
New tabs opening Primeslots.com and static.webimpresion.com

  • 25-03-2014 7:44pm
    Registered Users Posts: 116 ✭✭


    I use Chrome, and recently I have noticed that if I leave my laptop idle for a while a new tab will open with either primeslots.com or static.webimpresion.com. Both are flagged as phishing sites by Chrome.

    I have searched for how to remove it, but the sites I found with details of web extensions to look for have failed, as none of the extensions listed appear in my extensions, so that route is failing.

    Plenty of other sites offer removal tools, but I am sceptical of installing any of them in case they are hoax tools and infect me worse!!

    So if anyone has any helpful info on removing this malware, I'd be grateful if you could share it!! BTW, I use ESET anti-virus, but it does not detect it.


Comments

  • Moderators, Home & Garden Moderators, Technology & Internet Moderators Posts: 24,789 Mod ✭✭✭✭KoolKid


    Moved from Info Sec.


  • Registered Users Posts: 840 ✭✭✭jsa112


    Download OTL to your Desktop.
    • Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
    • Click the Quick Scan button. Do not change any settings. The scan won't take long.
    • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files here.


  • Registered Users Posts: 116 ✭✭JimFin


    Thanks JSA for any help you can give. I have attached the two files.


  • Registered Users Posts: 840 ✭✭✭jsa112


    Don't attach the logs; it's easier if you post them for me.

    Open OTL and copy this into the box:


    :OTL
    IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dnldmsd&cd=2XzuyEtN2Y1L1Qzu0FtDyB0B0C0ByE0AyEtBtBzz0FzyzzyCtN0D0Tzu0CyCtDyDtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=640394618&ir=
    IE:64bit: - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1Qzu0FtDyB0B0C0ByE0AyEtBtBzz0FzyzzyCtN0D0Tzu0CyCtDyDtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=640394618&ir=
    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.mysearchdial.com/?f=1&a=dnldmsd&cd=2XzuyEtN2Y1L1Qzu0FtDyB0B0C0ByE0AyEtBtBzz0FzyzzyCtN0D0Tzu0CyCtDyDtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=640394618&ir=
    IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1Qzu0FtDyB0B0C0ByE0AyEtBtBzz0FzyzzyCtN0D0Tzu0CyCtDyDtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=640394618&ir=
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://start.mysearchdial.com/results.php?f=4&q={searchTerms}&a=dnldmsd&cd=2XzuyEtN2Y1L1Qzu0FtDyB0B0C0ByE0AyEtBtBzz0FzyzzyCtN0D0Tzu0CyCtDyDtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=640394618&ir=
    IE - HKCU\..\SearchScopes\{FD0916A5-C1D6-4841-BF56-03937D5F750F}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3275663&CUI=UN11615326762723122&UM=1
    O33 - MountPoints2\{e978cedf-6994-11e2-884b-705ab6cbf2ac}\Shell - "" = AutoRun
    O33 - MountPoints2\{e978cedf-6994-11e2-884b-705ab6cbf2ac}\Shell\AutoRun\command - "" = E:\SafeStick.exe
    O33 - MountPoints2\E\Shell - "" = AutoRun
    O33 - MountPoints2\E\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
    O33 - MountPoints2\F\Shell - "" = AutoRun
    O33 - MountPoints2\F\Shell\AutoRun\command - "" = F:\LaunchU3.exe -a
    [2013/08/27 18:26:04 | 000,423,709 | ---- | C] () -- C:\Users\Enda\AppData\Local\mysearchdial_speedial_v9.0.2.crx
    [2013/08/27 18:26:09 | 000,000,000 | ---D | M] -- C:\Users\Enda\AppData\Roaming\mysearchdial
    [2014/03/17 12:09:00 | 000,000,288 | ---- | M] () -- C:\Windows\tasks\MySearchDial.job

    :Commands
    [PURITY]
    [EMPTYTEMP]
    [EMPTYFLASH]
    [RESETHOSTS]
    [EMPTYJAVA]
    [CREATERESTOREPOINT]
    [Reboot]
    :Files
    ipconfig /flushdns /c


    Click Run Fix and post the log it gives.


    Then run AdwCleaner and post the log it gives:

    www.bleepingcomputer.com/download/adwcleaner/

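The OTL script above targets a specific set of persistence points: the IE start page and SearchScopes values (per machine, in the 32-bit view, and per user), MountPoints2 AutoRun handlers for removable drives, a sideloaded Chrome .crx and a scheduled-task .job file. The PowerShell below is an added example, not part of jsa112's instructions or of OTL, that reads those same locations on a live system so you can check for hijacker URLs before a fix and confirm they are gone after it. The list of suspect domains is built from the URLs in this thread and is an assumption about what counts as suspicious; extend it for your own case. Run it from an elevated PowerShell prompt.

```powershell
# Added example: audit the browser and autorun persistence points the OTL fix above targets.
# Domain list is taken from the URLs posted in this thread (assumption: treat these as hijacker domains).
$SuspectDomains = @('mysearchdial.com', 'conduit.com', 'primeslots.com', 'webimpresion.com')

function Test-SuspectUrl {
    param([string]$Url)
    if ([string]::IsNullOrWhiteSpace($Url)) { return $false }
    foreach ($d in $SuspectDomains) {
        if ($Url -match [regex]::Escape($d)) { return $true }
    }
    return $false
}

$findings = @()

# 1. IE start page: native 64-bit view, 32-bit (Wow6432Node) view, and the current user.
$mainKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main'
)
foreach ($k in $mainKeys) {
    if (-not (Test-Path $k)) { continue }
    $sp = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Start Page'
    if (Test-SuspectUrl $sp) {
        $findings += [pscustomobject]@{ Type = 'IE Start Page'; Location = $k; Value = $sp }
    }
}

# 2. IE search scopes: each GUID subkey carries a URL value with {searchTerms} in it.
$scopeRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
)
foreach ($root in $scopeRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($scope in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $url = (Get-ItemProperty -Path $scope.PSPath -ErrorAction SilentlyContinue).URL
        if (Test-SuspectUrl $url) {
            $findings += [pscustomobject]@{ Type = 'IE SearchScope'; Location = $scope.PSPath; Value = $url }
        }
    }
}

# 3. MountPoints2 AutoRun handlers: list every drive/GUID that has a Shell\AutoRun\command and review by hand.
$mp = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
if (Test-Path $mp) {
    foreach ($mount in (Get-ChildItem -Path $mp -ErrorAction SilentlyContinue)) {
        $cmdKey = "$($mount.PSPath)\Shell\AutoRun\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            $findings += [pscustomobject]@{ Type = 'MountPoints2 AutoRun'; Location = $cmdKey; Value = $cmd }
        }
    }
}

# 4. Chrome extensions registered for installation through the registry (path to a .crx or an update_url).
$extRoots = @(
    'HKLM:\SOFTWARE\Google\Chrome\Extensions',
    'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions',
    'HKCU:\SOFTWARE\Google\Chrome\Extensions'
)
foreach ($root in $extRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($ext in (Get-ChildItem -Path $root -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -Path $ext.PSPath -ErrorAction SilentlyContinue
        $findings += [pscustomobject]@{ Type = 'Chrome ext (registry)'; Location = $ext.PSChildName; Value = ($p.path, $p.update_url -join ' ') }
    }
}

# 5. Legacy scheduled-task .job files, which is where MySearchDial.job and Dealply.job lived.
foreach ($job in (Get-ChildItem -Path "$env:windir\Tasks" -Filter '*.job' -ErrorAction SilentlyContinue)) {
    $findings += [pscustomobject]@{ Type = 'Scheduled task (.job)'; Location = $job.FullName; Value = $job.LastWriteTime }
}

$findings | Format-Table -AutoSize -Wrap
```

Only the IE entries are filtered by domain; MountPoints2, Chrome extension registrations and .job files are listed in full because a legitimate entry (a vendor USB launcher, an extension you installed) looks the same as a hijacker's, and you want to see both. Run it once before the fix to save a baseline and again after the reboot; anything from the baseline that is still present was not removed.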

  • Registered Users Posts: 116 ✭✭JimFin


    Thanks again for your help. Logs:

    All processes killed
    ========== OTL ==========
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
    64bit-Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page| /E : value set successfully!
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{FD0916A5-C1D6-4841-BF56-03937D5F750F}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{FD0916A5-C1D6-4841-BF56-03937D5F750F}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e978cedf-6994-11e2-884b-705ab6cbf2ac}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e978cedf-6994-11e2-884b-705ab6cbf2ac}\ not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e978cedf-6994-11e2-884b-705ab6cbf2ac}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{e978cedf-6994-11e2-884b-705ab6cbf2ac}\ not found.
    File E:\SafeStick.exe not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E\ not found.
    File E:\LaunchU3.exe -a not found.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ deleted successfully.
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F\ not found.
    File F:\LaunchU3.exe -a not found.
    C:\Users\Enda\AppData\Local\mysearchdial_speedial_v9.0.2.crx moved successfully.
    C:\Users\Enda\AppData\Roaming\mysearchdial\UpdateProc folder moved successfully.
    C:\Users\Enda\AppData\Roaming\mysearchdial\icons_2.2.4.731 folder moved successfully.
    C:\Users\Enda\AppData\Roaming\mysearchdial folder moved successfully.
    C:\Windows\Tasks\MySearchDial.job moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator

    User: All Users

    User: Classic .NET AppPool
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: DefaultAppPool
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Enda
    ->Temp folder emptied: 1855700568 bytes
    ->Temporary Internet Files folder emptied: 1259685354 bytes
    ->Google Chrome cache emptied: 431059747 bytes
    ->Flash cache emptied: 96420 bytes

    User: Public

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32 (64bit) .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 768047679 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 45310 bytes
    %systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 78039 bytes
    RecycleBin emptied: 3969 bytes

    Total Files Cleaned = 4,115.00 mb


    [EMPTYFLASH]

    User: Administrator

    User: All Users

    User: Classic .NET AppPool

    User: Default

    User: Default User

    User: DefaultAppPool

    User: Enda
    ->Flash cache emptied: 0 bytes

    User: Public

    Total Flash Files Cleaned = 0.00 mb

    C:\Windows\System32\drivers\etc\Hosts moved successfully.
    HOSTS file reset successfully

    [EMPTYJAVA]

    User: Administrator

    User: All Users

    User: Classic .NET AppPool

    User: Default

    User: Default User

    User: DefaultAppPool

    User: Enda

    User: Public

    Total Java Files Cleaned = 0.00 mb

    Restore point Set: OTL Restore Point
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Enda\Desktop\cmd.bat deleted successfully.
    C:\Users\Enda\Desktop\cmd.txt deleted successfully.

    OTL by OldTimer - Version 3.2.69.0 log created on 03262014_191418

    Files\Folders moved on Reboot...
    C:\Users\Enda\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.
    C:\Users\Enda\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat moved successfully.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...

    # AdwCleaner v3.022 - Report created 26/03/2014 at 19:28:43
    # Updated 13/03/2014 by Xplode
    # Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
    # Username : Enda - ENDA-PC
    # Running from : C:\Users\Enda\Downloads\AdwCleaner.exe
    # Option : Scan

    ***** [ Services ] *****

    Service Found : WajamUpdater

    ***** [ Files / Folders ] *****

    File Found : C:\Windows\System32\Tasks\Dealply
    File Found : C:\Windows\System32\Tasks\MySearchDial
    File Found : C:\Windows\Tasks\Dealply.job
    Folder Found C:\Program Files (x86)\BitLord 2
    Folder Found C:\Program Files (x86)\Conduit
    Folder Found C:\Program Files (x86)\DealPly
    Folder Found C:\Program Files (x86)\DealPlyLive
    Folder Found C:\Program Files (x86)\MyPC Backup
    Folder Found C:\ProgramData\Ask
    Folder Found C:\ProgramData\DealPlyLive
    Folder Found C:\Users\Enda\AppData\Local\apn
    Folder Found C:\Users\Enda\AppData\Local\Conduit
    Folder Found C:\Users\Enda\AppData\Local\DealPlyLive
    Folder Found C:\Users\Enda\AppData\Local\torch
    Folder Found C:\Users\Enda\AppData\LocalLow\boost_interprocess
    Folder Found C:\Users\Enda\AppData\LocalLow\Conduit
    Folder Found C:\Users\Enda\AppData\LocalLow\PriceGong
    Folder Found C:\Users\Enda\AppData\Roaming\BitLord
    Folder Found C:\Users\Enda\AppData\Roaming\DealPly
    Folder Found C:\Users\Enda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BitLord
    Folder Found C:\Users\Enda\AppData\Roaming\OpenCandy
    Folder Found C:\Users\Enda\Documents\BitLord

    ***** [ Shortcuts ] *****


    ***** [ Registry ] *****

    Key Found : HKCU\Software\APN PIP
    Key Found : HKCU\Software\AppDataLow\Software\Conduit
    Key Found : HKCU\Software\AppDataLow\Software\ConduitSearchScopes
    Key Found : HKCU\Software\AppDataLow\Software\PriceGong
    Key Found : HKCU\Software\AppDataLow\Software\SmartBar
    Key Found : HKCU\Software\Conduit
    Key Found : HKCU\Software\DealPlyLive
    Key Found : HKCU\Software\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff
    Key Found : HKCU\Software\InstallCore
    Key Found : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\wajam.com
    Key Found : HKCU\Software\mysearchdial
    Key Found : HKCU\Software\torch
    Key Found : HKCU\Software\Wajam
    Key Found : [x64] HKCU\Software\APN PIP
    Key Found : [x64] HKCU\Software\Conduit
    Key Found : [x64] HKCU\Software\DealPlyLive
    Key Found : [x64] HKCU\Software\InstallCore
    Key Found : [x64] HKCU\Software\mysearchdial
    Key Found : [x64] HKCU\Software\torch
    Key Found : [x64] HKCU\Software\Wajam
    Key Found : HKLM\SOFTWARE\Classes\AppID\{0A18A436-2A7A-49F3-A488-30538A2F6323}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
    Key Found : HKLM\SOFTWARE\Classes\AppID\{CA5CAA63-B27C-4963-9BEC-CB16A36D56F8}
    Key Found : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{1AA60054-57D9-4F99-9A55-D0FBFBE7ECD3}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
    Key Found : HKLM\SOFTWARE\Classes\CLSID\{D40753C7-8A59-4C1F-BE88-C300F4624D5B}
    Key Found : HKLM\SOFTWARE\Classes\esrv.mysearchdialesrvc
    Key Found : HKLM\SOFTWARE\Classes\esrv.mysearchdialesrvc.1
    Key Found : HKLM\SOFTWARE\Classes\Toolbar.CT3275663
    Key Found : HKLM\SOFTWARE\Classes\TypeLib\{C292AD0A-C11F-479B-B8DB-743E72D283B0}
    Key Found : HKLM\Software\Conduit
    Key Found : HKLM\Software\DealPlyLive
    Key Found : HKLM\SOFTWARE\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff
    Key Found : HKLM\Software\InstallCore
    Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{219046AE-358F-4CF1-B1FD-2B4DE83642A8}
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apnstub_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASAPI32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\apntoolbarinstaller_RASMANCS
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasapi32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\askpartnercobrandingtool_rasmancs
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasapi32
    Key Found : HKLM\SOFTWARE\Microsoft\Tracing\au__rasmancs
    Key Found : HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dealplylive.exe
    Key Found : HKLM\Software\PIP
    Key Found : HKLM\Software\torch
    Key Found : HKLM\Software\Wajam
    Key Found : [x64] HKLM\SOFTWARE\DivX\Install\Setup\WizardLayout\ConduitToolbar
    Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff

    ***** [ Browsers ] *****

    -\\ Internet Explorer v11.0.9600.16521

    Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs] - hxxp://start.mysearchdial.com/?f=2&a=dnldmsd&cd=2XzuyEtN2Y1L1Qzu0FtDyB0B0C0ByE0AyEtBtBzz0FzyzzyCtN0D0Tzu0CyCtDyDtN1L2XzutBtFtBtFyEtFyBtAtCtN1L1Czu1Q1G1I1Q1H1B1Q&cr=640394618&ir=

    -\\ Google Chrome v33.0.1750.154

    [ File : C:\Users\Enda\AppData\Local\Google\Chrome\User Data\Default\preferences ]


    *************************

    AdwCleaner[R0].txt - [5084 octets] - [26/03/2014 19:28:43]

    ########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [5144 octets] ##########

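The AdwCleaner report above is a flat list of "Found" lines grouped into sections. As an added example, not part of AdwCleaner, OTL or jsa112's instructions, the PowerShell below parses a report of that shape into objects and then re-checks each service, file, folder and registry key on the live system, so that after the delete run and reboot you can confirm nothing listed is still there. The embedded sample is a constructed excerpt of the report in this thread; read your real AdwCleaner[R0].txt with Get-Content instead. It assumes AdwCleaner's "[x64]" tag marks keys read through the 64-bit registry view; because the untagged HKLM\SOFTWARE keys may then sit under Wow6432Node when viewed from a 64-bit PowerShell, both views are checked.

```powershell
# Added example: parse an AdwCleaner scan report and verify each item is gone after cleanup.
# The sample below is a constructed excerpt of the report posted in this thread.
$SampleReport = @'
# AdwCleaner v3.022 - Report created 26/03/2014 at 19:28:43
***** [ Services ] *****

Service Found : WajamUpdater

***** [ Files / Folders ] *****

File Found : C:\Windows\Tasks\Dealply.job
Folder Found C:\Program Files (x86)\Conduit
Folder Found C:\Users\Enda\AppData\Roaming\OpenCandy

***** [ Registry ] *****

Key Found : HKCU\Software\Conduit
Key Found : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\pflphaooapbgpeakohlggbpidpppgdff

***** [ Browsers ] *****

Setting Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURls [Tabs] - hxxp://start.mysearchdial.com/?f=2
'@

function ConvertFrom-AdwCleanerReport {
    param([string[]]$Lines)
    $section = ''
    foreach ($line in $Lines) {
        $line = $line.Trim()
        if ($line -match '^\*{5} \[ (.+?) \] \*{5}$') { $section = $Matches[1]; continue }
        # "Folder Found C:\..." has no colon, the other kinds do; accept both.
        if ($line -match '^(Service|File|Folder|Key|Setting) Found\s*:?\s*(.+)$') {
            $kind   = $Matches[1]
            $target = $Matches[2].Trim()
            $x64    = $false
            if ($target -match '^\[x64\]\s*') { $x64 = $true; $target = $target -replace '^\[x64\]\s*', '' }
            [pscustomobject]@{ Section = $section; Kind = $kind; X64View = $x64; Target = $target }
        }
    }
}

function Test-AdwCleanerItem {
    param($Item)
    switch ($Item.Kind) {
        'Service' { return [bool](Get-Service -Name $Item.Target -ErrorAction SilentlyContinue) }
        'File'    { return Test-Path -LiteralPath $Item.Target -PathType Leaf }
        'Folder'  { return Test-Path -LiteralPath $Item.Target -PathType Container }
        'Key'     {
            # Report keys use HKCU\ and HKLM\ prefixes; the registry provider wants HKCU:\ and HKLM:\.
            $native = $Item.Target -replace '^(HKCU|HKLM)\\', '$1:\'
            if ($native -eq $Item.Target) { return $null }   # other hives: not mapped here
            $paths = @($native)
            # HKLM\SOFTWARE keys can live in either the 64-bit or the Wow6432Node view; check both.
            if ($native -match '^HKLM:\\SOFTWARE\\(?!Wow6432Node)') {
                $paths += $native -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\'
            }
            foreach ($p in $paths) { if (Test-Path -LiteralPath $p) { return $true } }
            return $false
        }
        default   { return $null }   # 'Setting' lines carry a value, not a path; review by hand
    }
}

$items   = @(ConvertFrom-AdwCleanerReport -Lines ($SampleReport -split "`r?`n"))
$results = foreach ($item in $items) {
    $item | Add-Member -MemberType NoteProperty -Name StillPresent -Value (Test-AdwCleanerItem $item) -PassThru
}
$results | Format-Table Section, Kind, X64View, Target, StillPresent -AutoSize -Wrap
```

A row with StillPresent = True after the delete run means AdwCleaner did not remove it or something recreated it (a scheduled task or updater service that is still running will do exactly that); a blank StillPresent marks a Setting line, which holds a URL rather than a path and has to be checked by opening the named key.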

  • Registered Users Posts: 840 ✭✭✭jsa112


    Have AdwCleaner delete what it found, reboot, and tell me how it's running.


  • Registered Users Posts: 116 ✭✭JimFin


    Done all you suggested and so far so good. Left the laptop idle for a while and no random tabs opened. Thanks a mil for all your help, greatly appreciated.

