Jim Gassner

CLOSED Is Handy Tab Malware?

This Chrome extension installed without my knowledge and defied many attempts to get rid of it. For one, it hijacked my image search tab. Reset Chrome, ran Emsisoft, M-Bam, and Superantispyware scans. M-BAM showed PUPs and quarantined them but no other scans turned anything up. Restarted my computer and it appears to be gone. I am careful surfing so not sure where I got it. Have adware blockers but had to disable them for Weatherunderground, which is full of ads. How do I permanently stop this from reappearing?

Thanks

Make sure PUPs detection is enabled in EAM. When downloading any software, carefully examine each step of the installation process before clicking Next or OK. Some third-party downloads are cleverly disguised as part of the normal installation process.

I would like to get a couple of logs to make sure that nothing is lingering on the system.

Download Farbar Recovery Scan Tool and save it to your desktop.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to your desktop.
For x64 (x64) bit systems download Farbar Recovery Scan Tool x64 and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • Double-click to run it. When the tool opens click Yes to the disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.


Jim,

Your logs show no malware.  However, they do show several orphaned entries and a few minor issues that should be corrected.

Copy the below code to Notepad; Save As fixlist.txt to your Desktop.

HKLM\...\Run: [EFMER_TThrottle] => [X]
HKLM-x32\...\Run: [Launch PC Probe II] => [X]
HKLM-x32\...\Run: [DelaypluginInstall] => [X]
HKLM-x32\...\Run: [iSkysoft Helper Compact.exe] => [X]
HKLM\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKLM\...\Policies\Explorer: [NoResolveSearch] 1
HKLM\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
HKLM\...\Policies\Explorer: [NoInternetOpenWith] 1
HKU\S-1-5-21-1329560260-614657799-2511432615-1001\...\Policies\Explorer: [NoLowDiskSpaceChecks] 1
HKU\S-1-5-21-1329560260-614657799-2511432615-1001\...\Policies\Explorer: [NoResolveSearch] 1
HKU\S-1-5-21-1329560260-614657799-2511432615-1001\...\Policies\Explorer: [LinkResolveIgnoreLinkInfo] 1
BHO-x32: No Name -> {1A6B6AD0-2735-498F-834C-AFCEA37847C2} -> No File
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} -  No File
Handler: WSISAllmytubechrome - {4724F5AF-4E6D-41CA -  No File
U3 idsvc; no ImagePath
2016-02-24 02:06 - 2016-02-24 02:06 - 000001040 ___SH () C:\ProgramData\onLineUser.dat
2016-08-13 01:42 - 2016-08-13 01:42 - 000000022 ___SH () C:\Users\desktop\AppData\Roaming\0BF913075E33065.xrd
2016-11-28 00:15 - 2016-11-28 00:15 - 000000020 ___SH () C:\Users\desktop\AppData\Roaming\1816CA7466166.ind
2016-08-13 01:42 - 2016-08-13 01:42 - 000000022 ___SH () C:\Users\desktop\AppData\Roaming\App1755 Conf_DB.ind
2016-11-28 00:15 - 2016-11-28 00:15 - 000000020 ___SH () C:\Users\desktop\AppData\Roaming\Programs8187ConfigDB.dat
2016-01-09 13:30 - 2016-01-09 13:30 - 000000020 ___SH () C:\Users\desktop\AppData\Roaming\Sys11965 DataCollection.dat
2016-01-09 13:30 - 2016-01-09 13:30 - 000000020 ___SH () C:\Users\desktop\AppData\Roaming\System413_DataDB.ind
2016-06-22 21:23 - 2016-06-22 21:23 - 000000990 ___SH () C:\Users\desktop\AppData\Roaming\systemfl.$dk
2016-01-06 16:32 - 2017-12-23 14:21 - 000007597 _____ () C:\Users\desktop\AppData\Local\Resmon.ResmonCfg
ContextMenuHandlers1: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} =>  -> No File
ContextMenuHandlers1: [PDFArchitect4_ManagerExt] -> {3AECFCB3-8472-48E9-BC7B-5A3CD945C886} =>  -> No File
ContextMenuHandlers1: [UnLockerMenu] -> {410BF280-86EF-4E0F-8279-EC5848546AD3} =>  -> No File
ContextMenuHandlers2-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} =>  -> No File
ContextMenuHandlers4: [UnLockerMenu] -> {410BF280-86EF-4E0F-8279-EC5848546AD3} =>  -> No File
ContextMenuHandlers5: [Gadgets] -> {6B9228DA-9C15-419e-856C-19E768A13BDC} =>  -> No File
ContextMenuHandlers6-x32: [Glary Utilities] -> {B3C418F8-922B-4faf-915E-59BC14448CF7} =>  -> No File
ContextMenuHandlers6-x32: [UnLockerMenu] -> {410BF280-86EF-4E0F-8279-EC5848546AD3} =>  -> No File
Task: {0BB6A6E2-636E-457A-92E6-835DD1A8E695} - System32\Tasks\{68D4DD56-34F4-42BB-87FC-0515B228741C} => C:\WINDOWS\system32\pcalua.exe -a C:\Users\desktop\AppData\Local\Temp\Temp7_ProbeII_V10486.zip\ProbeII\Setup.exe <==== ATTENTION
Task: {1D0085D4-EF74-4ED7-89EC-4816C078DAF7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: {28BB03A2-F7FB-4677-BDC5-2C5EA9176FFC} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {36A8E94F-2FA4-4CC9-84AA-9DCE925FB79B} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {5013CE01-8895-40F7-8206-88FD58FC455F} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeReminderTime -> No File <==== ATTENTION
Task: {531B58A6-4438-4147-9DC6-CF70650D0107} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {75120001-F386-4546-ABC4-8B43F5773154} - \Microsoft\Windows\Setup\GWXTriggers\ScheduleUpgradeTime -> No File <==== ATTENTION
Task: {FFE48173-1CA3-42B7-853B-0A8B6C76B109} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION

Close Notepad.

NOTE: It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST64 and press the Fix button just once and wait.

If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

Note: If the tool warns you about an outdated version please download and run the updated version.
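The fixlist above is mostly orphaned autorun entries (Run values marked [X], context-menu handlers and scheduled tasks that resolve to "No File"). The following PowerShell script is an added, read-only example of how to audit a machine for that kind of leftover yourself; it is not part of this thread, not FRST, and not Emsisoft's code. It assumes the standard Run key locations and that Get-ScheduledTask is available (Windows 8 / Server 2012 or later), and it only reports entries, it does not delete them.

```powershell
# Added example (not from the forum thread): read-only audit of autorun entries
# and scheduled tasks whose target file no longer exists, the kind of orphaned
# entry the FRST fixlist removes. Nothing below modifies the registry or tasks.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # the HKLM-x32 view
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable path out of a Run value such as
#   "C:\Program Files\Tool\tool.exe" /silent   or   C:\Tools\tool.exe -x
function Get-ExecutablePath {
    param([string]$Command)
    if ($Command -match '^"([^"]+)"')   { return $Matches[1] }
    if ($Command -match '^(\S+\.exe)')  { return $Matches[1] }
    return $Command.Trim()
}

function Get-OrphanedRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSProvider metadata
            $exe      = Get-ExecutablePath ([string]$p.Value)
            $expanded = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not (Test-Path -LiteralPath $expanded)) {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# Scheduled tasks whose action points at a file that is no longer there
# (the "-> No File" tasks in the fixlist). Bare names such as cmd.exe resolve
# through PATH, so only absolute paths are checked.
function Get-OrphanedTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if ($exe -match '^[A-Za-z]:\\' -and -not (Test-Path -LiteralPath $exe)) {
                [PSCustomObject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Execute  = $action.Execute
                }
            }
        }
    }
}

Get-OrphanedRunEntries | Format-Table -AutoSize
Get-OrphanedTasks      | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so HKLM and all task folders are readable. An entry showing up here is a candidate for review, not proof of infection: a Run value whose file is missing is usually the residue of an uninstalled program, which is exactly why the helper calls them "orphaned entries" rather than malware.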


EAM will prevent certain changes to the registry by third-party software.  When FRST makes the kind of changes that EAM monitors then it will alert on those.

Run a fresh scan with FRST, attach the new FRST scan reports to your reply.


Thread Closed

Reason: Lack of Response

PM either Kevin, Elise, or Arthur to have this thread reopened.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.

Jim,

I have merged your two support threads.

The EAM screenshot you sent shows some adware.  I would like for you to run a tool that targets Adware and Junkware in general.

Please download AdwCleaner and save it on your desktop.

  1. Close all open programs and Internet browsers (you may want to print out or write down these instructions first).
  2. Double click on the AdwCleaner icon to run it.
  3. You will need to accept the license agreement from Malwarebytes in order to continue.
  4. Click on the Scan button in the lower-left.
  5. When the scan is done, a log will open in Notepad. You can close this Notepad window before continuing.
  6. If something was found on your computer, then click on the Clean button in the lower-left (where the "Scan" button was earlier).
  7. AdwCleaner will warn you that it will close all running processes (programs). Click OK to continue when ready.
  8. After the cleaning process is done, you will be prompted to restart your computer. Please click Reboot now when ready to restart your computer.
  9. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop.
  10. Please attach that log file to a reply for me to review.
  11. If you lose that log file for any reason, you can find it at C:\AdwCleaner[C0] on your computer.


AdwCleaner found nothing.

Changing tools.

Download RogueKiller from https://www.fosshub.com/RogueKiller.html and save it to your desktop.

• Double-click on setup.exe to install RogueKiller.

Close all programs and disconnect any USB or external drives before running the tool.

• Right-click RogueKiller.exe and select Run As Administrator to run the tool.
• Once the Prescan has finished, click Scan.
• Once the Status box shows "Scan Finished", click on the "Report" button and attach the scan log to your reply.


Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Also place a checkmark next to:
    • Create registry backup
    • Purge system restore
  • Click the Run button.

When the tool is finished, a log will open in Notepad. I do not need the log. You can close Notepad.

Empty the Recycle Bin

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

To remove EEK, simply delete the EEK folder in the root of your System Drive, normally C:\EEK.

Run Windows Update and update your Windows Operating System.

Articles to Read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
How Did I Get Infected?

That should take care of everything.

Safe Surfing!


Thread Closed

Reason: Resolved

The procedures contained in this thread are for this user and this user only.  Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair.  Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.