Removing SmartComp Safe Network/GetPrivate virus

Solved/Closed
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016 - Nov 26, 2015 at 01:52 PM
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016 - Dec 21, 2015 at 06:37 PM
Hello, I recently downloaded malware/adware from piratebay and my anti-virus detected harmful objects which seemed to lead to a suspicious folder called "SmartComp Safe Network". I did some research on this suspicious folder and it seems that other people are having problems deleting this same folder/malware. There was some suggestions on how to fix it but they were all too confusing for someone who's not good with this kind of stuff. With the malware in my computer, I've been getting ads from "GetPrivate" on everything I click and big bolded blue words on websites on google chrome. I've been able to remove it temporarily with malwarebytes but after a day or two it comes back.
Related:

11 responses

Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Nov 27, 2015 at 04:57 PM
Hello again,

This is a dandy. If you really give a virustotal scan to everything you download and install, it surely did not work for you. There are 50 malware infecting your computer as well as 14 useless files.

Shall we get rid of them? I assume your answer is yes.

Here is what I wish you do. If I ask you to delete some programs files, don't be alarmed as they really do contain malware.

Step one:

Through the add/remove program utility, remove the following:

Skillbrains

Step two

1. Close all applications

2. Go to this URL

https://nicolascoolman.eu

and download zhpfix

3. Select and copy the following bold lines:

(For any other user reading this thread, the following lines cannot be used by you, they are customized for Ezpz)

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
O42 - Logiciel: Lightshot-5.3.0.0 - (.Skillbrains.) [HKLM][64Bits] -- {30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
HKLM\SOFTWARE\Wow6432Node\NpApp
HKLM\SOFTWARE\Wow6432Node\SecureWeb
HKLM\SOFTWARE\Wow6432Node\SecureWebChannel
HKLM\SOFTWARE\Wow6432Node\Skillbrains
HKLM\SOFTWARE\Wow6432Node\Systweak
HKLM\SOFTWARE\Wow6432Node\YourFileDownloader
HKCU\SOFTWARE\Skillbrains
O23 - Service: Privoxy (PrivoxyService) (PrivoxyService) . (...) - C:\Program Files (x86)\SmartComp Safe Network\privoxy.exe (.not file.)
[MD5.59F07211D52D191E465A2915EF448E0D] [APT] [Better Installer] (...) -- C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe [495616]
[MD5.70D6EA378844CC762C57FA4B8AC63764] [APT] [update-S-1-5-21-863551351-428171438-3677390635-1004] (.Copyright 2009.) -- C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [105728]
[MD5.70D6EA378844CC762C57FA4B8AC63764] [APT] [update-sys] (.Copyright 2009.) -- C:\Program Files (x86)\Skillbrains\Updater\Updater.exe [105728]
O39 - APT: update-S-1-5-21-863551351-428171438-3677390635-1004 - (.Copyright 2009.) -- C:\WINDOWS\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004.job [408]
O39 - APT: update-sys - (.Copyright 2009.) -- C:\WINDOWS\Tasks\update-sys.job [408]
O39 - APT: Better Installer - (...) -- C:\WINDOWS\System32\Tasks\Better Installer [3430]
O39 - APT: update-S-1-5-21-863551351-428171438-3677390635-1004 - (.Copyright 2009.) -- C:\WINDOWS\System32\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004 [3394]
O39 - APT: update-sys - (.Copyright 2009.) -- C:\WINDOWS\System32\Tasks\update-sys [3388]
[MD5.0B42873501A576FF6CDE35EA69EE930A] - (.Skillbrains - Lightshot.) -- C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe [477184] [PID.3996]
3 - CFD: 12/01/2015 - [0] D -- C:\Program Files (x86)\download Manager
3 - CFD: 14/03/2015 - [] D -- C:\Program Files (x86)\Skillbrains
3 - CFD: 10/08/2014 - [0] D -- C:\Program Files (x86)\TowerTilt
3 - CFD: 20/11/2015 - [] D -- C:\Users\Bears\AppData\Roaming\Better Installer
3 - CFD: 31/01/2015 - [0] D -- C:\Users\Bears\AppData\Roaming\IHlpr
3 - CFD: 13/01/2015 - [] D -- C:\Users\Bears\AppData\Roaming\SoftwareUpdater
O45 - LFCP:[MD5.1B53EA087318112317CEB4BD8B24DC64] 20/11/2015 A -- C:\WINDOWS\Prefetch\BETTER INSTALLER.EXE-096AC1ED.pf
O45 - LFCP:[MD5.72B0018C7106214CEA435A83D3761750] 26/11/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
O61 - LFC: 2015/11/20 17:37:57 A . (..) -- C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe [495616]
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{30A5B3C9-2084-4063-A32A-628A98DE512B}_is1
HKLM\SYSTEM\CurrentControlSet\Services\PrivoxyService
C:\Users\Bears\AppData\Roaming\Better Installer\Better Installer.exe
C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
C:\WINDOWS\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004.job
C:\WINDOWS\Tasks\update-sys.job
C:\WINDOWS\System32\Tasks\Better Installer
C:\WINDOWS\System32\Tasks\update-S-1-5-21-863551351-428171438-3677390635-1004
C:\WINDOWS\System32\Tasks\update-sys
C:\Program Files (x86)\Skillbrains\lightshot\5.3.0.0\Lightshot.exe
C:\Program Files (x86)\Skillbrains
C:\Program Files (x86)\TowerTilt
C:\Users\Bears\AppData\Roaming\Better Installer
C:\Users\Bears\AppData\Roaming\IHlpr
C:\WINDOWS\Prefetch\BETTER INSTALLER.EXE-096AC1ED.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf

P2 - EXT FILE: (...) -- C:\Users\Bears\AppData\Roaming\Mozilla\Firefox\Profiles\7udurnxy.default\searchplugins\avg-secure-search.xml
O42 - Logiciel: Akamai NetSession Interface - (.Akamai Technologies, Inc.) [HKCU][64Bits] -- Akamai
HKCU\SOFTWARE\Akamai
[MD5.F2AD1B265908797F8A5E21E0312F2F25] - (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe [4691384] [PID.1892] ©
[MD5.F2AD1B265908797F8A5E21E0312F2F25] - (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe [4691384] [PID.10052] ©
O4 - HKCU\..\Run: [Akamai NetSession Interface] . (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe ©
O4 - HKUS\S-1-5-21-863551351-428171438-3677390635-1004\..\Run: [Akamai NetSession Interface] . (.Akamai Technologies, Inc. - Akamai NetSession Client.) -- C:\Users\Bears\AppData\Local\Akamai\netsession_win.exe ©
O43 - CFD: 26/09/2015 - [0] D -- C:\ProgramData\Reprise
O43 - CFD: 14/11/2015 - [] D -- C:\Users\Bears\AppData\Local\Akamai
O87 - FAEL: "UDP Query User{527DD5B6-1909-4540-8296-DA363FA9041C}C:\games\counter-strike global offensive\csgo.exe" [In-None-P17-TRUE] .(...) -- C:\games\counter-strike global offensive\csgo.exe (.not file.)
O87 - FAEL: "TCP Query User{E91211BC-87F5-4084-A72D-E56460E940B7}C:\games\counter-strike global offensive\csgo.exe" [In-None-P6-TRUE] .(...) -- C:\games\counter-strike global offensive\csgo.exe (.not file.)
O87 - FAEL: "{4A93956D-7C85-40A0-A101-CE4F9D282F5E}" [In-None-P6-TRUE] .(...) -- C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "{1DA55B90-969F-49AA-9D39-C35C40D7A07A}" [In-None-P17-TRUE] .(...) -- C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "UDP Query User{ED0760EB-A3B9-4104-829D-66C50FCFF4A8}C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe" [In-None-P17-TRUE] .(...) -- C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)
O87 - FAEL: "TCP Query User{1FB8229F-67CD-4261-AD9E-EDF540CBFA3F}C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe" [In-None-P6-TRUE] .(...) -- C:\riot games\league of legends\rads\projects\lol_patcher\releases\0.0.0.14\deploy\lolpatcherux.exe (.not file.)


4. Launch ZHP Fix and click on "Import" the lines you copied will get pasted.

5. Click on Go. A report will be generated which you can post here.

Good luck and let me know
2
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 27, 2015 at 06:02 PM
By the add/remove program utility, do you mean remove the program in Programs and Features or do you mean remove the file "Skillbrains" in Program Files(x86)?
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 27, 2015 at 06:12 PM
Programs and Features ! Yes ! If you have Win 10, click left on it to highlight and choose uninstall and click right. Your machine will already feel some stomach relief.
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 27, 2015 at 06:28 PM
I do not see a "Skillbrains" program in Program and Features, unless you're referring to the program "Lightshot - 5.3.0.0" by the publisher "Skillbrains".
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 28, 2015 at 05:41 AM
Okay, go ahead with ZHP Fix
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 28, 2015 at 03:28 PM
Okay, here's the report log:
http://speedy.sh/TKJzG/ZHPFixReport.txt
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Nov 26, 2015 at 04:17 PM
To help you and prescribe the remedy, I must make a diagnostic and to do so, I require a report.

1. Open this link and download ZHPDiag3 :
https://nicolascoolman.eu
(Don't be alarmed is the site is in French, it sometimes happens, the tool will take your system language and allow the download if you get a warning message, ignore it.) Click on the download button

2. Save the file on your Desktop.

3. Double click on ZHPDiag.exe and follow the installation instructions.

(For Vista, Win 7 and 8 users, click right to ensure you execute with admin right)

4. Double click on the short cut ZHPDiag on your Destktop.

5. Click on Full.

Wait for the tool to finished (maybe a long time)

6. Close ZHPDiag.

7. To transmit the report, click on this link :

https://authentification.site

8. Search the directory where you installed ZHPDiag (usually C:\desktop\zhpdiag.txt).
9. Copy the url link obtained from Speedyshare and paste it here in your reply.

Ambucias
Moderator and Virus/Security Contributor
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 26, 2015 at 06:57 PM
Hi, I downloaded ZHPDiag3.exe from the link you provided, and I scanned the file on virustotal like I do with every file/program I download on the internet. And I noticed that it detected 5/55. Should I ignore that and install or is it something I need to worry about?
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 27, 2015 at 04:19 AM
ZHP Diag, I use all the time and also hundreds of v/s experts, it's 100% safe.

Please, follow exactly the instructions I have given you about ZHP Diag.
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 27, 2015 at 03:11 PM
Here is the zhpdiag.txt link:
http://speedy.sh/BJBy5/ZHPDiag.txt
At the moment, the virus has not downloaded back onto my computer.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 27, 2015 at 04:13 PM
Thanks for the log

The is the potential for it to return.

I will get to you with the medicinal compound very soon, just stand-by.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Nov 28, 2015 at 04:46 PM
On ZHP Fix, After "go" did you validate the message asking you to confirm the removal or clean up?

If not, please repeat the ZHP Fix
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 28, 2015 at 05:43 PM
It did ask me to confirm the uninstall of lightshot and Akamai NetSession Interface but I don't think I remember it asking me to confirm the removal.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 28, 2015 at 05:53 PM
Please repeat ZHP Fix and, after go, confirm everything that ZHP Fix asks for

Thank you
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 28, 2015 at 05:56 PM
Okay, I remembered that I did confirm the removal but I did repeat the ZHP Fix anyways.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 29, 2015 at 04:55 AM
can I see the report ?
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 29, 2015 at 12:18 PM
http://speedy.sh/cUpFT/ZHPFix-R2.txt
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Nov 29, 2015 at 04:36 PM
Hello and thank you for the report!

Everything looks honky dory and your system is as clean as a whistle.

Your antivirus is Kaspersky, along with F-Secure they are the most efficient on the market but no antivirus is 100% safe. In my opinion, most of the 50 malware on your computer came from torrent sites: uTorrent, Pando, Bit Torrent and Bears. Those p2p sites most often hide malware and there are the best mode for pirates, hackers and other malicious people to infect computers. If you invite them in, Kaspersky will not protest because you are the boss.

I suggest that your remove Malwarebyte so that it does not come in conflict with Kaspersky. You can always get it back if necessary.

These two keys, if you wish can also be deleted:

HKLM\SOFTWARE\Wow6432Node\McAfee
HKCU\SOFTWARE\McAfee


It was a pleasure helping you.
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 29, 2015 at 05:30 PM
Hello, I greatly appreciate your time and effort to help me get rid of this darn malware! My PC is as clean as ever. And I surely will be more careful on those torrent sites and watching what I download. Anyway, thanks for the help and making this a smooth experience!
0

Didn't find the answer you are looking for?

Ask a question
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Nov 30, 2015 at 08:22 PM
Hello again, the GetPrivate virus has downloaded back to my computer, if you wouldn't mind, could you help me get rid of it so that it doesn't come back?

Thanks,
Ezpz
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 1, 2015 at 04:34 AM
Hello EZ

With pleasure. Please, another ZHP Diag report. Thanks
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 1, 2015 at 08:32 PM
I temporarily removed it with malwarebytes but here's the log:
http://speedy.sh/tpK73/ZHPDiag.txt
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 2, 2015 at 05:04 AM
Hello

Well, you did get infected again.

This time, we will go in what I believe to be the sources in an easy 1, 2, 3. 4

ONE

1. Open Internet Explorer

2. Click on the gear box.

3. Click on "Manage add-on and then on "Toolbars and extensions"

4. Look for and delete all suspicious extensions. (may say "not verified)

5. Close IE.

TWO

1. Open Firefox

2. Click the menu by click on the 3 horizontal lines, top right corner.

3. Click on the puzzle piece icon and then on plug-ins

4. Look for and delete all suspicious plug-in

Important note: If you still get problems with GetPlus after the above steps, you will need to reset both browsers' to default setting.

THREE

1. Open the add/remove program utility and delete

Download Manager

FOUR

1. We will repeat our ZHP Fix trick

Here are the bold lines:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
HKLM\SOFTWARE\Wow6432Node\SecureWebChannel
3 - CFD: 12/01/2015 - [0] D -- C:\Program Files (x86)\download Manager
3 - CFD: 13/01/2015 - [] D -- C:\Users\Bears\AppData\Roaming\SoftwareUpdater
O45 - LFCP:[MD5.E8D56F120C5EFF515F03CF3FE165FD1E] 30/11/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf


Let me know
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 3, 2015 at 09:13 PM
I do not see a "Download Manager" program in the add/remove program utility.
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 3, 2015 at 09:18 PM
Here's the log:
http://speedy.sh/RW5TH/ZHPFix-R3.txt
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 4, 2015 at 05:06 AM
Please download, install and run Adwcleaner

https://ccm.net/downloads/security-and-maintenance/6911-adwcleaner/
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 4, 2015 at 10:56 PM
I installed it.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 5, 2015 at 04:41 AM
Did you run a scan with it?
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 5, 2015 at 04:03 PM
Here's the log:
http://speedy.sh/7uY4k/AdwCleaner-C1.txt
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 5, 2015 at 04:21 PM
Those were the adware viruses I was talking about as browser extensions.

Chrome did not show on your ZHP Diag log!!!

Folder Deleted : C:\Program Files (x86)\download Manager
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\gngocbkfmikdgphklgmmehbjjlfgdemm
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\madakpajlmcpaodhfbekojajlhbdklol
[-] Folder Deleted : C:\Users\Bears\AppData\Local\Google\Chrome\User Data\Default\Extensions\lhoahihokddepjlegpenefeaahdkojog
Folder Deleted : C:\Users\Bears\AppData\Roaming\SoftwareUpdater

Could you please check in your Chrome extensions to see if:

lhoahihokddepjlegpenefeaahdkojog
madakpajlmcpaodhfbekojajlhbdklol
gngocbkfmikdgphklgmmehbjjlfgdemm

Are still there; if they are, we may need to remove them manually.

Did you find that the virus returned after you launched Chrome?

Take care
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 5, 2015 at 04:44 PM
I do not see those extensions in there, and at the moment, the virus has not returned after I launched chrome.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 5, 2015 at 04:49 PM
Did you, in the past, find that the virus returned after you launched Chrome?

Out of curiosity, can you tell me what is this C:\Users\Bears\AppData\Roaming\SoftwareUpdater

Thanks
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 5, 2015 at 05:02 PM
Yes, It has returned before, after I launched chrome, and I'm not too sure what "SoftwareUpdater" is for but I've seen it. And about "download manager", I downloaded that when I was trying to download something a long time ago because I thought it would help me download faster.
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 5, 2015 at 05:16 PM
Okay, I believe we have resolved the problem.

It's getting ever popular for many to include adware or spyware in the sofware package. Recently, in case of browser applications, they are added to the browser extensions.

Should this occur to you again, first start to disinfect with adwcleaner, it is much more efficient than malwarebyte in the case of adware and spyware where you get pop-ups or browser redirecting.

Take care in Dixieland VA.
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 6, 2015 at 05:45 PM
Thanks a lot for helping me solve this problem. But I have a question, how would I uninstall software updater and download manager if I would want to uninstall them since they don't clearly show up as programs in Programs and Features?
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164 > Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 6, 2015 at 05:57 PM
You are most welcome.

They were deleted by adwcleaner. Othewise, you would have to follow the paths
C:\Program Files (x86)\download Manager
C:\Users\Bears\AppData\Roaming\SoftwareUpdater
and delete them, like any other file.

Then I would CCleaner to see if they are still in the registry and delete also from there.
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 14, 2015 at 08:37 PM
Hello again,

The the virus has come back and I followed your instructions to disinfect it with adwcleaner. However, today it came back once I opened chrome, and after I disinfected it again with adwcleaner, I checked my extensions folder for chrome and I didn't find those three extensions you mentioned about. Could it be other extensions that's making it come back after a couple of days?
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 15, 2015 at 06:45 AM
Hi,

Yes it could very well be those extensions.
Why don't you remove Chrome completely, you can always get a fresh copy.

Care to upload another ZHP Diag log, just in case something else got infected?
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 21, 2015 at 03:49 PM
Sorry for the late reply, I've been busy. Anyways, I've reinstalled google chrome and ran zhp so here's the log:
http://speedy.sh/B2Pe5/ZHPDiag.txt
0
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 11,164
Dec 21, 2015 at 04:39 PM
Hi

Every time I analyse one of your reports I find new malware.

Where did you get this one?

PRIVOXY.EXE

It's a proxy hyjacker.

If you see it in your Chrome extensions, remove it.

Run ZHP Fix with this script:

Script ZHPFix
FirewallRaz
EmptyPrefetch
EmptyTemp
EmptyFlash
R5 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8118
O45 - LFCP:[MD5.1A5C72CAB3A96378BAAA227801876896] 14/12/2015 A -- C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
C:\WINDOWS\Prefetch\PRIVOXY.EXE-34E51078.pf
0
Ezpz Posts 35 Registration date Wednesday November 25, 2015 Status Member Last seen August 15, 2016
Dec 21, 2015 at 06:37 PM
I checked my chrome extensions but I don't know which extensions to look for? I can list what extensions I currently have:
aapocclcgogkmnckokdopfmhonfmgoek
aohghmighlieiainnegkcijnfilokake
apdfllckaahabafndbhieahigkjlhalf
blpcfgokakmgnkcojhhkbfbldkacnbeo
cmeakgjggjdlcpncigglobpjbkabhmjl
coobgpohoikkiipiblmjeljniedjpjpf
eahebamiopdhefndnmappcihfajigkka
felcaaldnbdncclmgdcncolpebgiejap
ghbmnnjooekpmoecnnnilnnbdlolhkhi
nmmhkkegccagdldgiimedpiccmgmieda
pjkljhegncpnkpknbcohdijeoejaedia
0