=Tuguu&co=DE&userid=4c2ab228-55cb-f67b-3ef8-a0a749f84e03&searchtype=ds&q={searchTerms}&installDate=31/12/2013
IE - HKU\S-1-5-21-978444029-433764668-3799723712-1002-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\..\SearchScopes\{B8750C10-5225-419D-A7A9-E0D341FF436D}: "URL" = http://feed.snapdo.com/?publisher=Tuguu&dpid=Tuguu&co=DE&userid=4c2ab228-55cb-f67b-3ef8-a0a749f84e03&searchtype=ds&q={searchTerms}&installDate=31/12/2013
[2014.04.06 19:31:27 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FileParade bundle uninstaller

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
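
Added example, not part of essexboy's post and not OTL's own code: a Python sketch that triages OTL-style `IE -` lines like those in the fix above, flagging an enabled proxy that points at a loopback address and SearchScopes URLs whose host is not on an expected list. The sample lines (including the SID and GUIDs in them) and the `EXPECTED_SEARCH_HOSTS` allowlist are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the format of the OTL "IE -" lines in the fix above.
SAMPLE = r'''
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:53066;https=127.0.0.1:53066
IE - HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = 127.0.0.1:8080
IE - HKU\S-1-5-21-1-2-3-1001\..\SearchScopes\{11111111-1111-1111-1111-111111111111}: "URL" = http://feed.snapdo.com/?q={searchTerms}
IE - HKU\S-1-5-21-1-2-3-1001\..\SearchScopes\{22222222-2222-2222-2222-222222222222}: "URL" = http://www.bing.com/search?q={searchTerms}
'''

LINE = re.compile(r'^IE - (HK.+?): "([^"]+)" = (.*)$')
EXPECTED_SEARCH_HOSTS = {"www.bing.com", "www.google.com"}  # assumption: user's own choices

def parse(log):
    """Group values by registry key: {key: {value_name: data}}."""
    keys = defaultdict(dict)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            key, name, data = m.groups()
            keys[key][name] = data.strip()
    return keys

def loopback_ports(proxy_server):
    """Ports of loopback entries in 'host:port' or 'http=host:port;https=...'."""
    ports = set()
    for part in proxy_server.split(";"):
        host, _, port = part.strip().rpartition("=")[2].partition(":")
        if host.lower() == "localhost" or host.startswith("127."):
            ports.add(port)
    return ports

def triage(log):
    findings = []
    for key, vals in parse(log).items():
        if key.endswith("Internet Settings"):
            ports = loopback_ports(vals.get("ProxyServer", ""))
            # A configured but disabled proxy is not in use, so require ProxyEnable = 1.
            if vals.get("ProxyEnable") == "1" and ports:
                findings.append(("loopback-proxy", key, ",".join(sorted(ports))))
        elif "\\SearchScopes\\" in key and "URL" in vals:
            host = urlsplit(vals["URL"]).hostname or ""
            if host not in EXPECTED_SEARCH_HOSTS:
                findings.append(("search-scope", key, host))
    return findings
```

Calling `triage(SAMPLE)` returns one tuple per finding: the kind, the registry key, and the loopback port or search host.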

Midgardwanderer

  • Guest
Re: Websteroid Windows 8.1
« Reply #5 on: April 16, 2014, 04:02:20 PM »
I will do it when I come home.

The behaviour:
Every time I opened a new webpage, it wanted to bring me to a site named "friends checker". But the system did not allow this.
Also the advertising blocker did not work any longer.
The laptop was slower than before.

As I understand, there is still problematic stuff on the laptop, even though I let all 3 programs work and let them clean everything?
As far as I can see, this "FileParade bundle uninstaller" is no longer in the list of installed programs and also the websteroid is no longer to be seen.
But I know that not seeing it does not mean there is nothing.
« Last Edit: April 16, 2014, 04:06:22 PM by Midgardwanderer »

Midgardwanderer

  • Guest
Re: Websteroid Windows 8.1
« Reply #6 on: April 16, 2014, 06:55:10 PM »
Hello,

I used the fix.
Here is the log directly after the fix and the log of the quick scan.

Hope we have it now :P

Offline essexboy

Re: Websteroid Windows 8.1
« Reply #7 on: April 18, 2014, 02:42:03 PM »
It is looking better, but let's do a final check

  • Download RogueKiller and save it on your desktop.
    NOTE: If using IE8 or better, Smartscreen Filter will need to be disabled
  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
  • Wait for the end of the scan.
  • The report has been created on the desktop.
  • Click on the Delete button.
  • The report has been created on the desktop.
  • Next click on the ShortcutsFix
  • The report has been created on the desktop.
Please attach: All RKreport.txt text files located on your desktop.

Midgardwanderer

  • Guest
Re: Websteroid Windows 8.1
« Reply #8 on: April 18, 2014, 06:58:11 PM »
I have done what you said. At least the program found something.
Here are the logs.

What do we have to do next?

Offline essexboy

Re: Websteroid Windows 8.1
« Reply #9 on: April 18, 2014, 07:35:12 PM »
What problems remain now?

Midgardwanderer

  • Guest
Re: Websteroid Windows 8.1
« Reply #10 on: April 18, 2014, 08:42:44 PM »
I thought you would know when you look at the logs.

As far as I can say, the behaviour of the laptop is quite normal.

Offline essexboy

Re: Websteroid Windows 8.1
« Reply #11 on: April 18, 2014, 08:55:32 PM »
From the logs it looks good, but it is always nice to get the user's opinion :)

In that case methinks I will send you on your merry way :)

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent: install this programme to lock down and prevent crypto ransomware

Malwarebytes.

Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide: Best security practices. Keep safe :wave:

Midgardwanderer

  • Guest
Re: Websteroid Windows 8.1
« Reply #12 on: April 22, 2014, 06:57:42 AM »
After running my system for a time, I cannot see any problems. The laptop seems to be a little bit slower than before, but this can be just in my mind.

I have to thank you a lot. THANK YOU VERY MUCH.

This program you said I should install, CryptoPrevent:
Do I have to run it all the time (I cannot minimize it) or just from time to time or just one time?
What exactly does it do?

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Websteroid Windows 8.1
« Reply #13 on: April 22, 2014, 07:24:36 AM »
1. Do I have to run it all the time (I cannot minimize it) or just from time to time or just one time?
2. What exactly does it do?

1. Quote from the CP FAQ: How can I tell if CryptoPrevent is running? It isn’t. Once you run CryptoPrevent and apply the protection, it doesn’t have a need to run again as Windows itself is now the one doing the protecting by following CryptoPrevent’s rules. CryptoPrevent will only run again if you launch the program to test, check for updates, or undo/re-apply the protection. The exception to this is that with Automatic Updates enabled, it will run once daily to check for and apply updates if necessary. Also if using v4 with email alerts enabled, a monitoring service will be running constantly in order to email you when an application is blocked, though this service is not part of the protection itself, just the alert feature.

2. You can find a detailed description here: http://www.foolishit.com/vb6-projects/cryptoprevent/

Regards, Asyn
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Worth Knowing (Downloads, Guides & Info): https://forum.avast.com/index.php?topic=60523.0

Midgardwanderer

  • Guest
Re: Websteroid Windows 8.1
« Reply #14 on: April 22, 2014, 08:12:12 AM »
Thanks for the quick help.