BuyNSave keeps coming back. - Malware Removal Help - Malwarebytes Forum
BuyNSave keeps coming back.
Started by exor15, Nov 24 2014 07:53 PM
Posted 24 November 2014 07:53 PM
exor15
I have adware on my computer called BuyNSave. I've tried deleting the extension in my browsers, uninstalling the program in control panel, deleting the hidden system files, ending all related programs and processes with task manager, deleting related files in the registry and I ran adware cleaner and Malwarebytes and BuyNSave is still on my system. Any tips?
Posted 24 November 2014 07:58 PM
exor15
Attached here are the files from Farbar Recovery Scan Tool.
Attached Files
Addition.txt (https://forums.malwarebytes.org/index.php?app=core&module=attach&section=attach&attach_id=155992) 35.74KB 39 downloads
FRST.txt (https://forums.malwarebytes.org/index.php?app=core&module=attach&section=attach&attach_id=155993) 58.06KB 20 downloads
Posted 25 November 2014 02:17 AM
TwinHeadedEagle
Hello,
They call me TwinHeadedEagle around here, and I'll be working with you.
Before we start please read and note the following:
Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
Please be patient. I know it is frustrating when your PC isn't working properly, but malware removal takes time.
Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
Do not paste the logs in your posts, attachments make my work easier. There is a More reply options button, that gives you an Upload Files option below which you can use to attach your reports. Always attach reports from all tools.
Always execute my instructions in the given order. If for some reason you cannot completely follow one instruction, inform me about that.
Stay with me to the end, the absence of symptoms doesn't mean that your machine is fully operational.
Note that we may live in totally different time zones, which may cause some delays between answers.
Do not ask for help for your business PC. Companies are making revenue via computers, so it is a good thing to pay someone to repair it.
If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.
I can't foresee everything, so if anything unexpected happens, please stop and inform me!
There are no silly questions. Never be afraid to ask if in doubt!
https://forums.malwarebytes.org/index.php?/topic/161404buynsavekeepscomingback/
11/29/2014
Rules and policies
We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!
Failure to follow these guidelines will result with closing your topic and withdrawing any assistance.
Scan with ZOEK
Please download ZOEK (http://hijackthis.nl/smeenk/) by Smeenk and save it to your desktop (preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here (http://www.bleepingcomputer.com/forums/topic114351.html).
Right click on the zoek icon and select Run as Administrator to start the tool.
Wait patiently until the main console will appear, it may take a minute or two.
In the main box please paste in the following script:

createsrpoint;
autoclean;
emptyalltemp;
ipconfig /flushdns;b

Make sure that the Scan All Users option is checked.
Push Run Script and wait patiently. The scan may take a couple of minutes.
When the scan completes, a zoek-results log file should open in notepad.
If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually the C:\ drive).
Post its content into your next reply.
Posted 25 November 2014 11:25 AM
exor15
Here is the contents of the Zoek results file:

Zoek.exe v5.0.0.0 Updated 24-11-2014
Tool run by Bradley on Tue 11/25/2014 at 9:59:01.36.
Microsoft Windows 8.1 6.3.9600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\Bradley.Steve\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================
11/25/2014 10:01:33 AM Zoek.exe System Restore Point Created Succesfully.

==== Empty Folders Check ======================
C:\PROGRA~2\AGEIA Technologies deleted successfully
C:\Program Files\Symantec deleted successfully
C:\PROGRA~3\Validity deleted successfully
C:\Users\Bradley.Steve\AppData\Roaming\UpdaterEX deleted successfully
C:\Users\Bradley.Steve\AppData\Local\Conduit deleted successfully
C:\Users\Bradley.Steve\AppData\Local\CRE deleted successfully

==== Deleting CLSID Registry Keys ======================
==== Deleting CLSID Registry Values ======================

==== Deleting Services ======================

==== Batch Command(s) Run By Tool ======================

==== Deleting Files \ Folders ======================
C:\PROGRA~3\anedobhlebhmncaighndllippdfnfnff deleted
C:\Users\Bradley.Steve\AppData\LocalLow\Conduit deleted
C:\PROGRA~2\Wondershare deleted
C:\PROGRA~2\COMMON~1\Wondershare deleted
C:\Users\Bradley.Steve\AppData\Roaming\WB.CFG deleted
C:\PROGRA~3\Package Cache deleted
C:\Users\Bradley.Steve\AppData\Local\Astromenda deleted
C:\Users\Bradley.Steve\AppData\Local\Wondershare deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Shopping and Services deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wondershare deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Search.lnk deleted
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk deleted
C:\WINDOWS\SysNative\config\systemprofile\Searches deleted
C:\windows\SysNative\GroupPolicy\User deleted
C:\WINDOWS\Syswow64\GroupPolicy\gpt.ini deleted

==== Firefox Extensions Registry ======================
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}"="C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.0.0.136\coFFPlgn" [11/24/2014 03:00 PM]

==== Fake Chromium Profiles Check ======================
Fake profile C:\Users\Bradley.Steve\AppData\Local\Google\Chrome SxS deleted

==== Chromium Look ======================
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
bejnhdlplbjhffionohbdnpcbobfejcc - C:\Program Files (x86)\Norton Internet Security\Engine\20.5.0.28\Exts\Chrome.crx [04/29/2014 06:31 AM]
kanflfepiobnpjbljmngfgegijhdpljm - C:\Program Files (x86)\HP SimplePass\tschrome.crx [04/01/2013 01:25 AM]
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
apdfllckaahabafndbhieahigkjlhalf - C:\Users\Bradley.Steve\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx [04/14/2014 07:19 PM]
Google Voice Search Hotword (Beta) - Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Website Logon - Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
Reddit Enhancement Suite - Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb
Website Logon - Bradley.Steve\AppData\Local\Sony Corporation\Some\Chromium\User Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
MixiDJ V31 - Bradley.Steve\AppData\Local\Sony Corporation\Some\Chromium\User Data\Default\Extensions\nmaikkamgfhkjbadgihldfmkpngkhgbb
Google Voice Search Hotword (Beta) - BRADLE~1.STE\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
Website Logon - BRADLE~1.STE\AppData\Local\Google\Chrome\User Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
Reddit Enhancement Suite - BRADLE~1.STE\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb
Website Logon - BRADLE~1.STE\AppData\Local\Sony Corporation\Some\Chromium\User Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
MixiDJ V31 - BRADLE~1.STE\AppData\Local\Sony Corporation\Some\Chromium\User Data\Default\Extensions\nmaikkamgfhkjbadgihldfmkpngkhgbb

==== Chromium Startpages ======================
C:\Users\Bradley.Steve\AppData\Local\Sony Corporation\Some\Chromium\User Data\Default\Preferences
"homepage": "http://www.google.com/",
C:\Users\BRADLE~1.STE\AppData\Local\Sony Corporation\Some\Chromium\User Data\Default\Preferences
"homepage": "http://www.google.com/",

==== Chromium Fix ======================
C:\Users\Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage deleted successfully
C:\Users\Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.azlyrics.com_0.localstorage-journal deleted successfully
C:\Users\Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_www.superfish.com_0.localstorage deleted successfully
C:\Users\Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_www.superfish.com_0.localstorage deleted successfully
C:\Users\Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_services.tamu.edu_0.localstorage deleted successfully

==== Set IE to Default ======================
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"

==== All HKCU SearchScopes ======================
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.co...={searchTerms}" (http://www.google.com/search?q=%7BsearchTerms%7D)
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/...ox&FORM=IESR02" (http://www.bing.com/search?q=%7BsearchTerms%7D&src=IESearchBox&FORM=IESR02)

==== Deleting Registry Keys ======================
HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Google deleted successfully

==== Empty IE Cache ======================
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully
C:\Users\Bradley.Steve\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Bradley.Steve\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\Users\BRADLE~1.STE\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\BRADLE~1.STE\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5 emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 emptied successfully
C:\Users\Bradley.Steve\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\Bradley.Steve\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\Users\BRADLE~1.STE\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully
C:\Users\BRADLE~1.STE\AppData\Local\Microsoft\Windows\INetCache\Low\IE emptied successfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE emptied successfully

==== Empty FireFox Cache ======================
No FireFox Profiles found

==== Empty Chrome Cache ======================
C:\Users\Bradley.Steve\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\Bradley.Steve\AppData\Local\Sony Corporation\Some\Chromium\User Data\Default\Cache emptied successfully
C:\Users\BRADLE~1.STE\AppData\Local\Google\Chrome\User Data\Default\Cache emptied successfully
C:\Users\BRADLE~1.STE\AppData\Local\Sony Corporation\Some\Chromium\User Data\Default\Cache emptied successfully

==== Empty All Flash Cache ======================
Flash Cache Emptied Successfully

==== Empty All Java Cache ======================
Java Cache cleared successfully

==== C:\zoek_backup content ======================
C:\zoek_backup (files=1117 folders=152264532368 bytes)

==== Empty Temp Folders ======================
C:\Users\Bradley.Steve\AppData\Local\Temp will be emptied at reboot
C:\Users\Default\AppData\Local\Temp emptied successfully
C:\Users\Default User\AppData\Local\Temp emptied successfully
C:\Users\BRADLE~1.STE\AppData\Local\Temp will be emptied at reboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Temp emptied successfully
C:\WINDOWS\Temp will be emptied at reboot

==== After Reboot ======================

==== Empty Temp Folders ======================
C:\WINDOWS\Temp successfully emptied
C:\Users\BRADLE~1.STE\AppData\Local\Temp successfully emptied

==== Empty Recycle Bin ======================
C:\$RECYCLE.BIN successfully emptied

==== EOF on Tue 11/25/2014 at 10:15:12.10 ======================
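A zoek results log of this length is easier to review when it is split into its "==== Section ====" blocks and the items that matter for follow-up are pulled out: which paths were removed, which locations are only cleaned after the next reboot, and every Chrome extension ID the log mentions (the 32-character a-p identifiers seen in the Chromium Look and Deleting Files sections above, which is how a leftover ad-injector such as the one in this thread is usually spotted). The parser below is an added example written for this page; it is not code from the thread, from the helper or from the zoek tool. Its sample log, the user name "Example" and the ID beginning "abcdefgh" are constructed; the two other IDs appear in the log above.

```python
"""Parse a zoek results log into sections and extract the items an analyst
reviews first: deleted paths, reboot-pending locations, Chrome extension IDs."""
import re
from collections import OrderedDict

# Section headers in a zoek log look like "==== Name ======================".
SECTION_RE = re.compile(r"^==== (.+?) =+$")
# Deletion lines; the "Fake profile " prefix appears in the Chromium profile check.
DELETED_RE = re.compile(r"^(?:Fake profile )?(.+?) deleted(?: successfully)?$")
PENDING_RE = re.compile(r"^(.+?) will be emptied at reboot$")
# Chrome extension IDs are exactly 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")

# Constructed sample in the layout of a zoek log (not the log from the thread);
# the user name and the ID beginning "abcdefgh" are made up.
SAMPLE_LOG = """\
Zoek.exe v5.0.0.0 Updated 24-11-2014
Tool run by Example on Tue 11/25/2014 at 9:59:01.36.
==== Empty Folders Check ======================
C:\\Users\\Example\\AppData\\Local\\Conduit deleted successfully
==== Deleting Files \\ Folders ======================
C:\\PROGRA~3\\abcdefghijklmnopabcdefghijklmnop deleted
C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Search.lnk deleted
==== Fake Chromium Profiles Check ======================
Fake profile C:\\Users\\Example\\AppData\\Local\\Google\\Chrome SxS deleted
==== Chromium Look ======================
HKEY_LOCAL_MACHINE\\SOFTWARE\\Google\\Chrome\\Extensions
kanflfepiobnpjbljmngfgegijhdpljm - C:\\Program Files (x86)\\HP SimplePass\\tschrome.crx [04/01/2013 01:25 AM]
Reddit Enhancement Suite - Example\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\kbmfpngjjgdllneeigpgjifpgocmfgmb
==== Empty Temp Folders ======================
C:\\Users\\Example\\AppData\\Local\\Temp will be emptied at reboot
==== EOF on Tue 11/25/2014 at 10:15:12.10 ======================
"""


def parse_zoek_log(text):
    """Return an ordered mapping of section name -> list of non-empty body lines.
    Lines before the first header (tool version, OS) are stored under 'header'."""
    sections = OrderedDict()
    current = "header"
    sections[current] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def deleted_paths(sections):
    """Paths the tool reports as deleted, in log order, with the status text stripped."""
    found = []
    for lines in sections.values():
        for line in lines:
            m = DELETED_RE.match(line)
            if m:
                found.append(m.group(1))
    return found


def pending_reboot(sections):
    """Locations the tool could only schedule for cleaning at the next reboot."""
    found = []
    for lines in sections.values():
        for line in lines:
            m = PENDING_RE.match(line)
            if m:
                found.append(m.group(1))
    return found


def extension_ids(text):
    """Every Chrome extension ID mentioned anywhere in the log, deduplicated and sorted."""
    return sorted(set(EXT_ID_RE.findall(text)))


def triage(text):
    """One-shot summary that can be compared between two runs of the tool."""
    sections = parse_zoek_log(text)
    return {
        "sections": [name for name in sections if name != "header"],
        "deleted": deleted_paths(sections),
        "pending_reboot": pending_reboot(sections),
        "extension_ids": extension_ids(text),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Running the script against a real zoek log (pass the file contents to `triage`) gives a short list that can be diffed against the next run: if an extension ID or a path under ProgramData reappears after a reboot, something is still re-creating it and the cleanup is not finished.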
Posted 25 November 2014 12:08 PM
TwinHeadedEagle
Very good. Any progress?
Scan with Farbar Recovery Scan Tool
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
Right click on the FRST icon and select Run as Administrator to start the tool.
(XP users click run after receipt of Windows Security Warning - Open File).
Make sure that the Addition option is checked.
Press the Scan button and wait.
The tool will produce two log files on your desktop: FRST.txt and Addition.txt.
Please include their content into your next reply.
Posted 25 November 2014 04:58 PM
exor15
The extension appears to have not come back, but I ran Farbar again so here's the logs.
Attached Files
Addition.txt (https://forums.malwarebytes.org/index.php?app=core&module=attach&section=attach&attach_id=156126) 37.81KB 5 downloads
FRST.txt (https://forums.malwarebytes.org/index.php?app=core&module=attach&section=attach&attach_id=156127) 57.7KB 7 downloads
Posted 25 November 2014 05:16 PM
TwinHeadedEagle
Good. Last thing to do is to reinstall Google Chrome. Tell me, is everything fine now, so we can finish?
Posted 25 November 2014 05:21 PM
exor15
Everything looks good! Thanks man, appreciate it!
Posted 25 November 2014 07:42 PM
TwinHeadedEagle
Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself.
Recommended reading:
MUST READ security tips:
Computer Security - a short guide to staying safer online. (http://www.malwareremoval.com/forum/viewtopic.php?p=557960#p557960)
Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/keepyourcomputersafeonline/)
MUST READ general maintenance:
What to do if your Computer is running slowly? (http://www.malwareremoval.com/tutorials/runningslowly.php)
The Importance of Software Updating:
In order to stay protected it is very important that you regularly update all of your software. Cyber criminals depend on the apathy of users around software updates to keep their malicious endeavor running.
Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cyber criminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.
How to configure and use Automatic Updates in Windows (http://support.microsoft.com/kb/306525)
How to update Java (http://www.hamilton.edu/its/rc/howtoinstalljavawindowsxpvista78)
How to update Adobe Reader (http://www.ehow.com/how_5233161_upgradeadobereader.html)
Recommended additional software:
TFC (http://www.geekstogo.com/forum/files/file/187tfctempfilecleanerbyoldtimer/) to clean unneeded temporary files.
Malwarebytes' Anti-Malware (http://www.malwarebytes.org/) to scan your system from time to time in search for malware.
Malwarebytes' Anti-Exploit (https://www.malwarebytes.org/antiexploit/) to prevent plenty of mostly exploited vulnerabilities.
McShield (http://www.mcshield.net/) to prevent infections spread by removable media.
Unchecky (http://unchecky.com/) to prevent from installing additional foistware, implemented in legitimate installations.
FileHippo.com Update Checker (http://filehippo.com/updatechecker) to keep your programs up to date.
Adblock (https://adblockplus.org/en/chrome) to surf the web without annoying ads!
Post-cleanup procedures:
Download DelFix (http://generalchangelogteam.fr/fr/downloads/finish/20outilsdexplode/9delfix) by Xplode and save it to your desktop.
Run the tool by right-clicking on the DelFix icon and choosing the Run as administrator option.
Make sure that these ones are checked:
Remove disinfection tools
Purge system restore
Reset system settings
Push Run.
The program will run for a few seconds and display a notepad report. You do not need to attach it.
The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix
The tool deletes old system restore points and creates a fresh system restore point after cleaning.
My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
(http://goo.gl/XIT114)
Thank you!
Stay safe,
TwinHeadedEagle