Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

"Luckysearches" hijacking browser and other adware


Re: "Luckysearches" hijacking browser and other adware

Post by mAL_rEm018 » April 6th, 2015, 3:41 am

Hello TheDoctor46,


I noticed that you did not re-enable Microsoft Security Essentials after the ESET scan. If you haven't already done so, please do the following:
  • Right-click on the Microsoft Security Essentials logo and select Open.
  • Open Settings and click Real Time Protection.
  • Ensure that the following box is checked:
    Turn on real time protection
  • Select Save changes and exit Microsoft Security Essentials.


MSConfig should not be used to disable programs from running as a long-term solution. Why did you disable MSI Live Update?
==================== MSCONFIG/TASK MANAGER disabled items ==

(Currently there is no automatic fix for this section.)

MSCONFIG\startupreg: Live Update => C:\Program Files (x86)\MSI\Live Update\Live Update.exe /REMINDER



TheDoctor46 wrote: Luckysearches still appears as the first page when I open Opera. Maybe it's this registry entry causing that. It's still in the registry. It was picked up by the FarBar scan done near the start of this thread.

Yes, this entry is most likely the culprit; however, we already tried to remove it. At this point, my advice would be to remove Opera completely and re-install it. In order to do this, please follow the steps below..


In the following steps we will reset your Opera browser, therefore I advise you to backup any bookmarks before you remove it:



Removing a program in Windows 7
  • Click the Start Menu and select Control Panel.
  • Click Programs, then Programs and Features.
  • Select the following programs:
    Opera 12.14
    Opera Stable 28.0.1750.48
  • Select Uninstall.
    Make sure that delete my Opera user data is selected.
  • When prompted select Yes.
  • Answer any questions attentively.
  • When the process is finished, please restart your computer.
Note: you can only remove one program at a time.


Re-install Opera
  • Download and save to your desktop Opera from the following link Opera.
  • Right-click on Opera_NI_stable.exe and select Run as administrator.
  • Read the Terms of Service and if you agree select Accept and Install.


I need you to run the following fix..

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
Code:
HKU\S-1-5-21-2940932314-315015785-212226153-1000\...\MountPoints2: {8095312a-039c-11e4-8021-d43d7e2bd256} - E:\RUS-Setup.exe
FF Extension: SharkManCoupon - C:\Users\Raymond\AppData\Roaming\Mozilla\Firefox\Profiles\yporo9y6.default\Extensions\_ldod_kbrcdtsauxcc@hvwvdh_uskydndcolx.org [2015-04-03]
S3 cpuz138; \??\C:\Windows\TEMP\cpuz138\cpuz138_x64.sys [X]
AlternateDataStreams: C:\Users\Public\DRM:احتضان
B:\$RECYCLE.BIN\S-1-5-21-2940932314-315015785-212226153-1000\$R5KS6QQ.exe
B:\Users\Raymond\Desktop\Games Related\Monitoring tools\coretemp_1236.exe

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Next..

  • Please download a fresh copy of AdwCleaner to your Desktop from here.
  • Close all your programs and right-click adwcleaner_4.200.exe and select Run as administrator.
  • Click on Scan.
  • After the scan is over, select Logfile.
  • A notepad window will open. Please copy/paste the contents in your next reply.
    Note: do not select Cleaning at this point


I need you to run a search..
  • Please download System look to your desktop.
  • Right-click on SystemLook_x64.exe and select Run as administrator.
  • A window will open. Copy/paste the following inside the window:
    Code:
    :filefind
    *Lucky Searches*
    *Luckysearches*
    *SharkManCoupon*
    
    :folderfind
    *Lucky Searches*
    *Luckysearches*
    *SharkManCoupon*
    
    :regfind 
    Lucky Searches
    Luckysearches
    SharkManCoupon
    
  • Select Look and the scan will start.
  • After the scan is finished a window will open. Please post the content in your next reply.



-----------------------------------------
In your next reply, I would like to see..
  • Did you have trouble performing any of the steps?
  • Answer to my question.
  • fixlog.txt
  • AdwCleaner Logfile.
  • System Look log.
  • Is Lucky Searches still affecting your Opera browser?
    Please post everything in the order given.

Re: "Luckysearches" hijacking browser and other adware

Post by TheDoctor46 » April 6th, 2015, 7:45 am

I turned MS security essentials back on at the end of doing all the scans in my last reply.

MSI live update was probably disabled in msconfig because it was a nuisance or too insistent on pushing me to update non-essential services, or notifying me about updates I was aware of or had chosen not to install. I run it manually from time to time to check updates. Most of the updates it would recommend to me I manually install anyway via other means.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Raymond at 2015-04-06 12:32:35 Run:3
Running from B:\Users\Raymond\Desktop\FRST
Loaded Profiles: Raymond (Available profiles: Raymond)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
HKU\S-1-5-21-2940932314-315015785-212226153-1000\...\MountPoints2: {8095312a-039c-11e4-8021-d43d7e2bd256} - E:\RUS-Setup.exe
FF Extension: SharkManCoupon - C:\Users\Raymond\AppData\Roaming\Mozilla\Firefox\Profiles\yporo9y6.default\Extensions\_ldod_kbrcdtsauxcc@hvwvdh_uskydndcolx.org [2015-04-03]
S3 cpuz138; \??\C:\Windows\TEMP\cpuz138\cpuz138_x64.sys [X]
AlternateDataStreams: C:\Users\Public\DRM:احتضان
B:\$RECYCLE.BIN\S-1-5-21-2940932314-315015785-212226153-1000\$R5KS6QQ.exe
B:\Users\Raymond\Desktop\Games Related\Monitoring tools\coretemp_1236.exe

*****************

"HKU\S-1-5-21-2940932314-315015785-212226153-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8095312a-039c-11e4-8021-d43d7e2bd256}" => Key deleted successfully.
HKCR\CLSID\{8095312a-039c-11e4-8021-d43d7e2bd256} => Key not found.
C:\Users\Raymond\AppData\Roaming\Mozilla\Firefox\Profiles\yporo9y6.default\Extensions\_ldod_kbrcdtsauxcc@hvwvdh_uskydndcolx.org => Moved successfully.
cpuz138 => Service deleted successfully.
C:\Users\Public\DRM => ":احتضان" ADS removed successfully.
B:\$RECYCLE.BIN\S-1-5-21-2940932314-315015785-212226153-1000\$R5KS6QQ.exe => Error: No automatic fix found for this entry.
B:\Users\Raymond\Desktop\Games Related\Monitoring tools\coretemp_1236.exe => Error: No automatic fix found for this entry.

==== End of Fixlog 12:32:36 ====



# AdwCleaner v4.200 - Logfile created 06/04/2015 at 12:40:48
# Updated 29/03/2015 by Xplode
# Database : 2015-03-29.1 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Raymond - RMWD-Z77
# Running from : B:\Users\Raymond\Desktop\adwcleaner_4.200.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Mozilla Firefox v37.0.1 (x86 en-US)

[yporo9y6.default] - Line Found : user_pref("extensions.crossrider.bic", "14c6b5e3fe149b736985c3757bc5cbd3");

-\\ Chromium v


*************************

AdwCleaner[R0].txt - [24092 bytes] - [30/03/2015 16:43:13]
AdwCleaner[R1].txt - [932 bytes] - [30/03/2015 16:45:50]
AdwCleaner[R2].txt - [876 bytes] - [06/04/2015 12:40:48]
AdwCleaner[S0].txt - [22977 bytes] - [30/03/2015 16:44:06]

########## EOF - C:\AdwCleaner\AdwCleaner[R2].txt - [994 bytes] ##########



SystemLook 04.09.10 by jpshortstuff
Log created at 12:42 on 06/04/2015 by Raymond
Administrator - Elevation successful

========== filefind ==========

Searching for "*Lucky Searches*"
No files found.

Searching for "*Luckysearches*"
C:\Users\Raymond\AppData\Local\Opera\Opera\icons\http%3A%2F%2Fwww.luckysearches.com%2Ffavicon.png --a---- 636 bytes [15:06 30/03/2015] [15:06 30/03/2015] 64261493BB9C060F07AC4D119F2915AD
C:\Users\Raymond\AppData\Local\Opera\Opera\icons\www.luckysearches.com.idx --a---- 152 bytes [16:23 30/03/2015] [16:23 30/03/2015] D8B04FCD5CE3E4BA768A635628FC60C2

Searching for "*SharkManCoupon*"
No files found.

========== folderfind ==========

Searching for "*Lucky Searches*"
No folders found.

Searching for "*Luckysearches*"
No folders found.

Searching for "*SharkManCoupon*"
No folders found.

========== regfind ==========

Searching for "Lucky Searches"
No data found.

Searching for "Luckysearches"
No data found.

Searching for "SharkManCoupon"
No data found.

-= EOF =-


Luckysearches isn't appearing in Opera anymore.

Re: "Luckysearches" hijacking browser and other adware

Post by mAL_rEm018 » April 7th, 2015, 1:02 am

Hello TheDoctor46,

TheDoctor46 wrote: Luckysearches isn't appearing in Opera anymore.

That's good news :) however we still have a little more work to do.

TheDoctor46 wrote: MSI live update was probably disabled in msconfig because it was a nuisance or too insistent on pushing me to update non-essential services, or notifying me about updates I was aware of or had chosen not to install. I run it manually from time to time to check updates. Most of the updates it would recommend to me I manually install anyway via other means.

MSConfig should only be used as a troubleshooting tool and if used incorrectly could cause a lot of damage to your computer. If you want we can disable "MSI live update" from loading when your computer boots via other means and then you can run it whenever you wish. Let me know your decision in your next reply.



PUP (Potentially Unwanted Programs)
[yporo9y6.default] - Line Found : user_pref("extensions.crossrider.bic", "14c6b5e3fe149b736985c3757bc5cbd3");

Potentially Unwanted Programs (PUP) are software that have unpredictable behaviour and/or might have been installed on your computer without your direct consent. You might have installed them willingly, in which case feel free to keep them. However, if you did not I advise you to remove them. If you decide to remove this PUP, please follow the steps below to run AdwCleaner.



Adwcleaner
  • Close all your programs and right-click adwcleaner_4.200.exe and select Run as administrator.
  • Click on Scan.
  • After the scan is over, select Cleaning.
  • Note: All programs will be closed and your computer will be rebooted, therefore I advise you to save any unsaved work.
  • A notepad window will open. Please copy/paste the contents in your next reply.



I need you to run another fix..

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
Code:
C:\Users\Raymond\AppData\Local\Opera\Opera\icons\http%3A%2F%2Fwww.luckysearches.com%2Ffavicon.png
C:\Users\Raymond\AppData\Local\Opera\Opera\icons\www.luckysearches.com.idx
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"

CreateRestorePoint:

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log


-----------------------------------------
In your next reply, I would like to see..
  • Decision about "MSI live update"
  • AdwCleaner Log (if you chose to run it)
  • fixlog.txt
    Please post everything in the order given.

Re: "Luckysearches" hijacking browser and other adware

Post by TheDoctor46 » April 7th, 2015, 3:06 am

OK, let's disable MSI update from startup another way.

For some reason ADWCleaner is not finding the crossrider program when it scans now. I tried twice. Even tried downloading the program again and rescanning.


Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Raymond at 2015-04-07 08:04:14 Run:4
Running from B:\Users\Raymond\Desktop\FRST
Loaded Profiles: Raymond (Available profiles: Raymond)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
C:\Users\Raymond\AppData\Local\Opera\Opera\icons\http%3A%2F%2Fwww.luckysearches.com%2Ffavicon.png
C:\Users\Raymond\AppData\Local\Opera\Opera\icons\www.luckysearches.com.idx
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"

CreateRestorePoint:
*****************

C:\Users\Raymond\AppData\Local\Opera\Opera\icons\http%3A%2F%2Fwww.luckysearches.com%2Ffavicon.png => Moved successfully.
C:\Users\Raymond\AppData\Local\Opera\Opera\icons\www.luckysearches.com.idx => Moved successfully.

========= reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" =========


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
BtTray REG_SZ "C:\Program Files (x86)\Bluetooth Suite\BtTray.exe"
BtvStack REG_SZ "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe"
Cmaudio8788 REG_SZ C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd
Cmaudio8788GX REG_SZ C:\Windows\syswow64\HsMgr.exe Envoke
Cmaudio8788GX64 REG_SZ C:\Windows\system\HsMgr64.exe Envoke
EvtMgr6 REG_SZ C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
MSC REG_SZ "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
XboxStat REG_SZ "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
RTHDVCPL REG_SZ "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
Start WingMan Profiler REG_SZ C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
NvBackend REG_SZ "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
ShadowPlay REG_SZ C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart



========= End of Reg: =========


========= reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" =========




========= End of Reg: =========


========= reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" =========


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools Lite REG_SZ "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun
NvLedServiceHost REG_SZ C:\Program Files (x86)\NVIDIA Corporation\LED Visualizer\NvLedServiceHost.exe RunStartup



========= End of Reg: =========


========= reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" =========




========= End of Reg: =========


========= reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx" =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========

Restore point was successfully created.

==== End of Fixlog 08:04:18 ====

Re: "Luckysearches" hijacking browser and other adware

Post by mAL_rEm018 » April 7th, 2015, 6:16 pm

Hello TheDoctor46,

TheDoctor46 wrote: For some reason ADWCleaner is not finding the crossrider program when it scans now. I tried twice. Even tried downloading the program again and rescanning.

Can you see the extension in the Firefox Browser?

  • Open Firefox.
  • Click on Tools in the Menu bar.
  • Select Add-ons.
    Note: this can also be accomplished by pressing on Ctrl+Shift+A inside the browser.
  • Click on Extensions on the left-side panel. Try to locate the following:
    Crossrider
  • If the extension is present, select Remove.
  • Click Restart now. The extension should now be gone.


TheDoctor46 wrote: OK, let's disable MSI update from startup another way.

No problem, first we will need to re-enable MSI update. To do this, please follow the steps below..

Enable a program through CCleaner
  • Open the Start menu.
  • Inside the Search programs and files type the following:
    CCleaner
  • Right-click on CCleaner and select Run as administrator.
  • Select Tools from the left-side panel.
  • Open Startup.
  • Select the Windows tab. Locate the following program:
    MSI Live Update
  • Click Enable.
  • Exit CCleaner and reboot your computer.


Next..

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
Code:
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" 
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" 
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Reg: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Reg: reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log


-----------------------------------------
In your next reply, I would like to see..
  • Did you have trouble performing any of the steps?
  • Was Crossrider present in your Firefox browser, and if so were you able to remove it?
  • fixlog.txt
    Please post everything in the order given.

Re: "Luckysearches" hijacking browser and other adware

Post by TheDoctor46 » April 8th, 2015, 3:30 am

Re-enabled MSI update

Crossrider is not in the list of firefox extensions. There are 4 in there and I know what all of them are.



Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Raymond at 2015-04-08 08:28:05 Run:5
Running from B:\Users\Raymond\Desktop\FRST
Loaded Profiles: Raymond (Available profiles: Raymond)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
Reg: reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Reg: reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
Reg: reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run"
Reg: reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
*****************


========= reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" =========


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
BtTray REG_SZ "C:\Program Files (x86)\Bluetooth Suite\BtTray.exe"
BtvStack REG_SZ "C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe"
Cmaudio8788 REG_SZ C:\Windows\syswow64\RunDll32.exe C:\Windows\Syswow64\cmicnfgp.dll,CMICtrlWnd
Cmaudio8788GX REG_SZ C:\Windows\syswow64\HsMgr.exe Envoke
Cmaudio8788GX64 REG_SZ C:\Windows\system\HsMgr64.exe Envoke
EvtMgr6 REG_SZ C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
MSC REG_SZ "C:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
XboxStat REG_SZ "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
RTHDVCPL REG_SZ "C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe" -s
Start WingMan Profiler REG_SZ C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
NvBackend REG_SZ "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
ShadowPlay REG_SZ C:\Windows\system32\rundll32.exe C:\Windows\system32\nvspcap64.dll,ShadowPlayOnSystemStart



========= End of Reg: =========


========= reg.exe query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" =========




========= End of Reg: =========


========= reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" =========


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
NvLedServiceHost REG_SZ C:\Program Files (x86)\NVIDIA Corporation\LED Visualizer\NvLedServiceHost.exe RunStartup



========= End of Reg: =========


========= reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" =========




========= End of Reg: =========


========= reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" =========

ERROR: The system was unable to find the specified registry key or value.


========= End of Reg: =========


========= reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" =========


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
USB3MON REG_SZ "C:\Program Files (x86)\Intel\Intel(R) USB 3.0 eXtensible Host Controller Driver\Application\iusb3mon.exe"
RUSB3MON REG_SZ "C:\Program Files (x86)\Renesas Electronics\USB 3.0 Host Controller Driver\Application\rusb3mon.exe"
IAStorIcon REG_SZ C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIconLaunch.exe "C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe" 60
WinampAgent REG_SZ "C:\Program Files (x86)\Winamp\winampa.exe"
HP Software Update REG_SZ C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
ControlCenterCount REG_SZ C:\Program Files (x86)\MSI\ControlCenter\ControlCenterCount.exe
Fast Boot REG_SZ C:\Program Files (x86)\MSI\Fast Boot\StartFastBoot.exe
SunJavaUpdateSched REG_SZ "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
Live Update REG_SZ C:\Program Files (x86)\MSI\Live Update\Live Update.exe /REMINDER



========= End of Reg: =========


========= reg.exe query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce" =========




========= End of Reg: =========


==== End of Fixlog 08:28:06 ====

Re: "Luckysearches" hijacking browser and other adware

Post by mAL_rEm018 » April 8th, 2015, 11:34 am

Hello TheDoctor46,

TheDoctor46 wrote: Crossrider is not in the list of firefox extensions. There are 4 in there and I know what all of them are.


If you don't see the extension in your Firefox browser and AdwCleaner does not detect it anymore, then it's safe to say that it is no longer present on your computer.


I noticed that your Firefox browser was outdated. If you have not already done so, please follow the steps below to update it.

Update Firefox
  • Open Firefox.
  • Click on Help in the Menu Bar.
  • Select About Firefox.
  • When the update has finished downloading, click Restart Firefox to Update.
    Firefox should now be updated. If you were unable to update FF, please let me know in your next post.


I need you to run a fix..

  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
    • Copy/Paste the contents of the code box below into Notepad.
Code:
Reg: reg.exe delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f

    • Save it to the same folder/directory that FRST.exe is in, naming it as fixlist.txt

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system

  • Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
    • Press the Fix button once and wait.
    • FRST will process fixlist.txt
    • When finished, it will produce a log fixlog.txt in the same folder/directory as FRST64.exe
    • Please post me the log

Reboot your computer and please answer the following question
  • Does "MSI Live Update" still run at startup?


-----------------------------------------
In your next reply, I would like to see..
  • Did you have trouble performing any of the steps?
  • fixlog.txt
  • Answer to my question.
    Please post everything in the order given.
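As an added example (not code from the thread, nor from FRST, AdwCleaner or SystemLook), the autostart audit the helper performed with reg.exe across the posts above, written as a PowerShell script: it enumerates the same Run/RunOnce keys the fixlists queried, resolves each value to the executable it launches, flags entries that run from user-writable folders or whose file is missing, and can remove one named value the way the final fixlist did for "Live Update". The function names Get-AutostartEntry, Resolve-CommandExe and Remove-AutostartEntry are this example's own, and it assumes an elevated PowerShell 5.1 or later session on Windows.

```powershell
# Added example, not code from the thread or from FRST/AdwCleaner/SystemLook.
# Audits the Windows autostart (Run/RunOnce) keys that the helper queried with
# reg.exe above, and can remove one named value, as the final fixlist did for
# "Live Update". Assumes an elevated PowerShell 5.1+ session on Windows.

# The autostart locations queried in the thread's fixlists, in PSDrive form.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Resolve-CommandExe {
    # Work out which file a Run value actually launches. Quoted commands are
    # easy; for unquoted paths with spaces (e.g. the MSI "Live Update" entry)
    # try each space-delimited prefix, which is how CreateProcess resolves them.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return '' }
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $Command -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-AutostartEntry {
    # Enumerate every value under the autostart keys. Keys that do not exist are
    # skipped; reg.exe reported those as "unable to find the specified registry
    # key or value" in the fixlogs above.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }            # skip the (Default) value
            $command = [string]$item.GetValue($name)
            $exe = Resolve-CommandExe -Command $command
            $exists = ($exe -ne '') -and
                      ((Test-Path -LiteralPath $exe -PathType Leaf) -or
                       [bool](Get-Command -Name $exe -ErrorAction SilentlyContinue))
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $command
                Executable = $exe
                Exists     = $exists
                # Flag launches from user-writable or temporary folders, where
                # adware and PUPs tend to persist, and dangling entries whose
                # executable is gone (leftovers worth cleaning up).
                Suspicious = (-not $exists) -or
                             ($exe -match '\\(AppData|Temp|ProgramData|Users\\Public)\\')
            }
        }
    }
}

function Remove-AutostartEntry {
    # Remove one named autostart value, the PowerShell equivalent of the thread's
    #   reg.exe delete "<key>" /v "<name>" /f
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Key,
        [Parameter(Mandatory = $true)][string]$Name
    )
    if (-not (Test-Path -LiteralPath $Key)) { throw "Key not found: $Key" }
    if ($null -eq (Get-Item -LiteralPath $Key).GetValue($Name)) { throw "Value not found: $Name" }
    if ($PSCmdlet.ShouldProcess("$Key -> $Name", 'Remove autostart value')) {
        Remove-ItemProperty -LiteralPath $Key -Name $Name
    }
}

# Usage: full listing, then only the flagged entries for review.
Get-AutostartEntry | Format-Table Key, Name, Executable, Exists, Suspicious -AutoSize
Get-AutostartEntry | Where-Object { $_.Suspicious }

# The thread's final fix expressed with the helper above (preview with -WhatIf,
# drop it to apply; only meaningful on a machine that has this value):
# Remove-AutostartEntry -Key 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' -Name 'Live Update' -WhatIf
```

A flagged entry is a prompt to investigate, not proof of malware: the page's own Run keys show legitimate vendor tools alongside the one the user wanted disabled.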

Re: "Luckysearches" hijacking browser and other adware

Post by TheDoctor46 » April 9th, 2015, 8:45 am

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 11-03-2015
Ran by Raymond at 2015-04-09 07:33:20 Run:6
Running from B:\Users\Raymond\Desktop\FRST
Loaded Profiles: Raymond (Available profiles: Raymond)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Reg: reg.exe delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f
*****************


========= reg.exe delete "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "Live Update" /f =========

The operation completed successfully.



========= End of Reg: =========


==== End of Fixlog 07:33:20 ====


MSI update has been disabled at startup now.

Re: "Luckysearches" hijacking browser and other adware

Post by mAL_rEm018 » April 9th, 2015, 11:30 am

Hello TheDoctor46,

TheDoctor46 wrote: MSI update has been disabled at startup now.

Great! I have good news..there are no more signs of malware on your computer :) Please follow the steps below and then you'll be all set to go.


Let's remove the tools we have been using so far..
  • Please download Delfix to your desktop.
  • Right-click on delfix_10.9.exe and select Run as administrator.
  • Check the following boxes:
    • Remove disinfection tools
    • Purge system restore
  • You can safely remove any tools and/or logs that may remain on your computer.


  • You should read and get acquainted with the following topic COMPUTER SECURITY - a short guide to staying safer online , which goes into depth on how to keep your computer secure.


I would really appreciate it if you could reply to this post to let me know that you've seen it, so that I can ask for this topic to be closed.


Re: "Luckysearches" hijacking browser and other adware

Post by TheDoctor46 » April 9th, 2015, 1:16 pm

Ran Delfix, removed anything else left over.

Many thanks for the help :)

Re: "Luckysearches" hijacking browser and other adware

Post by mAL_rEm018 » April 9th, 2015, 1:44 pm

TheDoctor46 wrote: Many thanks for the help :)

My pleasure :)

Re: "Luckysearches" hijacking browser and other adware

Post by Gary R » April 9th, 2015, 5:40 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.