Help with getting CouponDropDown would be very much appreciated, I have upgraded from avast free to regular and also used AdwCleaner without success. Right now it is slowing down my laptop to almost useless…
Logs to assist in cleaning malware https://forum.avast.com/index.php?topic=53253.0
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 23.02.2015
Scan Time: 16:29:57
Logfile:
Administrator: Yes
Version: 2.00.4.1028
Malware Database: v2015.02.23.04
Rootkit Database: v2015.02.22.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows 8.1
CPU: x64
File System: NTFS
User: Thor-Erik
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 343497
Time Elapsed: 36 min, 6 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 2
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, 3040, , [3449111098f2c86e6b3cfe8c11f2a858]
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, 1980, , [3449111098f2c86e6b3cfe8c11f2a858]
Modules: 1
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, , [3449111098f2c86e6b3cfe8c11f2a858],
Registry Keys: 12
PUP.Optional.SearchApp.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\{c0caa5fe-7c9c-4dca-a265-63cf55379d1a}, , [c4b96eb3aae0122459d2cd7e699a619f],
PUP.Optional.SearchApp.A, HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{C0CAA5FE-7C9C-4DCA-A265-63CF55379D1A}, , [c4b96eb3aae0122459d2cd7e699a619f],
PUP.Optional.SearchApp.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{C0CAA5FE-7C9C-4DCA-A265-63CF55379D1A}, , [c4b96eb3aae0122459d2cd7e699a619f],
PUP.Optional.DataMangr.A, HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\${dtUserElevationPolicyID}, , [aad332ef09811b1b5071f623c73e42be],
PUP.Optional.DataMangr.A, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\${dtUserElevationPolicyID}, , [f08d76ab8ffb14223e83c95039cc50b0],
PUP.Optional.MoviesToolBar.A, HKU\S-1-5-21-556125026-1604319141-179401904-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\ilividbandoomoviestoolbar, , [7c0176ab9befb680e22a08db36cd29d7],
PUP.Optional.Bandoo.A, HKU\S-1-5-21-556125026-1604319141-179401904-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\APPDATALOW\SOFTWARE\ilividbandoomoviestoolbar, , [4439839e0783ac8a724c7f9a55b0a060],
PUP.Optional.SecureWeb.A, HKLM\SOFTWARE\CLASSES\TYPELIB\{2F137995-4D26-44AD-9C4E-91055090A817}, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, HKLM\SOFTWARE\CLASSES\INTERFACE\{A1E7709A-3AFB-49B8-8719-CCBF3F73CCB1}, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{A1E7709A-3AFB-49B8-8719-CCBF3F73CCB1}, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{2F137995-4D26-44AD-9C4E-91055090A817}, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\PrivoxyService, , [3449111098f2c86e6b3cfe8c11f2a858],
Registry Values: 1
PUM.Bad.Proxy, HKU\S-1-5-21-556125026-1604319141-179401904-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS|ProxyServer, 127.0.0.1:8118, , [e499a0814d3dea4cbcc7bef9a55eea16]
Registry Data: 0
(No malicious items detected)
Folders: 8
PUP.Optional.Datamngr.A, C:\ProgramData\Datamngr, , [2e4ff62b1c6ee056cc688578996b17e9],
PUP.Optional.MindSpark.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\Allin1Convert_8h, , [d7a620011e6c9c9a14d4ed7708fb0bf5],
PUP.Optional.MindSpark.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\InternetSpeedTracker_9t, , [d3aaad741b6fea4ce11381e3a26143bd],
PUP.Optional.MindSpark.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\FileShareFanatic_8l, , [9fdeae7325656ec86ec22944f80ba35d],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\search, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\ilividbandoomoviestoolbar, , [c8b5c958bdcdd1654005d2a6d62d9d63],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web, , [3449111098f2c86e6b3cfe8c11f2a858],
Files: 39
PUP.Optional.Bandoo, C:\Users\Thor-Erik\Downloads\iLividSetup-r120-n-bf(1).exe, , [bcc1a879107a53e3eb8b1121ed14718f],
PUP.Optional.Bandoo, C:\Users\Thor-Erik\Downloads\iLividSetup-r120-n-bf.exe, , [abd21d046c1e280e12644ae856ab8779],
PUP.Optional.Bandoo, C:\Users\Thor-Erik\Downloads\iLividSetup-r394-n-bf(1).exe, , [79047fa25f2b91a596e0fb37d928619f],
PUP.Optional.Bandoo, C:\Users\Thor-Erik\Downloads\iLividSetup-r394-n-bf.exe, , [027b4cd596f4be78175f2e0491709e62],
PUP.Optional.SecureWeb.A, C:\Windows\System32\Tasks\Jelbrus Secure Web Task, , [512c170adcae142202986a3821e2f808],
PUP.Optional.Datamngr.A, C:\ProgramData\Datamngr\coordinator.cfg, , [2e4ff62b1c6ee056cc688578996b17e9],
PUP.Optional.Datamngr.A, C:\ProgramData\Datamngr\general.cfg, , [2e4ff62b1c6ee056cc688578996b17e9],
PUP.Optional.Datamngr.A, C:\ProgramData\Datamngr\S-1-5-21-556125026-1604319141-179401904-1001.cfg, , [2e4ff62b1c6ee056cc688578996b17e9],
PUP.Optional.MindSpark.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\Allin1Convert_8h\9D892A89-4E4A-41BF-9AD7-FCF50B182DFC.sqlite, , [d7a620011e6c9c9a14d4ed7708fb0bf5],
PUP.Optional.MindSpark.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\InternetSpeedTracker_9t\2C2AC8BE-24E2-482C-81C0-A9BE39BE82CB.sqlite, , [d3aaad741b6fea4ce11381e3a26143bd],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\apnuserid.dat, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\appid.dat, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\dtx.ini, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\geodata.xml, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\guid.dat, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\log.txt, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\preferences.dat, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\sysid.dat, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\trackid.dat, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\LocalLow\ilividbandoomoviestoolbar\search\ilividbandoomoviestoolbar-search-history.xml, , [d5a8f52cf595d660cd74a9cf5ba8bd43],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\ilividbandoomoviestoolbar\apnuserid.dat, , [c8b5c958bdcdd1654005d2a6d62d9d63],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\ilividbandoomoviestoolbar\appid.dat, , [c8b5c958bdcdd1654005d2a6d62d9d63],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\ilividbandoomoviestoolbar\geodata.xml, , [c8b5c958bdcdd1654005d2a6d62d9d63],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\ilividbandoomoviestoolbar\guid.dat, , [c8b5c958bdcdd1654005d2a6d62d9d63],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\ilividbandoomoviestoolbar\setupCfg.xml, , [c8b5c958bdcdd1654005d2a6d62d9d63],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\ilividbandoomoviestoolbar\sysid.dat, , [c8b5c958bdcdd1654005d2a6d62d9d63],
PUP.Optional.Bandoo.A, C:\Users\Thor-Erik\AppData\Roaming\Mozilla\Firefox\Profiles\7u2azuj2.default\ilividbandoomoviestoolbar\trackid.dat, , [c8b5c958bdcdd1654005d2a6d62d9d63],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\config.txt, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\default.action, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\default.filter, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\jsie.dll, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\jswchromium.exe, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\jswchromium64.exe, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\jsweb64.dll, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\jswff.exe, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\jswtask.exe, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\mgwz.dll, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\privoxy.exe, , [3449111098f2c86e6b3cfe8c11f2a858],
PUP.Optional.SecureWeb.A, C:\Program Files (x86)\Jelbrus Secure Web\privoxy.log, , [3449111098f2c86e6b3cfe8c11f2a858],
Physical Sectors: 0
(No malicious items detected)
(end)
Sorry for the copy-paste, but I have issues with a lot of links, including the Farbar one. When I try to access it I am being redirected to some coupon place… I really hope you can help me.
You mean you are not able to download FRST?
Found a way around the coupon links and have attached the logs.
Good lad ;D, now wait for essexboy.
Thanks. I am probably a better psychologist than IT expert.
Were you able to run AdwCleaner?
CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.
Open Notepad and copy/paste the text in the quotebox below into it:
CreateRestorePoint:
ProxyEnable: [S-1-5-21-556125026-1604319141-179401904-1001] => Internet Explorer proxy is enabled.
ProxyEnable: [S-1-5-21-556125026-1604319141-179401904-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0] => Internet Explorer proxy is enabled.
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Search Page = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = 0x00
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL = 0x00
HKU\S-1-5-21-556125026-1604319141-179401904-1001\Software\Microsoft\Internet Explorer\Main,Start Page = 0x00
HKU\S-1-5-21-556125026-1604319141-179401904-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Main,Start Page = 0x00
SearchScopes: HKU\S-1-5-19-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-21-556125026-1604319141-179401904-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0 -> {D47700B2-868B-4E64-8896-7F576F01C405} URL = 
R2 Live Malware Protection; C:\WINDOWS\mlwps.exe [239104 2015-02-17] (AV Security Software) [File not signed]
2015-02-23 08:11 - 2015-02-17 08:11 - 00851968 _____ () C:\Users\Thor-Erik\AppData\Roaming\trzD8C1.tmp
2015-02-17 08:11 - 2015-02-17 08:11 - 00851968 _____ () C:\Users\Thor-Erik\AppData\Roaming\31DE.tmp.exe
2015-02-17 08:11 - 2015-02-17 08:11 - 00239104 _____ (AV Security Software) C:\WINDOWS\mlwps.exe
2015-02-17 08:11 - 2015-02-17 08:11 - 00000000 _____ () C:\Users\Thor-Erik\AppData\Roaming\31DE.tmp
2015-02-15 12:40 - 2015-02-15 12:40 - 00000000 __HDC () C:\ProgramData\{7417E72F-E156-403E-9DFA-EB0ED1DB06F1}
2015-02-14 11:47 - 2015-02-14 11:48 - 00000000 ____D () C:\Users\Thor-Erik\AppData\Roaming\skyz
Task: {8A21E8BA-AF25-4E18-AADC-0BDE3D5545F7} - \Jelbrus Secure Web Task No Task File <==== ATTENTION
C:\Program Files (x86)\Jelbrus Secure Web
EmptyTemp:
CMD: bitsadmin /reset /allusers
Save this as fixlist.txt, in the same location as FRST.exe
https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG
Run FRST and press Fix
On completion a log will be generated please post that
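The Malwarebytes log in the first post and the fixlist above name the same handful of indicators: a per-user proxy pointing at 127.0.0.1:8118 (Privoxy's default listening port, so every page the browser loads goes through the adware's rewriting proxy), the PrivoxyService service, the "Jelbrus Secure Web Task" scheduled task and program folder, the unsigned "Live Malware Protection" service running C:\WINDOWS\mlwps.exe, and Internet Explorer ElevationPolicy entries that tell Protected Mode which programs an add-on may launch at medium integrity (Policy=3 means silently). The script below is an added example, not part of this thread nor of FRST or Malwarebytes: it checks each of those read-only, so it can be run before the fix to confirm the picture and after it to confirm removal. Paths and GUIDs are copied from the posted logs; the one assumption is that the `skyz` folder is looked for under the current user's %APPDATA%, since the log showed it under the poster's own profile.

```powershell
# Added example, not from the thread: read-only triage for the indicators named in the
# posted Malwarebytes log and FRST fixlist. Run as Administrator on the affected machine.
# Nothing is removed; the output is a list of what is still present.

$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Per-user WinINet proxy. PUM.Bad.Proxy flagged ProxyServer=127.0.0.1:8118, which is
#    Privoxy's default port: the browser hands every request to the adware's proxy.
$userKeys = Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' }
foreach ($k in $userKeys) {
    $inet = Get-ItemProperty -LiteralPath "Registry::HKEY_USERS\$($k.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    if ($inet.ProxyEnable -eq 1 -or $inet.ProxyServer) {
        $findings.Add("proxy   : $($k.PSChildName) ProxyEnable=$($inet.ProxyEnable) ProxyServer=$($inet.ProxyServer)")
    }
}

# 2. Whatever is listening on the loopback proxy port right now.
Get-NetTCPConnection -LocalPort 8118 -State Listen | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess
    $findings.Add("listener: $($_.LocalAddress):8118 pid=$($_.OwningProcess) $($p.ProcessName) $($p.Path)")
}

# 3. Services from the logs: PrivoxyService (Jelbrus) and the unsigned 'Live Malware
#    Protection' service that FRST showed running C:\WINDOWS\mlwps.exe.
foreach ($name in 'PrivoxyService', 'Live Malware Protection') {
    Get-CimInstance Win32_Service -Filter "Name='$name' OR DisplayName='$name'" | ForEach-Object {
        $findings.Add("service : $($_.Name) state=$($_.State) path=$($_.PathName)")
    }
}

# 4. Persistence and on-disk artefacts. The skyz folder was under the poster's own
#    profile, so the current user's %APPDATA% is assumed here.
Get-ScheduledTask -TaskName 'Jelbrus Secure Web Task' | ForEach-Object {
    $findings.Add("task    : $($_.TaskName) state=$($_.State)")
}
foreach ($path in 'C:\Program Files (x86)\Jelbrus Secure Web', 'C:\ProgramData\Datamngr',
                  'C:\Windows\mlwps.exe', (Join-Path $env:APPDATA 'skyz')) {
    if (Test-Path -LiteralPath $path) { $findings.Add("path    : $path") }
}

# 5. IE Protected Mode elevation policy: an entry lets a program launched by an add-on
#    run at medium integrity (Policy=3: silently). Both key names from the MBAM log are
#    checked, including the literal '${dtUserElevationPolicyID}' one; single quotes keep
#    PowerShell from expanding it.
$roots = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy'
foreach ($root in $roots) {
    foreach ($sub in '{c0caa5fe-7c9c-4dca-a265-63cf55379d1a}', '${dtUserElevationPolicyID}') {
        $key = Join-Path $root $sub
        if (Test-Path -LiteralPath $key) {
            $e = Get-ItemProperty -LiteralPath $key
            $findings.Add("elevpol : $key AppName=$($e.AppName) AppPath=$($e.AppPath) Policy=$($e.Policy)")
        }
    }
}

# 6. Anything still running from the adware folder, with its Authenticode status.
Get-Process | Where-Object { $_.Path -like 'C:\Program Files (x86)\Jelbrus Secure Web\*' } | ForEach-Object {
    $findings.Add("process : $($_.Path) signature=$((Get-AuthenticodeSignature $_.Path).Status)")
}

if ($findings.Count -eq 0) { 'None of the logged indicators are present.' } else { $findings }
```

Run it from an elevated PowerShell (Get-NetTCPConnection and Get-ScheduledTask need Windows 8 or later, which matches the Windows 8.1 in the log). An empty result after the FRST fix, followed by a reboot, is the check that the proxy value was not simply re-set by a surviving task or service.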
Ok, here it is (I hope)
Btw, yes, I could run AdwCleaner and it found some stuff, which I quarantined, but the problem is still there…
Does this appear in all browsers?
Could you run a fresh FRST scan please
Ok, will do when I get home from work.
The main problem is with Firefox; with Explorer the ads and the links do not appear in the same way, but it is really slow to load pages, like Firefox. I don't have Chrome on this laptop.
OK, nothing apparent, so we will now reset Firefox.
1. Click the menu button and then click Help.
2. From the Help menu choose Troubleshooting Information. …
3. Click the Reset Firefox… button in the upper-right corner of the Troubleshooting Information page.
4. To continue, click Reset Firefox in the confirmation window that opens.
Hmmm… I only got a Refresh button. I have tried it (twice) and the problem is still here.
Could you screenshot the ads please
I uninstalled Firefox and reinstalled it again; it seems like the ads have finally disappeared!
I guess we posted at the same time, and I don't have them anymore after uninstalling Firefox, but lots of words got changed to bold letters with a link to CouponDropDown at the bottom of the picture (when I was hovering my pointer over it). The bigger ads (with pictures covering a significant portion of any webpage) had options of hiding them for a couple of hours to 24 hours.
I am not sure how I got infected, but my daughter uses this laptop to play Minecraft on it and had downloaded a mod when I was not at home.
There are some adwares that actually change parts of Firefox's legitimate files; Chrome suffers from adware changing it to a developer build. All these are to see if they can get around the analysis tools used to root them out.
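One way to look for the kind of tampering described above, as an added PowerShell example that is not part of this thread: it lists Firefox binaries whose Authenticode signature is missing or fails (a signed file edited after signing reports HashMismatch, a dropped-in file reports NotSigned), summarises which publishers signed the rest, and shows the two configuration hooks adware uses to re-apply a hijack without touching binaries at all: an autoconfig pointer (`general.config.filename`) in `defaults\pref`, and a `user.js` in the profile, which Firefox re-applies on every start. The install and profile locations are the Windows defaults and are assumptions; a hit is something to inspect, not proof of infection.

```powershell
# Added example, not from the thread: read-only check of a Firefox install for
# modified or foreign binaries and for the config hooks adware uses to persist.
# Default install and profile locations are assumed.

$ErrorActionPreference = 'SilentlyContinue'
$dirs = @("$env:ProgramFiles\Mozilla Firefox", "${env:ProgramFiles(x86)}\Mozilla Firefox") |
    Where-Object { Test-Path -LiteralPath $_ }

foreach ($dir in $dirs) {
    "== $dir"
    $sigs = Get-ChildItem -LiteralPath $dir -Recurse -Include *.exe, *.dll | ForEach-Object {
        $s = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File     = $_.FullName
            Status   = $s.Status            # Valid, NotSigned, HashMismatch, ...
            Signer   = $(if ($s.SignerCertificate) { $s.SignerCertificate.Subject } else { '(none)' })
            Modified = $_.LastWriteTime
        }
    }

    # A file edited after signing fails the hash check; a file dropped in by an
    # installer usually carries no signature at all.
    "-- binaries without a valid signature"
    $sigs | Where-Object { $_.Status -ne 'Valid' } | Format-Table Status, Modified, File -AutoSize

    # Publishers of the rest: Mozilla, plus Microsoft for runtime DLLs, is the expected set.
    "-- signers of the valid ones"
    $sigs | Where-Object { $_.Status -eq 'Valid' } | Group-Object Signer | Select-Object Count, Name

    # Autoconfig hook: this pref makes Firefox execute a .cfg script at startup.
    "-- autoconfig pointers in defaults\pref"
    Get-ChildItem -LiteralPath (Join-Path $dir 'defaults\pref') -Filter *.js |
        Select-String -Pattern 'general\.config\.filename'
}

# user.js is re-applied on every start; adware uses it to pin a proxy, homepage or
# search engine so that changing the setting in the UI does not stick.
Get-ChildItem -LiteralPath "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory | ForEach-Object {
    $u = Join-Path $_.FullName 'user.js'
    if (Test-Path -LiteralPath $u) {
        "-- user.js in profile $($_.Name)"
        Select-String -LiteralPath $u -Pattern 'network\.proxy|browser\.startup\.homepage|browser\.search|keyword\.URL'
    }
}
```

The signature check is what a reinstall fixes by replacing the files; the two config hooks sit outside the install directory or survive an in-place upgrade, which is why a "refresh" that keeps the profile can leave a hijack in place while a full uninstall and reinstall clears it.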
Any further problems before I tidy up?
Nope, it seems like everything is ok now. Thanks for helping out