Author Topic: Vista opening Firefox goes to PuP! Help remove! http://src-click-download.xyz


Offline keny

Vista, when opening, Firefox goes to one of a number of different sites automatically: http://src-click-download.xyz (or) .sce-clicksoft.pw (or) http://src-click-download.xyz (or) sce-clicksoft.pw/UX
Seems to slow the complete system down. Ran Tweaking twice but no help. I think it is a PUP.
How do I fix this problem?
Thanks in advance
Kenny

email address removed for privacy
« Last Edit: November 25, 2016, 12:51:07 am by Boggin »

Offline Boggin

Download AdwCleaner which is a program specifically designed to deal with PuPs.

https://www.malwarebytes.com/adwcleaner/

Click on Scan; when complete, it may list in a lower pane some items it considers adware.

Uncheck any you want to keep then click on Logfile which will show you what else it has found and will delete when you close the log and hit Clean.

It will produce a final report of what it has removed after the reboot.

Offline keny

Thanks Boggin, will try your suggestion now. Thanks for the fast reply!

Offline keny

Hi Boggin. Ran AdwCleaner, found 199 threats, and removed all; after reboot... no help for my problem. Ran AdwCleaner again and found no problem, but still no help with my problem. Tried to post the log file, but it would not cut and paste into the post! Thanks, Kenny

Offline Willy2


Offline keny

Hi Willy2. The JRT ran OK and found some items and deleted them. Yet the problem my computer has is still there. Log file here:

unkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.9 (09.30.2016)
Operating System: Windows Vista (TM) Home Premium x86
Ran by Dick (Administrator) on Thu 11/24/2016 at 21:22:51.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File System: 18
Successfully deleted: C:\Program Files\mozilla firefox\defaults\pref\itms.js (File)
Successfully deleted: C:\ProgramData\esellerate (Folder)
Successfully deleted: C:\Windows\System32\Tasks\DriverNavigator Scheduled Scan (Task)
Successfully deleted: C:\Windows\Tasks\DriverNavigator Scheduled Scan.job (Task)
Successfully deleted: C:\Users\Dick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04IZ3MGL (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Dick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\081SE7VK (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Dick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6RPQOF4R (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Dick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CDHQ8XD (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Dick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I09MULM4 (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Dick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IJP2VYCB (Temporary Internet Files Folder)
Successfully deleted: C:\Users\Dick\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W6W4169K (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\04IZ3MGL (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\081SE7VK (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6RPQOF4R (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9CDHQ8XD (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I09MULM4 (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IJP2VYCB (Temporary Internet Files Folder)
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W6W4169K (Temporary Internet Files Folder)
Registry: 2
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Main\\SearchAssistant (Registry Value)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\Search\\SearchAssistant (Registry Value)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/24/2016 at 21:26:10.31
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Offline satrow

The final step, once any malware/adware/redirects have been removed, is to Reset Firefox (and/or any other browser installed that has the same issue): https://malwaretips.com/blogs/reset-firefox-settings/

Offline Still_Game

Kenny - I would advise you to go to your initial post and edit it to remove your email address. Otherwise, bots will harvest your address and you're likely to receive quantities of spam, possibly including malware that could add to your problems.
 
Iain

ThinkPad T450s W10 Pro x64
Windows Defender, Malwarebytes Premium
Macrium Reflect 7 Home, Tweaking WRAIO Pro

Offline Willy2

- Sometimes one can, at this stage, simply manually change the startup page.

Offline Boggin

I had removed your email address before I first responded, but with it being late, I'd forgotten to Save.

As an additional check for malware, run the free version of MBAM and then reset the Hosts file to default.

https://www.malwarebytes.com/mwb-download/

MS used to have a Fixit for this, but it has been withdrawn like a lot of support, so you now have to do this manually.

Even though any malware has been removed, it can leave entries in the Hosts file which will continue to plague.

https://www.malwarebytes.com/mwb-download/

Offline keny

Tried manually changing the startup page, no help! Will try Malwarebytes now. Thanks everyone for the help!

Offline keny

Hi Everyone, I ran Malwarebytes and it found 33 PUPs, then deleted them. Malwarebytes said it made a log file, but I cannot find it. Very slow reboot. After reboot, I then ran SuperAntiSpyware, found two threats and removed them, listed here:

.happy-good-click.pw [ C:\USERS\DICK\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\YMBDLBON.DEFAULT-480038213834\COOKIES.SQLITE ]
.sce-clicksoft.pw [ C:\USERS\DICK\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\YMBDLBON.DEFAULT-1480038213834\COOKIES.SQLITE ]

Things are different now! These two, .happy-good-click.pw and .sce-clicksoft.pw, are the same threats Firefox was launching to,
but now Firefox launches to: file:///C:/PROGRA~1/MOZILL~1/ - a long list of files. Is this OK? Any suggestions?

Offline keny

Hi Everyone, I did a Refresh on Firefox and now Firefox launches to its normal home page. Still reboots very slowly, and DeskGram for loading photos from a PC to Instagram does not work now. Is there an easy-to-use program for Firefox to load photos and video to Instagram that is free? DeskGram has a monthly charge. And Malwarebytes seems to have removed uBlock. Should I reinstall it?
Thanks for all the help. The computer is much better now. Kenny

Offline Boggin

You can reinstall uBlock but I don't know anything about loading photos.

See what a Google search brings up for a free program.

Offline keny

Problem again. When opening Firefox it goes to: file:///C:/PROGRA~1/MOZILL~1/ Looks like a Firefox refresh only worked the one time. Any suggestions? Thanks again! Kenny

Offline Boggin

Going back through the thread, it looks like I doubled up with the MBAM link instead of the one for resetting the Hosts file.

Run another scan with MBAM and then follow this tutorial to see if that resolves - https://support.microsoft.com/en-gb/kb/972034

Offline keny

OK, thanks, will try MBAM again now! Kenny

Offline keny

Hi Boggin, I ran MBAM again and found no threats. Followed the instructions for the Hosts file. Still no help; Firefox launches to file:///C:/PROGRA~1/MOZILL~1/ Thanks, any additional suggestions? Kenny

Offline Boggin


Offline satrow

Are you running Firefox from a shortcut? If so, please use Explorer (or the command line/Run box) to start it directly: C:\Program Files (x86)\Mozilla Firefox\Firefox.exe or C:\Program Files\Mozilla Firefox\Firefox.exe.

It's looking like *something* did an incomplete job in cleaning up (MBAM or SAS?). Were both of these updated before running them?

Can you export and attach the MBam logs for us to check:


Offline Boggin

The default for MBAM is now to treat PuPs and PuMs as malware, and MBAM auto-updates on installation - but I agree, something still seems to be in there.

Offline keny

"Can you export and attach the MBam logs for us to check:" MBAM was a new download. SAS has been updated; should I delete it and do a new download? MBAM says it makes a log file, but I cannot find it. Can you tell me where it would be? I'll try Firefox from the command line now. Let you know. Thanks again, Kenny

Offline satrow

The image in my previous message should enable you to access the MBam logs.

Offline keny

Success, Firefox runs correctly from the command line. I deleted the shortcut, did a refresh on Firefox, then created a new shortcut. It works correctly. I did not try running Firefox from Safe Mode. Still cannot find the MBAM log files. Thanks for all the help! Kenny (Satrow, I will try to look at the log files and get you a copy)

Offline keny

Scan Date: 11/25/2016
Scan Time: 8:33:33 AM
Logfile: mbamlogNov25.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.11.25.09
Rootkit Database: v2016.11.20.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows Vista Service Pack 2
CPU: x86
File System: NTFS
User: Dick

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 382024
Time Elapsed: 23 min, 34 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 5
PUP.Optional.SpyHunter, HKLM\SOFTWARE\ENIGMASOFTWAREGROUP\SpyHunter, Quarantined, [83fa388c4456241210f90a9e35ce639d],
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{482A80B4-9475-40D2-B8F1-E90418B51C89}, Quarantined, [ef8e09bbff9bbc7aecf75f612ad844bc],
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{8E7CBE45-08DD-4D0D-9FB0-0EE1C0239023}, Quarantined, [49346b597a2010269152f1cf659d29d7],
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{98C7B90B-AEB2-45E1-8576-4440792C1216}, Quarantined, [fd80655f445688aede05437d907209f7],
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGIGUARD, Quarantined, [502deed682183afc2585b7f01de637c9],

Registry Values: 4
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{482A80B4-9475-40D2-B8F1-E90418B51C89}|AppPath, C:\PROGRA~1\WI371A~1\Datamngr\ToolBar, Quarantined, [ef8e09bbff9bbc7aecf75f612ad844bc]
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{8E7CBE45-08DD-4D0D-9FB0-0EE1C0239023}|AppPath, C:\PROGRA~1\WI371A~1\Datamngr\ToolBar, Quarantined, [49346b597a2010269152f1cf659d29d7]
PUP.Optional.Bandoo.AppFlsh, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{98C7B90B-AEB2-45E1-8576-4440792C1216}|AppPath, C:\PROGRA~1\SEARCH~1\Datamngr\ToolBar, Quarantined, [fd80655f445688aede05437d907209f7]
PUP.Optional.SpyHunter, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\ESGIGUARD|ImagePath, \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys, Quarantined, [502deed682183afc2585b7f01de637c9]

Registry Data: 0
(No malicious items detected)

Folders: 3
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Data, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],

Files: 21
PUP.Optional.APNToolBar, C:\Users\Dick\AppData\Local\Downloaded Installations\{0710724E-1A91-4F52-ACCA-1B2BB24A0590}\The Weather Channel App.msi, Quarantined, [66170bb98515a096d4c08048ac54f30d],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\INSTALL.LOG, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\cos.dat, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\gil.dat, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\safeol.dat, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\scanlog.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\supportlog.txt, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\unkcache.dat, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Data\dns.dat, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120321_174627.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120322_082738.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120330_141117.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120406_094628.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120411_033926.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120415_183034.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120430_090126.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120512_033942.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120607_140656.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20120611_094658.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.SpyHunter, C:\Program Files\Enigma Software Group\SpyHunter\Log\SpyHunter4_20140226_191150.log, Quarantined, [5e1f289c97030a2cb0f6594e9b6816ea],
PUP.Optional.BrowserHijack.ShrtCln, C:\Program Files\Mozilla Firefox\firefox.bat, Good: (), Bad: (http://1.loadblanks.ru/c/0d3963b9394e4bc5?"), Replaced,[ee8f774d4b4fb3833ffc85bb05fe21df]
Physical Sectors: 0
(No malicious items detected)
(end)
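The MBAM log's last entry (PUP.Optional.BrowserHijack.ShrtCln on firefox.bat) explains why every scan "cleaned" the machine yet Firefox kept opening the wrong page: the launcher, not the browser, was hijacked, which is what satrow's "run firefox.exe directly" test exposed. The script below is an added example, not code from the thread or from any of the tools named in it; it audits Firefox shortcuts the way satrow did by hand and lists hosts-file entries beyond the defaults, as in Boggin's KB972034 step. It assumes Firefox is installed in one of the two paths satrow listed.

```powershell
# Added example (not from the thread): flag Firefox shortcuts whose target is not
# firefox.exe (e.g. a firefox.bat wrapper) or that carry a URL/file:// argument,
# then list hosts entries other than the localhost defaults.
# Assumption: Firefox lives in one of the two install paths below.
$ExpectedTargets = @(
    'C:\Program Files\Mozilla Firefox\firefox.exe',
    'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
)

# Places a hijacker rewrites shortcuts: user/public desktop, start menus, quick launch.
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu",
    "$env:ProgramData\Microsoft\Windows\Start Menu",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
)

function Test-FirefoxShortcut {
    param([string]$LnkPath)
    $shell  = New-Object -ComObject WScript.Shell
    $lnk    = $shell.CreateShortcut($LnkPath)
    $issues = @()
    # 1. The target must be the real firefox.exe, not a .bat/.cmd/.vbs wrapper.
    if ($ExpectedTargets -notcontains $lnk.TargetPath) {
        $issues += "target is '$($lnk.TargetPath)'"
    }
    # 2. A clean Firefox shortcut carries no arguments; a URL or file:// path
    #    in here is how the startup redirect in this thread was injected.
    if ($lnk.Arguments -match '(?i)(https?:|file:|\.pw\b|\.xyz\b)') {
        $issues += "arguments are '$($lnk.Arguments)'"
    }
    [PSCustomObject]@{ Shortcut = $LnkPath; Issues = ($issues -join '; ') }
}

function Get-NonDefaultHostsEntries {
    # Boggin's hosts-file step: anything beyond the localhost lines deserves a look.
    Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\b' }
}

'== Firefox shortcuts with an unexpected target or arguments =='
$ShortcutDirs | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-ChildItem -Path $_ -Filter *.lnk -Recurse -ErrorAction SilentlyContinue } |
    Where-Object { $_.BaseName -match '(?i)firefox' } |
    ForEach-Object { Test-FirefoxShortcut $_.FullName } |
    Where-Object { $_.Issues } |
    Format-Table -AutoSize

'== Hosts entries other than the localhost defaults =='
Get-NonDefaultHostsEntries
```

A flagged shortcut should be deleted and recreated from firefox.exe itself, as Kenny eventually did; a browser refresh alone leaves the rewritten .lnk in place, which is why the redirect came back.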