Several redirecting malwares

[ExaBast]

Hello and thanks for the help,

Recently I've had encounters with many malwares on my browser, I've been able to get the names of some of them but I'm not sure if it's all of them. One of them is an extension I can't uninstall called "Cookies on-off", another is just redirecting me to Yahoo randomly, I get ads in my google searches,  for example if i search : "why am i getting ads" I'll have links like : "why am i getting ads buy on XXXXX" and my homepage is changed to something I've never heard before and sadly don't remember. I'm running Windows 7 64bits if that can help!

I forgot to mention that my OS is in french, so my logs are in french aswell, sorry about that...

Here are my logs :


# AdwCleaner v6.047 - Rapport créé le 03/07/2017 à 16:13:05
# Mis à jour le 19/05/2017 par Malwarebytes
# Base de données : 2017-06-29.3 [Serveur]
# Système d'exploitation : Windows 7 Home Premium Service Pack 1 (X64)
# Nom d'utilisateur : Admin - ADMIN-PC
# Exécuté depuis : C:\Users\Admin\Desktop\adwcleaner_6.047.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support



***** [ Services ] *****

Service trouvé:  Update service


***** [ Dossiers ] *****

Dossier trouvé:  C:\Users\Admin\AppData\Local\DriverToolkit
Dossier trouvé:  C:\Users\Admin\AppData\Roaming\IObit\Advanced SystemCare
Dossier trouvé:  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\ByteFence
Dossier trouvé:  C:\ProgramData\IObit\ASCDownloader
Dossier trouvé:  C:\ProgramData\Application Data\IObit\ASCDownloader
Dossier trouvé:  C:\Program Files (x86)\DriverToolkit
Dossier trouvé:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Extensions\pilplloabdedfmialnfchjomjmpjcoej
Dossier trouvé:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dceidjjhomnclmfgflmjaomohekdgdgb


***** [ Fichiers ] *****

Fichier trouvé:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Local Storage\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage
Fichier trouvé:  C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_dceidjjhomnclmfgflmjaomohekdgdgb_0.localstorage


***** [ DLL ] *****

Aucune DLL patchée trouvée.


***** [ WMI ] *****

Aucune clé malveillante trouvée.


***** [ Raccourcis ] *****

Aucun raccourci infecté trouvé.


***** [ Tâches planifiées ] *****

Tâche trouvée:  Driver Booster Scheduler


***** [ Registre ] *****

Clé trouvée:  HKLM\SOFTWARE\Classes\CLSID\{E4ADC61E-D06A-4E0E-8582-78C809CC8450}
Clé trouvée:  HKLM\SOFTWARE\Classes\TypeLib\{EB2BEAEF-150C-4DE4-9D09-F16403C22769}
Clé trouvée:  HKU\S-1-5-21-2015994361-3734334988-1783566280-1000\Software\DriverToolkit
Clé trouvée:  HKU\S-1-5-21-2015994361-3734334988-1783566280-1000\Software\PRODUCTSETUP
Clé trouvée:  HKCU\Software\DriverToolkit
Clé trouvée:  HKCU\Software\PRODUCTSETUP
Clé trouvée:  [x64] HKCU\Software\DriverToolkit
Clé trouvée:  [x64] HKCU\Software\PRODUCTSETUP
Valeur trouvée:  HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION [ByteFence.exe]
Clé trouvée:  HKLM\SOFTWARE\Google\Chrome\Extensions\iinglghmhcgdgjjlafobajghjamdchik


***** [ Navigateurs web ] *****

Aucune préférence Firefox malveillante trouvée.
Chromium préf trouvée:  [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - dceidjjhomnclmfgflmjaomohekdgdgb
Chromium préf trouvée:  [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - iinglghmhcgdgjjlafobajghjamdchik
Chromium préf trouvée:  [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences ] - pilplloabdedfmialnfchjomjmpjcoej
Chromium préf trouvée:  [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] - vosteran.com
Chromium préf trouvée:  [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Secure Preferences ] - aaaaajhmeplfccacopbgpfaibalfnhcb
Chromium préf trouvée:  [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Secure Preferences ] - oilkkkefbalmbfppgjmgjoefbclebkce
Chromium préf trouvée:  [C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 1\Secure Preferences ] - pilplloabdedfmialnfchjomjmpjcoej

[!] You may need to disable the Chrome synchronization from your Google account in order to fully remove the malicious preferences. Please consult this Google help: https://support.google.com/chrome/answer/3097271?hl=en [!]


*************************

C:\AdwCleaner\AdwCleaner[S0].txt - [3905 octets] - [03/07/2017 16:13:05]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3979 octets] ##########






Malwarebytes
www.malwarebytes.com

-Détails du journal-
Date de l'analyse: 03/07/2017
Heure de l'analyse: 16:19
Fichier journal: malwarebytes.txt
Administrateur: Oui

-Informations du logiciel-
Version: 3.1.2.1733
Version de composants: 1.0.160
Version de pack de mise à jour: 1.0.2284
Licence: Essai

-Informations système-
Système d'exploitation: Windows 7 Service Pack 1
Processeur: x64
Système de fichiers: NTFS
Utilisateur: Admin-PC\Admin

-Résumé de l'analyse-
Type d'analyse: Analyse rapide
Résultat: Terminé
Objets analysés: 2286
Menaces détectées: 0
(Aucun élément malveillant détecté)
Menaces mises en quarantaine: 0
(Aucun élément malveillant détecté)
Temps écoulé: 0 min, 36 s

-Options d'analyse-
Mémoire: Activé
Démarrage: Désactivé
Système de fichiers: Désactivé
Archives: Activé
Rootkits: Désactivé
Heuristique: Désactivé
PUP: Activé
PUM: Activé

-Détails de l'analyse-
Processus: 0
(Aucun élément malveillant détecté)

Module: 0
(Aucun élément malveillant détecté)

Clé du registre: 0
(Aucun élément malveillant détecté)

Valeur du registre: 0
(Aucun élément malveillant détecté)

Données du registre: 0
(Aucun élément malveillant détecté)

Flux de données: 0
(Aucun élément malveillant détecté)

Dossier: 0
(Aucun élément malveillant détecté)

Fichier: 0
(Aucun élément malveillant détecté)

Secteur physique: 0
(Aucun élément malveillant détecté)


(end)





 Results of screen317's Security Check version 1.014 --- 12/23/15 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````[/u]
Avast Antivirus   
Malwarebytes     
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````[/u]
 Java 8 Update 111 
 Java 8 Update 131 
 Java version 32-bit out of Date!
 Adobe Reader XI 
 Google Chrome (59.0.3071.115)
 Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````[/u] 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamtray.exe 
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast AvastUI.exe 
 AVAST Software Avast x64 aswidsagenta.exe
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C: =
````````````````````End of Log``````````````````````[/u]

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************

I forgot to mention that my OS is in french, so my logs are in french aswell, sorry about that...

Not a problem. I'm quite good at reading French. I speak just enough french to get my face slapped.lol.

Please run AdwCleaner again and click on the clean button.
*********************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
**********************************************************
Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

[ExaBast]

Hi Dave and thanks for helping me out, you told me to run AdwCleaner again, I saved the log so tell me if you need it. I've looked at my extensions on Chrome and the "Cookies on-off" thing is gone. The JavaRa link you gave me isn't existing anymore and I don't want to download the wrong thing and screw my PC up. Anyways, here's the JRT log:



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.3 (04.10.2017)
Operating System: Windows 7 Home Premium x64
Ran by Admin (Administrator) on 03.07.2017 at 23:08:18.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 13

Successfully deleted: C:\ProgramData\productdata (Folder)
Successfully deleted: C:\Users\Admin\AppData\Local\ggempire (Folder)
Successfully deleted: C:\Users\Admin\AppData\Local\worldoftanks (Folder)
Successfully deleted: C:\Users\Admin\Documents\add-in express (Folder)
Successfully deleted: C:\Windows\system32\Tasks\Driver Booster SkipUAC (Admin) (Task)
Successfully deleted: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40S7JUVZ (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJYPR2Q1 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G4ULGM2F (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4MSSALH (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\40S7JUVZ (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BJYPR2Q1 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G4ULGM2F (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4MSSALH (Temporary Internet Files Folder)



Registry: 3

Successfully deleted: HKCU\Software\Google\Chrome\Extensions\ooebgdicanjhnamfmdlmlbcnkgehkkmf (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)
Successfully deleted: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 03.07.2017 at 23:09:37.37
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[SuperDave]

Ok. Go to Control Panel and update your Java.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.

• Leave the check mark next to Remove found threats.
  

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[ExaBast]

Updated Java, and ran the ESET scan, unfortunatly there is no log for it, all I can tell you is that out of about 200k files there were no threats found

[SuperDave]

Please give me an update on your computer.

[ExaBast]

It looks like the symptoms are gone, looks clean ! Thanks a lot !

[SuperDave]

Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.



Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.



This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
***************************************
This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

• Activate UAC (optional; some users prefer to keep it off)
• Remove disinfection tools
• Create Registry backup
• Purge System Restore Points
• Re-set system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.
********************************************
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!

[ExaBast]

Did all that, my C drive is still quite loaded but that's my fault, I put games on it when I first got my PC. If we're done cleaning up you can close the post.

I'm thanking you a lot over the internet !

[SuperDave]

You're welcome. I will lock this thread. If you need it re-opened, please send me a pm.