Browser Hijack PaintTool Sai webswitch
#1
https://speccy.piriform.com/results/MczCtLpda7AUllWI2VSMpNc

My daughter wanted some freeware called PaintTool Sai. I researched it, seemed legit, and gave her permission to DL it. This is the website: https://painttool-sai.en.softonic.com/

I run comodo and I installed it and gave it permission.

Next I saw a video downloader tool on the desktop and also some kind of speedier PC icon. I deleted those two icons from the desktop and there was still a loading icon going:

[Image: jjjjjj_zpswrwshrvo.jpg]

and then it installed the Painttool sai.

Next thing I noticed on firefox my browser had been changed to http://www.webswitch.tk

[Image: hi_zpsbz13j4dz.jpg]

Also on my desktop it is asking if I wanted to download a software update

[Image: jj_zpsg5gnt8vo.jpg]

I have random tabs popping up asking to help

[Image: jjjj_zpsijezyfqj.jpg]

[Image: hijack_zpsxyf85gd4.jpg]

It is looking fishy from the processes

[Image: h_zpskhspxfdd.jpg]

I killed the only odd process I see under explorer.exe, and the grey processes won't let me cease those through comodo killswitch.

[Image: jjjjj_zpstd9l4lvm.jpg]

It is even happening right now, another tab opened.

I used advanced uninstaller to remove the programs and remove the traces, but to no avail.


I ran Comodo and it removed some items but nothing. I ran malwarebytes and it removed some items but no change.

I tried booting to safe mode and it stalls on the plug n play monitor driver.

So then I used Comodo's rescue disk and it removed some items (HEUR.packed, bassmod) but still no change.

Any help would be appreciated!

Thanks,
Chris

#2
I accidentally downloaded Trovi.com browser hijacker onto my mother's PC and was referred to this site that helped, they may have one for yours. https://www.anvisoft.com/resources/how-to-remove-trovi-com-browser-hijacker/

#3
I don't like downloading from softonic; it looks like you got some malware on your system.

Start running Malwarebytes

https://www.malwarebytes.org/var7-free-dl/

Junkware Removal Tool

https://www.bleepingcomputer.com/download/junkware-removal-tool/

#4
To add to the list adwcleaner

and Emsisoft Emergency Kit

#5
Step 1

[Image: Emsisoft-Emergency-Kit.jpg] Please download Emsisoft Emergency Kit to your desktop.

  • Double-click EmsisoftEmergencyKit.exe; this will install Emsisoft Emergency Kit.
  • Next choose Extract; it will put the program in C:\EEK.
  • Navigate to C:\EEK, then click "Start Emergency Kit Scanner.exe".
  • Click Yes to User Account Control (UAC).
  • Click Yes to Update Signature Definitions.
  • Now click "Smart Scan" and select Yes to "Detect Potentially Unwanted Programs (PUPs)".
  • Click Delete Selected, then click View Report and save as EEK.log.
  • Click Finish and post EEK.log in your next post.

Step 2

[Image: malwarebytes-icon.png] Scan with Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.

  • Install Malwarebytes and select Update.
  • Next, click Settings; on the left panel choose Detections & protection and tick Scan for Rootkits.
  • Then click the Scan tab, at the bottom right click Main Menu, then choose Threat Scan; make sure the radio button is selected on Threat and click Scan Now.
  • Click the Apply Actions button to remove threats, if any. You will now be prompted to reboot. Click Yes.
  • After the reboot, click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • At the bottom click Export and choose Text file.

Save the file to your desktop and post the log file contents in your next reply.

Step 3

Please download [Image: adwcleane.png] AdwCleaner (by Xplode) and save it to your Desktop.

  • Right-click on AdwCleaner.exe and Run as administrator.
  • Click Scan. (AdwCleaner will now scan for adware.)
  • Once the scan finishes, click Clean, then follow the on-screen prompts.
  • Your computer should now reboot.
  • A log file will automatically open. Please copy and paste it when you reply in your next post.

Note: The log can also be found here: C:\AdwCleaner\

Step 4

[Image: FRST.png] Scan with Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool x64 and save it to your Desktop.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users: click Run after receipt of the Windows Security Warning - Open File.)
  • When the tool opens, click Yes to the disclaimer.
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two log files on your desktop: FRST.txt and Addition.txt.

Please copy and paste their content into your next reply.

#6
(04-15-2015, 12:40 PM)Britec Wrote: [quotes Steps 1 to 4 from post #5 above]


It is not allowing me to delete or quarantine the entries.


Attached Files
.txt   a2scan_150415-164313.txt (Size: 6.95 KB / Downloads: 8)

#7
It's not allowing you to delete or quarantine for Emsisoft Emergency Kit? Try running it in safe mode.

It deleted a lot of stuff; how is your system running?

#8
That is what I am saying, it wouldn't delete anything. I would hit the delete, it would ask if ok, then all the items would stay on the list.

Here is the ADW report:
# AdwCleaner v4.201 - Logfile created 15/04/2015 at 21:36:34
# Updated 08/04/2015 by Xplode
# Database : 2015-04-15.1 [Server]
# Operating system : Windows 7 Ultimate Service Pack 1 (x64)
# Username : Tophu - ZOE
# Running from : C:\Users\Tophu\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\Browser
Folder Deleted : C:\ProgramData\NetEngine
Folder Deleted : C:\Program Files (x86)\Dll-Files.com Fixer
Folder Deleted : C:\Users\Administrator\AppData\Roaming\dll-files.com
Folder Deleted : C:\Users\Tophu\AppData\Local\PackageAware
Folder Deleted : C:\Users\Tophu\AppData\Local\HealthAlert
Folder Deleted : C:\Users\Tophu\AppData\LocalLow\Check Point Software Technologies LTD
Folder Deleted : C:\Users\Tophu\AppData\Roaming\CheckPoint\ZoneAlarm LTD Toolbar
Folder Deleted : C:\Users\Tophu\AppData\Roaming\dll-files.com
Folder Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1xl913kt.default​\Extensions\adremoveext@adremoveext.net
File Deleted : C:\Windows\System32\roboot64.exe
File Deleted : C:\Users\Administrator\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Dll-Files Fixer.lnk
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\nsprotector.js
File Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\1xl913kt.default​\user.js
File Deleted : C:\Users\Tophu\AppData\Roaming\Mozilla\Firefox\Profiles\3vvmjcox.default-1418476670562\user.js

***** [ Scheduled tasks ] *****

[x] Not Deleted : DLL-Files.Com Fixer_MONTHLY
[x] Not Deleted : DLL-Files.Com Fixer_Updates
Task Deleted : NetEngine

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Classes\pokki
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\MozillaPlugins\@checkpoint.com/FFApi
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{06DEB529-DE09-43EC-B6E2-451AAB0FF000}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA0C978D-D909-49B6-AFE2-8BDE245DC7E6}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12C1F3F5-4FB2-4191-A1FD-CA464E6823C0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6FA9C2C7-B82C-4944-B077-E1D8EA9E2B3D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{730C3A0D-8C88-468A-B617-7E9913DD6ABC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{83CAD530-387D-40FD-82EA-B9E863D92A9B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AA267627-1EF3-4619-A982-8B57C636CA73}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C11CE4D0-9C73-491D-A95C-23C0B7BBD490}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{03EB0E9C-7A91-4381-A220-9B52B641CDB1}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{051E9166-B275-4683-907B-372FAE22BC7C}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{E5A7A645-8318-4895-B85C-EDC606B80DB6}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{9CB96984-43C3-4D44-90EF-01466EFCF7BB}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{015DB5FA-EAFB-4592-A95B-F44D3EE87FA9}
Key Deleted : HKCU\Software\SearchProtect
Key Deleted : HKCU\Software\dll-files.com
Key Deleted : HKCU\Software\AppDataLow\Software\BackgroundContainer
Key Deleted : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
Key Deleted : HKCU\Software\AppDataLow\Software\DynConIE
Key Deleted : HKCU\Software\AppDataLow\Software\Search Settings
Key Deleted : HKLM\SOFTWARE\PIP
Key Deleted : HKLM\SOFTWARE\PrimoPDF\OpenCandy
Key Deleted : HKLM\SOFTWARE\dll-files.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dll-Files Fixer_is1

***** [ Web browsers ] *****

-\\ Internet Explorer v10.0.9200.17267


-\\ Mozilla Firefox v37.0.1 (x86 en-US)

[3vvmjcox.default-1418476670562\prefs.js] - Line Deleted : user_pref("browser.search.hiddenOneOffs", "Trovi");

-\\ Google Chrome v


-\\ Comodo Dragon v36.1.1.21


*************************

AdwCleaner[R0].txt - [4946 bytes] - [15/04/2015 21:26:27]
AdwCleaner[R1].txt - [5003 bytes] - [15/04/2015 21:28:25]
AdwCleaner[S0].txt - [4822 bytes] - [15/04/2015 21:36:34]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [4881 bytes] ##########
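
A helper reading a log like the one above would want to confirm that what AdwCleaner reported as deleted actually stayed gone after the reboot, and whether the two scheduled tasks it marked "Not Deleted" are still registered (the same question applies to the EEK and Malwarebytes passes in the steps earlier in the thread). The script below is an added example, not part of this thread and not AdwCleaner's own tooling; it assumes the log sits at C:\AdwCleaner\AdwCleaner[S0].txt (the path the log's EOF line names) and is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or from AdwCleaner): re-check every item an
# AdwCleaner cleaning log says it removed, or could not remove, and list what is
# still on disk, in the registry or in Task Scheduler. Run elevated.
# $LogPath is an assumption; point it at the [S0] log quoted in the post.
$LogPath = 'C:\AdwCleaner\AdwCleaner[S0].txt'

function Test-RegistryKeyBothViews([string]$Key) {
    # AdwCleaner is a 32-bit tool, so untagged HKLM\SOFTWARE entries live in the
    # WOW6432Node view and "[x64]" marks the native view. Check both so a 64-bit
    # shell does not miss either.
    $key = $Key -replace '^\[x64\] ', '' -replace '^(HKLM|HKCU)\\', '${1}:\'
    $paths = @($key)
    if ($key -match '^HKLM:\\SOFTWARE\\' -and $key -notmatch 'WOW6432Node') {
        $paths += $key -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\WOW6432Node\'
    }
    foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { return $true } }
    return $false
}

function Test-ScheduledTaskExists([string]$Name) {
    # schtasks.exe also works on Windows 7 (Get-ScheduledTask needs Windows 8+).
    & schtasks.exe /Query /TN $Name 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$section = ''
$report = foreach ($line in Get-Content -LiteralPath $LogPath) {
    # Section headers look like "***** [ Registry ] *****".
    if ($line -match '^\*{5} \[ (?<name>[^\]]+) \] \*{5}$') {
        $section = $Matches['name'].Trim(); continue
    }
    # Entries look like "Folder Deleted : C:\..." or "[x] Not Deleted : TaskName".
    if ($line -match '^(?<status>[^:]*Deleted) : (?<item>.+)$') {
        $item = $Matches['item'].Trim()
        $still = switch ($section) {
            'Files / Folders' { Test-Path -LiteralPath $item }
            'Registry'        { Test-RegistryKeyBothViews $item }
            'Scheduled tasks' { Test-ScheduledTaskExists $item }
            default           { $null }  # browser pref lines need the profile; skipped
        }
        New-Object PSObject -Property @{
            Section = $section; Reported = $Matches['status']
            Item = $item; StillPresent = $still
        }
    }
}
# Anything listed here survived the cleaning pass and needs another look.
$report | Where-Object { $_.StillPresent } | Format-Table Section, Reported, Item -AutoSize
```

An empty table means every file, folder, key and task the log names is gone; the "Web browsers" lines are not checked because that needs the Firefox profile path.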

#9
Try running it in safe mode.

How is your system running after doing the scans?

#10
Yeah buddy, I can't get into safe mode, which is what I was saying there in the original post. It hangs up at the PNP monitor driver and then never actually goes into safe mode, because you lose the monitor.

But, I do have a UAC system admin account besides Zoe's account, and I am operating in it and will give the Emsisoft another run.

Downside is 4 hours' worth of scanning!

Teetering on a reformat at this point...

I have Malwarebytes scanning as well right now.

Will post results later tonight.

ADW's cleaning did not work, BTW.


