Author Topic: Scareware, Popups and Tool Bar Takeover  (Read 14159 times)


thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #15 on: June 14, 2013, 12:55:11 AM »
OK...for the admin account here is all the logs again :'(

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #16 on: June 14, 2013, 12:56:01 AM »
mo' logs

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #17 on: June 14, 2013, 12:56:34 AM »
and last of admin account

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Scareware, Popups and Tool Bar Takeover
« Reply #18 on: June 14, 2013, 01:52:46 PM »
OK, run this from the admin account and then once done let me know what problems remain. As an aside, do you use Sendori? If not, I would recommend uninstalling it.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
O2 - BHO: (Toolbar BHO) - {06e3475c-5521-4de8-bb12-50720f21631c} - C:\PROGRA~2\RECIPE~2\bar\1.bin\2jbar.dll File not found
O2 - BHO: (Toolbar BHO) - {0709f2cc-d1e6-4b43-9efc-1c0701cb173d} - C:\Program Files (x86)\PopularScreensavers_7i\bar\1.bin\7ibar.dll (MindSpark)
O2 - BHO: (Toolbar BHO) - {1e91a655-bb4b-4693-a05e-2edebc4c9d89} - C:\PROGRA~2\MAPSGA~2\bar\1.bin\39bar.dll File not found
O2 - BHO: (Qwiklinx) - {3E7C8B5A-96AB-438F-BF9B-782400655440} - C:\Users\gwen\AppData\Roaming\Qwiklinx\Qwiklinx.dll File not found
O2 - BHO: (ShopAtHome.com Cash Back Helper) - {66516A07-F617-488A-90CF-4E690CFB3C5F} - C:\Users\gwen\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll (ShopAtHome.com)
O2 - BHO: (Search Assistant BHO) - {71c1d63a-c944-428a-a5bd-ba513190e5d2} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39SrcAs.dll File not found
O2 - BHO: (no name) - {7736C7FA-512D-11E2-B871-DEC36088709B} - No CLSID value found.
O2 - BHO: (Toolbar BHO) - {7c8f8fe5-9785-4f74-bcf8-895ef9752d97} - C:\PROGRA~2\GAMING~2\bar\2.bin\gtbar.dll File not found
O2 - BHO: (Shop to Win) - {A0D2864A-05FA-91F4-A5CC-DEF70D52F5AF} - C:\Program Files (x86)\Shop to Win 28\Shop to Win 28.dll (Shop To Win, LLC)
O2 - BHO: (Lyrics Fan) - {A8720491-9558-4C0D-9E35-30EED15DFB2B} - C:\Program Files (x86)\LyricsFan\lrcfan.dll (FAN Software)
O2 - BHO: (Toolbar BHO) - {ab56dfde-0c14-45b3-9df6-7b0eba617870} - C:\PROGRA~2\TOTALR~2\bar\1.bin\14bar.dll File not found
O2 - BHO: (Search Assistant BHO) - {ab5d199e-9659-47a2-930b-fc3b69061353} - C:\Program Files (x86)\GamingWonderland\bar\2.bin\gtSrcAs.dll File not found
O2 - BHO: (ArcadeCandy Games) - {AB6BD08C-DB6B-4F02-8A22-4BD343E990FF} - C:\Users\Cliff\AppData\Local\ArcadeCandy\candyEX.dll (ArcadeCandy LLC)
O2 - BHO: (Search Assistant BHO) - {b7acdf9c-c4f9-4d5d-998e-b147866b4d4c} - C:\Program Files (x86)\RecipeHub_2j\bar\1.bin\2jSrcAs.dll (MindSpark)
O2 - BHO: (Norton Family BHO) - {B8E07826-0971-4f16-B133-047B88034E89} - C:\Program Files (x86)\Norton Family\Engine\2.6.0.61\coieplg.dll (Symantec Corporation)
O2 - BHO: (Coupon Savings) - {C3F62D94-EEBB-11E1-B88F-CBBD4CC15727} - C:\Program Files (x86)\Coupon Savings\toolbar.dll ()
O2 - BHO: (Toolbar - Big Fish Games) - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files (x86)\bfgbartb\BfgBarDx.dll ()
O2 - BHO: (no name) - {df22384f-cf68-4d19-969f-10423715528b} - No CLSID value found.
O2 - BHO: (GetSavin 5.0) - {FCD275B4-BE65-4C74-83F9-47EE13DF963D} - C:\Users\gwen\AppData\Local\getsavin\ie\getsavin_1367960342.dll File not found
O3 - HKLM\..\Toolbar: (no name) - {04628064-BCF8-488F-8139-AF1F44E3573C} - No CLSID value found.
O3 - HKLM\..\Toolbar: (PasswordBox) - {25E2E5C9-C43C-4EE8-B23E-4383915F2BCE} - C:\Program Files (x86)\PasswordBox\Application\pbbtn.dll (PasswordBox, Inc.)
O3 - HKLM\..\Toolbar: (ShopAtHome.com Toolbar) - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Users\gwen\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll (ShopAtHome.com)
O3 - HKLM\..\Toolbar: (MapsGalaxy) - {364ea597-e728-4ce4-bb4a-ed846ef47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll File not found
O3 - HKLM\..\Toolbar: (VideoDownloadConverter) - {48586425-6bb7-4f51-8dc6-38c88e3ebb58} - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zbar.dll File not found
O3 - HKLM\..\Toolbar: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files (x86)\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKLM\..\Toolbar: (TotalRecipeSearch) - {a0154e07-2b48-475c-a82a-80efd84ea33e} - C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
O3 - HKLM\..\Toolbar: (Toolbar - Big Fish Games) - {C7C9FC25-88B0-4682-9C9F-2608E9117647} - C:\Program Files (x86)\bfgbartb\BfgBarDx.dll ()
O3 - HKLM\..\Toolbar: (Recipe Hub) - {cf51de5b-eb36-4114-bb69-84df63fbadb4} - C:\Program Files (x86)\RecipeHub_2j\bar\1.bin\2jbar.dll (MindSpark)
O3 - HKLM\..\Toolbar: (PopularScreensavers) - {f339a07f-9578-412d-85e0-b8a80277151a} - C:\Program Files (x86)\PopularScreensavers_7i\bar\1.bin\7ibar.dll (MindSpark)
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (ShopAtHome.com Toolbar) - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - C:\Users\gwen\AppData\Roaming\ShopAtHome\ShopAtHomeToolbar\tbcore3U.dll (ShopAtHome.com)
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (MapsGalaxy) - {364EA597-E728-4CE4-BB4A-ED846EF47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll File not found
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (VideoDownloadConverter) - {48586425-6BB7-4F51-8DC6-38C88E3EBB58} - C:\Program Files (x86)\VideoDownloadConverter_4z\bar\1.bin\4zbar.dll File not found
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files (x86)\Coupons.com CouponBar\tbcore3.dll ()
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (TotalRecipeSearch) - {A0154E07-2B48-475C-A82A-80EFD84EA33E} - C:\Program Files (x86)\TotalRecipeSearch_14\bar\1.bin\14bar.dll (MindSpark)
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (Recipe Hub) - {CF51DE5B-EB36-4114-BB69-84DF63FBADB4} - C:\Program Files (x86)\RecipeHub_2j\bar\1.bin\2jbar.dll (MindSpark)
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (PopularScreensavers) - {F339A07F-9578-412D-85E0-B8A80277151A} - C:\Program Files (x86)\PopularScreensavers_7i\bar\1.bin\7ibar.dll (MindSpark)
O4 - HKLM..\Run: [Recipe Hub Search Scope Monitor] "C:\PROGRA~2\RECIPE~2\bar\1.bin\2jsrchmn.exe" /m=2 /w /h File not found
O4 - HKLM..\Run: [RecipeHub_2j Browser Plugin Loader] C:\PROGRA~2\RECIPE~2\bar\1.bin\2jbrmon.exe File not found
O4 - HKU\S-1-5-18..\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup File not found
O4 - HKU\S-1-5-18..\Run: [Norton Download Manager{NSME22-B22-4abb-B07C-C084B04B4F12}] C:\Program Files (x86)\Norton Management\Engine\3.2.0.19\ccSvcHst.exe /m File not found
O4 - HKU\S-1-5-19..\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup File not found
O4 - HKU\S-1-5-20..\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup File not found
[2013/06/13 16:25:33 | 004,745,728 | ---- | C] (AVAST Software) -- C:\Users\Cliff\Desktop\aswMBR.exe
[2013/06/01 17:01:54 | 000,000,000 | ---D | C] -- C:\Users\Cliff\AppData\Local\RecipeHub_2j
[2013/05/27 17:16:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\LyricsFan
[2013/06/02 15:13:06 | 000,001,316 | ---- | M] () -- C:\Users\Public\Desktop\More Great Games.lnk

:Files
C:\PROGRA~2\MAPSGA~2

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #19 on: June 14, 2013, 10:51:40 PM »
OK...

Sendori Removed

While in that process there was an adware item that popped up...I attached the URL in the log called 'crap' below.

Ran OTL with fixes and then quick scan, see below.

Trying to get last of the windows updates in...will advise.
The startup error is hit or miss...started fine today and restarts no issues...idk  :o

Offline essexboy

Re: Scareware, Popups and Tool Bar Takeover
« Reply #20 on: June 14, 2013, 11:10:59 PM »
How is the computer behaving otherwise?

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #21 on: June 15, 2013, 02:45:05 AM »
OK :D
The start error is not happening anymore...?

Admin (user #1) is working fine. No popups etc...

HOWEVER, it won't update 3 of the Windows updates (kb2552343, kb2547666, kb2532531). I tried to manually install them and it says these are not applicable for this computer???! Why is it saying they need to be updated?!? ??? Maybe need to flush update history?

ATTACHED you will find the logs for user#2. When starting their account, I get a couple RUNDLL errors, and there were popups and adware. Malwarebytes found 2 infections...

I deleted a pc health kit (or something like that) program that kept trying to scare me about the number of infections on here...we know better ;)

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #22 on: June 15, 2013, 02:45:56 AM »
logs user#2

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #23 on: June 15, 2013, 02:46:23 AM »
JRT from user #2

Offline essexboy

Re: Scareware, Popups and Tool Bar Takeover
« Reply #24 on: June 15, 2013, 12:05:45 PM »
OK system two .. I believe that is Gwen

Download the attached fix.txt to her desktop

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Press the run fix button
  • A dialogue will appear asking for the location of fix.txt
  • Locate the fix.txt you downloaded and select
  • Press run fix again

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #25 on: June 15, 2013, 09:03:57 PM »
OK fix ran from OTL on #2 Gwen.

Will send info for user#3 shortly.

Anything else I should do right now?
What about failed updates?

Offline essexboy

Re: Scareware, Popups and Tool Bar Takeover
« Reply #26 on: June 15, 2013, 09:13:29 PM »
The failed updates appear to be ones that have been superseded.

How is Gwen running now?

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #27 on: June 16, 2013, 01:31:02 AM »
Gwen seems ok now.

On #3...'Guest' account. Ran the tests and some of the logs have disappeared?
Malwarebytes found something (attached) and the other logs I have are attached.

Guest account is getting RUNDLL errors...and again, toolbars redirects, ads...

As for the updates that are 'old'...how can I clean the cache in the update history so it stops trying to load them...
« Last Edit: June 16, 2013, 01:39:21 AM by thewebguy »

Offline essexboy

Re: Scareware, Popups and Tool Bar Takeover
« Reply #28 on: June 16, 2013, 11:25:18 AM »
For the updates.. Right click and select hide


On completion of this can you let me know how all users are behaving please

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\URLSearchHook: {0953a3a2-9223-4990-a1c9-efb4d4686ef2} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\URLSearchHook: {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\URLSearchHook: {5e89d89e-4280-65b4-95ac-388697067b31} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\URLSearchHook: {8a7d2060-824d-4b17-b00a-759b1b5f30d9} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\URLSearchHook: {a8625cb7-85fe-4936-92a4-b2a7c925209e} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\URLSearchHook: {cc8ae5b8-005b-4b1a-a27d-307eddffe5c8} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {0953a3a2-9223-4990-a1c9-efb4d4686ef2} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {26842a09-ffa8-4e2c-ae12-0c80f01c3295} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {327f75ed-061b-4339-8cc6-5dd45ad1396d} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {4cff1016-c2e2-4fdd-9c67-e32200c25ff9} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {5e89d89e-4280-65b4-95ac-388697067b31} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {72a0f495-ba60-4524-827b-b36b8c18587a} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {7b9f8c21-46ec-4c0b-8683-e755ef84577a} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {8a7d2060-824d-4b17-b00a-759b1b5f30d9} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {93a3111f-4f74-4ed8-895e-d9708497629e} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {a8625cb7-85fe-4936-92a4-b2a7c925209e} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {cc8ae5b8-005b-4b1a-a27d-307eddffe5c8} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {D3D233D5-9F6D-436C-B6C7-E63F77503B30} - No CLSID value found
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {ebd898f8-fcf6-4694-bc3b-eabc7271eeb1} - No CLSID value found
FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: C:\Program Files (x86)\Free Ride Games\npExentCtl.dll File not found
FF - HKLM\Software\MozillaPlugins\@GamingWonderland.com/Plugin: C:\Program Files (x86)\GamingWonderland\bar\2.bin\NPgtStub.dll File not found
FF - HKCU\Software\MozillaPlugins\facebook.com/fbDesktopPlugin: C:\Users\Cliff\AppData\Local\Facebook\Messenger\2.1.4801.0\npFbDesktopPlugin.dll File not found
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\games@acandy.com: C:\Users\Cliff\AppData\Local\ArcadeCandy\games@acandy.com
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (no name) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {311B58DC-A4DC-4B04-B1B5-60299AD3D803} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {3462C343-BE19-4143-AF70-CEFB56F46FC6} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {364EA597-E728-4CE4-BB4A-ED846EF47970} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {A0154E07-2B48-475C-A82A-80EFD84EA33E} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {C80BDEB2-8735-44C6-BD55-A1CCD555667A} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {EBD898F8-FCF6-4694-BC3B-EABC7271EEB1} - No CLSID value found.
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\Toolbar\WebBrowser: (no name) - {F339A07F-9578-412D-85E0-B8A80277151A} - No CLSID value found.
O4 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501..\Run: [Exetender] "C:\Program Files (x86)\Free Ride Games\GPlayer.exe" /runonstartup File not found
O4 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background File not found
O4 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501..\Run: [p5PopularScreensaversWallpaper] rundll32 C:\PROGRA~2\POPULA~3\p5ScrCtr.dll,LES File not found
O4 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501..\Run: [SearchProtect] C:\Users\Guest\AppData\Roaming\SearchProtect\bin\cltmng.exe File not found
O4 - HKU\S-1-5-21-3774201525-2393300572-3973472274-501..\Run: [Yontoo Desktop] "C:\Users\gwen\AppData\Roaming\Yontoo\YontooDesktop.exe" File not found
[2013/06/15 18:00:00 | 000,000,462 | ---- | M] () -- C:\Windows\tasks\SpeedMaxPc Registration3.job

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
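
An added example (not part of the original thread, and not OTL's own code): a small Python parser for the O2/O3/IE CLSID lines in the two fix scripts above, grouping entries as orphaned ("File not found", "No CLSID value found") or still present, and normalising CLSID case so the same GUID registered under HKLM and a per-user hive is recognised as one object. The line grammar is inferred from the lines in this thread, and reading the trailing parentheses as the file's vendor name is an assumption.

```python
import re
from collections import defaultdict

# Sample input: lines taken from the fix scripts posted in this thread.
SAMPLE = r"""
O2 - BHO: (Toolbar BHO) - {1e91a655-bb4b-4693-a05e-2edebc4c9d89} - C:\PROGRA~2\MAPSGA~2\bar\1.bin\39bar.dll File not found
O2 - BHO: (no name) - {7736C7FA-512D-11E2-B871-DEC36088709B} - No CLSID value found.
O2 - BHO: (Lyrics Fan) - {A8720491-9558-4C0D-9E35-30EED15DFB2B} - C:\Program Files (x86)\LyricsFan\lrcfan.dll (FAN Software)
O3 - HKLM\..\Toolbar: (MapsGalaxy) - {364ea597-e728-4ce4-bb4a-ed846ef47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll File not found
O3 - HKU\S-1-5-21-3774201525-2393300572-3973472274-1000\..\Toolbar\WebBrowser: (MapsGalaxy) - {364EA597-E728-4CE4-BB4A-ED846EF47970} - C:\Program Files (x86)\MapsGalaxy_39\bar\1.bin\39bar.dll File not found
O3 - HKLM\..\Toolbar: (Coupons.com CouponBar) - {8660E5B3-6C41-44DE-8503-98D99BBECD41} - C:\Program Files (x86)\Coupons.com CouponBar\tbcore3.dll ()
IE - HKU\S-1-5-21-3774201525-2393300572-3973472274-501\..\URLSearchHook: {0953a3a2-9223-4990-a1c9-efb4d4686ef2} - No CLSID value found
"""

# Assumed grammar: "<kind> - <location>: [(<name>) - ]{CLSID} - <target and status>"
ENTRY = re.compile(
    r"^(?P<kind>O2|O3|IE) - (?P<where>.+?): "
    r"(?:\((?P<name>.*?)\) - )?"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.*)$"
)
PRESENT = re.compile(r"^(?P<path>.*) \((?P<vendor>.*)\)$")  # "path (Vendor)" or "path ()"
MISSING = " File not found"

def parse_entry(line):
    """Return a dict for one O2/O3/IE CLSID line, or None if it does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rest = m["rest"].strip()
    entry = {"kind": m["kind"], "where": m["where"], "name": m["name"],
             "clsid": m["clsid"].upper(),  # GUIDs compare case-insensitively
             "target": None, "vendor": None}
    if rest.startswith("No CLSID value found"):
        entry["status"] = "no_clsid"       # registry reference to an unregistered class
    elif rest.endswith(MISSING):
        entry["status"] = "file_missing"   # class registered, DLL no longer on disk
        entry["target"] = rest[: -len(MISSING)]
    else:
        entry["status"] = "present"        # DLL still installed and loadable
        pm = PRESENT.match(rest)
        entry["target"], entry["vendor"] = (pm["path"], pm["vendor"]) if pm else (rest, None)
    return entry

def review(text):
    """Group entries by status and list CLSIDs registered in more than one location."""
    by_status, places = defaultdict(list), defaultdict(set)
    for line in text.splitlines():
        e = parse_entry(line)
        if e:
            by_status[e["status"]].append(e)
            places[e["clsid"]].add(e["where"])
    shared = {c: sorted(w) for c, w in places.items() if len(w) > 1}
    return dict(by_status), shared

if __name__ == "__main__":
    by_status, shared = review(SAMPLE)
    for status, entries in sorted(by_status.items()):
        print(f"{status}: {len(entries)}")
    for clsid, wheres in shared.items():
        print(f"{clsid} appears in {len(wheres)} locations")
```

Entries with status "present" are the ones whose removal actually unloads code from the browser, so those are worth checking by hand before a fix script is run.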

thewebguy

  • Guest
Re: Scareware, Popups and Tool Bar Takeover
« Reply #29 on: June 16, 2013, 05:42:56 PM »
Guest #3 OTL

I'll let you know how all is running in a few....

 :)