Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

ads popping up and redirectrion on website

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: ads popping up and redirectrion on website

Unread postby Gary R » January 18th, 2014, 6:22 pm

OK. looks like that was successful, please post the log from Microsoft Safety Scanner as soon as you've run it, and let me know how your computer is behaving now.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Re: ads popping up and redirectrion on website

Unread postby hamman » January 18th, 2014, 9:43 pm

Hello,

I finished the scan, but it did not give me a log to print, but it had the following message in a box:

Adware:Win32/BetterSurf Partially removed

The computer seems to be working fine as I am not using chrome and I am not seeing me being switched to different websites or strange ads to marry Russia Women :P

Oops... here is the Scan Log



---------------------------------------------------------------------------------------

Microsoft Safety Scanner v1.0, (build 1.165.2219.0)
Started On Sat Jan 18 15:01:25 2014

Extended Scan Results
----------------
->Scan ERROR: resource process://pid:2164 (code 0x00000005 (5))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x0000054F (1359))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x0000054F (1359))
->Scan ERROR: resource file://C:\hiberfil.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\pagefile.sys (code 0x00000020 (32))
->Scan ERROR: resource file://C:\System Volume Information\{34e26cfd-7fc2-11e3-84e8-60eb693077d3}{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
->Scan ERROR: resource file://C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} (code 0x00000005 (5))
Threat detected: Adware:Win32/BetterSurf
containerfile://C:\FRST\Quarantine\VideoPlayerV3beta147.crx
SHA1: EBB7CF3CE8BCDF25D93FA87634F85A47A97A96F1
containerfile://C:\Users\Palii\AppData\Local\Temp\scoped_dir_3328_1227\VideoPlayerV3beta147.crx
SHA1: EBB7CF3CE8BCDF25D93FA87634F85A47A97A96F1
containerfile://C:\Users\Palii\AppData\Local\Temp\Setup1.exe
SHA1: CBE6E17F85A8A7C7EE54CB73BDB52652AECAC167
file://C:\FRST\Quarantine\VideoPlayerV3beta147.crx->ffVideoPlayerV3beta147chaction.js
SigSeq: 0x0001BF290E5CBFC5
SHA1: 2F68DD3407C11E1667CBFA2E9EFB15F06D31FB9D
file://C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta147\ff\chrome\content\ffVideoPlayerV3beta147ffaction.js
SigSeq: 0x0001BF290E5CBFC5
SHA1: 3D1758099611791C805F4152C13114EF3B7F2104
file://C:\Users\Palii\AppData\Local\Temp\scoped_dir_3328_1227\VideoPlayerV3beta147.crx->ffVideoPlayerV3beta147chaction.js
SigSeq: 0x0001BF290E5CBFC5
SHA1: 2F68DD3407C11E1667CBFA2E9EFB15F06D31FB9D
file://C:\Users\Palii\AppData\Local\Temp\Setup1.exe->(nsis-1-ffVideoPlayerV3beta147ffaction.js)
SigSeq: 0x0001BF290E5CBFC5
file://C:\Users\Palii\AppData\Local\Temp\Setup1.exe->(nsis-1-VideoPlayerV3beta147.crx)->ffVideoPlayerV3beta147chaction.js
SigSeq: 0x0001BF290E5CBFC5
file://C:\Users\Palii\AppData\Local\Temp\Setup1.exe->(nsis-1-VideoPlayerV3beta147.dll)
SigSeq: 0x000215782C1DAD75
SHA1: ED66CC38EDFC68E62F4B86369DFBB84FACE52AD9

Extended Scan Removal Results
----------------
Start 'remove' for file://\\?\C:\Users\Palii\AppData\Local\Temp\Setup1.exe->(nsis-1-VideoPlayerV3beta147.dll)
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for file://\\?\C:\Users\Palii\AppData\Local\Temp\Setup1.exe->(nsis-1-VideoPlayerV3beta147.crx)->ffVideoPlayerV3beta147chaction.js
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for file://\\?\C:\Users\Palii\AppData\Local\Temp\Setup1.exe->(nsis-1-ffVideoPlayerV3beta147ffaction.js)
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for file://\\?\C:\Users\Palii\AppData\Local\Temp\scoped_dir_3328_1227\VideoPlayerV3beta147.crx->ffVideoPlayerV3beta147chaction.js
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for file://\\?\C:\Program Files (x86)\VideoPlayerV3\VideoPlayerV3beta147\ff\chrome\content\ffVideoPlayerV3beta147ffaction.js
Operation succeeded !

Start 'remove' for file://\\?\C:\FRST\Quarantine\VideoPlayerV3beta147.crx->ffVideoPlayerV3beta147chaction.js
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for containerfile://\\?\C:\Users\Palii\AppData\Local\Temp\Setup1.exe
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for containerfile://\\?\C:\Users\Palii\AppData\Local\Temp\scoped_dir_3328_1227\VideoPlayerV3beta147.crx
Operation failed (code=0x8026), please use a full antivirus product ! !

Start 'remove' for containerfile://\\?\C:\FRST\Quarantine\VideoPlayerV3beta147.crx
Operation failed (code=0x8026), please use a full antivirus product ! !


Results Summary:
----------------
Found Adware:Win32/BetterSurf, partially removed.
Microsoft Safety Scanner Finished On Sat Jan 18 19:39:35 2014


Return code: 7 (0x7)
hamman
Active Member
 
Posts: 13
Joined: January 16th, 2014, 12:22 am

Re: ads popping up and redirectrion on website

Unread postby Gary R » January 19th, 2014, 8:15 am

It appears we've still got a couple of files that need removing ...

  • Click Start
  • Type notepad.exe in the search programs and files box and clcik Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad. (don't include Code: Select all)
Code: Select all
C:\Users\Palii\AppData\Local\Temp\Setup1.exe
C:\Users\Palii\AppData\Local\Temp\scoped_dir_3328_1227\VideoPlayerV3beta147.crx

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe.

Next

Let's clean out all your temporary files, these are files which your computer creates to resolve a temporary problem, they're usually removed automatically, but many are not, and over time they build up and can cause problems. As you can see from the 2 files we've just removed with FRST, they're also a place where the "bad guys" like to hide things ...

Download TFC by OldTimer to your Desktop.
  • Close ALL running applications as TFC will terminate them before attempting to clean up the temporary files.
  • Double-click on the TFC icon.
  • When the program starts, click on the Start button. TFC will terminate the Explorer process and all running applications and then begin the process of cleaning out all of your temp folders.
  • When done, press OK to reboot your computer and finish the cleanup.

LET ME KNOW HOW YOUR COMPUTER IS RUNNING NOW PLEASE.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: ads popping up and redirectrion on website

Unread postby hamman » January 19th, 2014, 12:41 pm

Hello Again,

I was able to run the FRST program just fine. I ran TFC and it ran for a while and produced something on the screen showing what it did, but do not know where to find the log file to set to you. So, I just copied what was on the screen if that was ok.

Today I will use the computer and report to you on how things are going. The problems seemed to me on the internet cause every time I clicked on an area it would open another page or I would see ads on the side of pages. Now most of this was using Chrome, I believe. So, it could have happen when Chrome was downloaded.

Do you have recommendations for a good malware program or if you do not do that so that you can stay neutral.

Here is the log from FRST

FixLog

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 19-01-2014
Ran by Palii at 2014-01-19 07:27:36 Run:4
Running from C:\Users\Palii\Desktop
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\Palii\AppData\Local\Temp\Setup1.exe
C:\Users\Palii\AppData\Local\Temp\scoped_dir_3328_1227\VideoPlayerV3beta147.crx

*****************

C:\Users\Palii\AppData\Local\Temp\Setup1.exe => Moved successfully.
C:\Users\Palii\AppData\Local\Temp\scoped_dir_3328_1227\VideoPlayerV3beta147.crx => Moved successfully.

==== End of Fixlog ====


Item list displayed from TFC

Getting user folders.

Stopping running processes.

Emptying Temp folders.


User: All Users

User: Deborah
->Temp folder emptied: 357629626 bytes
->Temporary Internet Files folder emptied: 569906328 bytes
->Java cache emptied: 464 bytes
->Google Chrome cache emptied: 200528019 bytes
->Flash cache emptied: 17870 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User

User: Palii
->Temp folder emptied: 224626230 bytes
->Temporary Internet Files folder emptied: 518863232 bytes
->Java cache emptied: 464 bytes
->Flash cache emptied: 3139 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 255844106 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 41578 bytes
%systemroot%\system32\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 753 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 43276267 bytes
%systemroot%\sysnative\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment folder emptied: 743 bytes

Emptying RecycleBin. Do not interrupt.

RecycleBin emptied: 146278679 bytes
Process complete!

Total Files Cleaned = 2,210.00 mb
hamman
Active Member
 
Posts: 13
Joined: January 16th, 2014, 12:22 am

Re: ads popping up and redirectrion on website

Unread postby Gary R » January 19th, 2014, 2:11 pm

Looks like we've got everything now, time to clean out the programs we've been using on your machine ....

First

To remove ADWCleaner ....

  • Double click AdwCleaner.exe to run it.
  • Click Uninstall.
  • Click Yes to the prompt.
  • AdwCleaner will close and uninstall itself

Note: If AdwCleaner prompts you an update is available, click Cancel and continue to uninstall.

Next ...

To remove OTL & FRST and the files and folders they created (this will also remove SystemLook and TFC) ....

  • Double click OTL.exe to launch the programme.
  • Click on the CleanUp! button.
  • OTL will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
  • You will be prompted to allow the clean up procedure, click Yes
  • When finished exit out of OTL
  • Now delete OTL.exe (if still present).

Next ...

Please go to Control Panel > Programs > Uninstall a program and Uninstall the following:

Tweaking.com Registry Backup


As far as I can see, your computer looks clear of infection now.

Are you still noticing any problems ?
  • If you are let me know about them.
  • If not it's time to make your computer more secure.

You asked me about recommendations for AV products, so please read the article below which will give you a few suggestions for how to minimise your chances of getting another infection.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: ads popping up and redirectrion on website

Unread postby hamman » January 19th, 2014, 3:23 pm

Hello,

I want to thank you for your help in cleaning up the computer as I appreciate it very much.

Wish I had the time or wonder if I could get approved to learn and give back to the community like your group does. In my retirement years, I always look back at my career in IT. I was a support and or programmer for Mainframes and PC in my last years of the business. I always enjoyed teaching and support people in solving their problems.

I understand the satisfaction in solving a problem and seeing things move in a positive direction. Enjoyed writing programs that made people productive and showing how installed programs could be their friend.

So, I understand the pleasure you get from helping people and again, I thank you for your help and being a professional in your directions and your time to work with me in making this a safer computer.

Thanks for all you do..

Ha1mman
hamman
Active Member
 
Posts: 13
Joined: January 16th, 2014, 12:22 am

Re: ads popping up and redirectrion on website

Unread postby Gary R » January 20th, 2014, 6:22 am

You're welcome, glad we were able to help you. :)

If you ever feel like you'd like to learn about removing malware, we do run a training course on the subject ... viewtopic.php?p=625091#p625091 ... age is no barrier, since a lot of us are retired or close to retirement.

Keep safe.

Gary

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
User avatar
Gary R
Administrator
Administrator
 
Posts: 21868
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
Advertisement
Register to Remove

Previous

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 57 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware