BuyNSave Keeps Coming Back

11/29/2014
BuyNSavekeepscomingback.MalwareRemovalHelpMalwarebytesForum
MalwarebytesForum MalwareRemovalSupport MalwareRemovalHelp
BuyNSavekeepscomingback.
Startedbyexor15,Nov24201407:53PM
Posted24November201407:53PM
exor15
IhaveadwareonmycomputercalledBuyNSave.I'vetrieddeletingtheextensioninmybrowsers,uninstallingthe
programincontrolpanel,deletingthehiddensystemfiles,endingallrelatedprogramsandprocesseswithtask
manager,deletingrelatedfilesintheregistryandIranadwarecleanerandMalwarebytesandBuyNSaveisstillonmy
system.Anytips?
exor15
AttachedherearethefilesfromFarbarRecoveryScanTool.
AttachedFiles
(https://forums.malwarebytes.org/index.php?app=core&module=attach&section=attach&attach_id=155992)
Addition.txt(https://forums.malwarebytes.org/index.php?
app=core&module=attach&section=attach&attach_id=155992)35.74KB39downloads
FRST.txt(https://forums.malwarebytes.org/index.php?
Posted25November201402:17AM
TwinHeadedEagle
Hello,
TheycallmeTwinHeadedEaglearoundhere,andI'llbeworkingwithyou.
Beforewestartpleasereadandnotethefollowing:
Limityourinternetaccesstopostinghere,someinfectionsjustwaittostealtypedinpasswords.
Pleasebepatient.IknowitisfrustratingwhenyourPCisn'tworkingproperly,butmalwareremovaltakes
time.
Don'trunanyscriptsortoolsonyourown,unsupervisedusagemaycausemoreharmthangood.
Donotpastethelogsinyourposts,attachmentsmakemyworkeasier.ThereisaMorereplyoptionsbutton,
thatgivesyouUploadFilesoptionbelowwhichyoucanusetoattachyourreports.Alwaysattachreports
fromalltools.
Alwaysexecutemyinstructionsingivenorder.Ifforsomereasonyoucannotcompletelyfollowone
instruction,informmeaboutthat.
Staywithmetotheend,theabsenceofsymptomsdoesn'tmeanthatyourmachineisfullyoperational.
Notethatwemayliveintotallydifferenttimezones,whatmaycausesomedelaysbetweenanswers.
DonotaskforhelpforyourbusinessPC.Companiesaremakingrevenueviacomputers,soitisgoodthingto
paysomeonetorepairit.
IfIdon'thearfromyouwithin3daysfromthisinitialoranysubsequentpost,thenthisthreadwillbeclosed.
Ican'tforeseeeverything,soifanythingunexpectedhappens,pleasestopandinformme!
Therearenosillyquestions.Neverbeafraidtoaskifindoubt!
https://forums.malwarebytes.org/index.php?/topic/161404buynsavekeepscomingback/
1/7
11/29/2014
Rulesandpolicies
Wewon'tsupportanypiracy.
Thatbeingtold,ifanyevidenceofillegalOS,software,cracks/keygensoranyotherwillberevealed,anyfurther
assistancewillbesuspended.Ifyouareawarethatthereisthiskindofstuffonyourmachine,removeitbefore
proceeding!
ThesameappliestoanyuseofP2Psoftware:uTorrent,BitTorrent,Vuze,Kazaa,Ares...Wedon'tprovideanyhelp
forP2P,exceptfortheirremoval.AllP2Psoftwarehastobeuninstalledoratleastfullydisabledbeforeproceeding!
Failuretofollowtheseguidelineswillresultwithclosingyourtopicandwithdrawningany
assistance.
ScanwithZOEK
PleasedownloadZOEK(http://hijackthis.nl/smeenk/)bySmeenkandsaveittoyourdesktop(preferredversionis
the*.exeone)
TemporarydisableyourAntiVirusandAntiSpywareprotectioninstructionshere
(http://www.bleepingcomputer.com/forums/topic114351.html).
createsrpoint
autoclean
emptyalltemp
ipconfig/flushdnsb
Rightclickon
iconandselect RunasAdministratortostartthetool.
Waitpatientlyuntilthemainconsolewillappear,itmaytakeaminuteortwo.
Inthemainboxpleasepasteinthefollowingscript:
MakesurethatScanAllUsersoptionischecked.
PushRunScriptandwaitpatiently.Thescanmaytakeacoupleofminutes.
Whenthescancompletes,azoekresultslogfileshouldopeninnotepad.
Ifarebootisneeded,itwillbeopenedafterit.Youmayalsofinditatyourmaindrive(usuallyC:\drive)
Postitscontentintoyournextreply.
Posted25November201411:25AM
exor15
HereisthecontentsoftheZoekresultsfile:
Zoek.exev5.0.0.0Updated24112014
ToolrunbyBradleyonTue11/25/2014at9:59:01.36.
MicrosoftWindows8.16.3.9600x64
Runningin:NormalModeInternetAccessDetected
Launched:C:\Users\Bradley.Steve\Desktop\zoek.exe[Scanallusers][Scriptinserted]
====SystemRestoreInfo======================
11/25/201410:01:33AMZoek.exeSystemRestorePointCreatedSuccesfully.
====EmptyFoldersCheck======================
C:\PROGRA~2\AGEIATechnologiesdeletedsuccessfully
C:\ProgramFiles\Symantecdeletedsuccessfully
C:\PROGRA~3\Validitydeletedsuccessfully
C:\Users\Bradley.Steve\AppData\Roaming\UpdaterEXdeletedsuccessfully
C:\Users\Bradley.Steve\AppData\Local\Conduitdeletedsuccessfully
C:\Users\Bradley.Steve\AppData\Local\CREdeletedsuccessfully
====DeletingCLSIDRegistryKeys======================
2/7
11/29/2014
====DeletingCLSIDRegistryValues======================
====DeletingServices======================
====BatchCommand(s)RunByTool======================
====DeletingFiles\Folders======================
C:\PROGRA~3\anedobhlebhmncaighndllippdfnfnffdeleted
C:\Users\Bradley.Steve\AppData\LocalLow\Conduitdeleted
C:\PROGRA~2\Wondersharedeleted
C:\PROGRA~2\COMMON~1\Wondersharedeleted
C:\Users\Bradley.Steve\AppData\Roaming\WB.CFGdeleted
C:\PROGRA~3\PackageCachedeleted
C:\Users\Bradley.Steve\AppData\Local\Astromendadeleted
C:\Users\Bradley.Steve\AppData\Local\Wondersharedeleted
C:\ProgramData\Microsoft\Windows\StartMenu\Programs\ShoppingandServicesdeleted
C:\ProgramData\Microsoft\Windows\StartMenu\Programs\Wondersharedeleted
C:\ProgramData\Microsoft\Windows\StartMenu\Programs\Search.lnkdeleted
C:\ProgramData\Microsoft\Windows\StartMenu\Programs\Startup\McAfeeSecurityScanPlus.lnkdeleted
C:\WINDOWS\SysNative\config\systemprofile\Searchesdeleted
C:\windows\SysNative\GroupPolicy\Userdeleted
C:\WINDOWS\Syswow64\GroupPolicy\gpt.inideleted
====FirefoxExtensionsRegistry======================
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"{2D3F365174B94795BDEC6DA2F431CB62}"="C:\ProgramData\Norton\{0C55C0960F1D4F28AAA2
85EF591126E7}\NIS_20.0.0.136\coFFPlgn"[11/24/201403:00PM]
====FakeChromiumProfilesCheck======================
FakeprofileC:\Users\Bradley.Steve\AppData\Local\Google\ChromeSxSdeleted
====ChromiumLook======================
HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
bejnhdlplbjhffionohbdnpcbobfejccC:\ProgramFiles(x86)\NortonInternet
Security\Engine\20.5.0.28\Exts\Chrome.crx[04/29/201406:31AM]
kanflfepiobnpjbljmngfgegijhdpljmC:\ProgramFiles(x86)\HPSimplePass\tschrome.crx[04/01/201301:25AM]
HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\Extensions
apdfllckaahabafndbhieahigkjlhalf
C:\Users\Bradley.Steve\AppData\Local\Google\Drive\apdfllckaahabafndbhieahigkjlhalf_live.crx[04/14/2014
07:19PM]
GoogleVoiceSearchHotword(Beta)Bradley.Steve\AppData\Local\Google\Chrome\User
Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
WebsiteLogonBradley.Steve\AppData\Local\Google\Chrome\User
Data\Default\Extensions\kanflfepiobnpjbljmngfgegijhdpljm
RedditEnhancementSuiteBradley.Steve\AppData\Local\Google\Chrome\User
Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb
WebsiteLogonBradley.Steve\AppData\Local\SonyCorporation\Some\Chromium\User
MixiDJV31Bradley.Steve\AppData\Local\SonyCorporation\Some\Chromium\User
Data\Default\Extensions\nmaikkamgfhkjbadgihldfmkpngkhgbb
GoogleVoiceSearchHotword(Beta)BRADLE~1.STE\AppData\Local\Google\Chrome\User
Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn
WebsiteLogonBRADLE~1.STE\AppData\Local\Google\Chrome\User
3/7
11/29/2014
RedditEnhancementSuiteBRADLE~1.STE\AppData\Local\Google\Chrome\User
Data\Default\Extensions\kbmfpngjjgdllneeigpgjifpgocmfgmb
WebsiteLogonBRADLE~1.STE\AppData\Local\SonyCorporation\Some\Chromium\User
MixiDJV31BRADLE~1.STE\AppData\Local\SonyCorporation\Some\Chromium\User
Data\Default\Extensions\nmaikkamgfhkjbadgihldfmkpngkhgbb
====ChromiumStartpages======================
C:\Users\Bradley.Steve\AppData\Local\SonyCorporation\Some\Chromium\UserData\Default\Preferences
"homepage":"http://www.google.com/",(http://www.google.com/)
C:\Users\BRADLE~1.STE\AppData\Local\SonyCorporation\Some\Chromium\UserData\Default\Preferences
"homepage":"http://www.google.com/",(http://www.google.com/)
====ChromiumFix======================
C:\Users\Bradley.Steve\AppData\Local\Google\Chrome\UserData\Default\Local
Storage\http_www.azlyrics.com_0.localstoragedeletedsuccessfully
Storage\http_www.azlyrics.com_0.localstoragejournaldeletedsuccessfully
Storage\https_www.superfish.com_0.localstoragedeletedsuccessfully
Storage\http_www.superfish.com_0.localstoragedeletedsuccessfully
Storage\https_services.tamu.edu_0.localstoragedeletedsuccessfully
====SetIEtoDefault======================
OldValues:
[HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main]
"StartPage"="http://www.google.com"(http://www.google.com)
NewValues:
[HKEY_CURRENT_USER\Software\Microsoft\InternetExplorer\Main]
"StartPage"="http://www.google.com"(http://www.google.com)
====AllHKCUSearchScopes======================
HKEY_CURRENT_USER\SOFTWARE\Microsoft\InternetExplorer\SearchScopes
"DefaultScope"="{0633EE93D776472fA0FFE1416B8B2E3A}"
{012E1000F33111DB83140800200C9A66}GoogleUrl="http://www.google.co...={searchTerms}"
(http://www.google.com/search?q=%7BsearchTerms%7D)
{0633EE93D776472fA0FFE1416B8B2E3A}BingUrl="http://www.bing.com/...ox&FORM=IESR02"
(http://www.bing.com/search?q=%7BsearchTerms%7D&src=IESearchBox&FORM=IESR02)
====DeletingRegistryKeys======================
HKEY_LOCAL_MACHINE\Software\wow6432node\Policies\Googledeletedsuccessfully
====EmptyIECache======================
C:\WINDOWS\system32\config\systemprofile\AppData\Local\Microsoft\Windows\TemporaryInternet
Files\Content.IE5emptiedsuccessfully
C:\Users\Bradley.Steve\AppData\Local\Microsoft\Windows\INetCache\Content.IE5emptiedsuccessfully
C:\Users\Bradley.Steve\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5emptiedsuccessfully
C:\Users\BRADLE~1.STE\AppData\Local\Microsoft\Windows\INetCache\Content.IE5emptiedsuccessfully
C:\Users\BRADLE~1.STE\AppData\Local\Microsoft\Windows\INetCache\Low\Content.IE5emptiedsuccessfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
emptiedsuccessfully
C:\Users\Bradley.Steve\AppData\Local\Microsoft\Windows\INetCache\IEemptiedsuccessfully
4/7
11/29/2014
C:\Users\Bradley.Steve\AppData\Local\Microsoft\Windows\INetCache\Low\IEemptiedsuccessfully
C:\Users\BRADLE~1.STE\AppData\Local\Microsoft\Windows\INetCache\IEemptiedsuccessfully
C:\Users\BRADLE~1.STE\AppData\Local\Microsoft\Windows\INetCache\Low\IEemptiedsuccessfully
C:\WINDOWS\SysNative\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IEemptied
successfully
====EmptyFireFoxCache======================
NoFireFoxProfilesfound
====EmptyChromeCache======================
C:\Users\Bradley.Steve\AppData\Local\Google\Chrome\UserData\Default\Cacheemptiedsuccessfully
C:\Users\Bradley.Steve\AppData\Local\SonyCorporation\Some\Chromium\UserData\Default\Cacheemptied
successfully
C:\Users\BRADLE~1.STE\AppData\Local\Google\Chrome\UserData\Default\Cacheemptiedsuccessfully
C:\Users\BRADLE~1.STE\AppData\Local\SonyCorporation\Some\Chromium\UserData\Default\Cacheemptied
successfully
====EmptyAllFlashCache======================
FlashCacheEmptiedSuccessfully
====EmptyAllJavaCache======================
JavaCacheclearedsuccessfully
====C:\zoek_backupcontent======================
C:\zoek_backup(files=1117folders=152264532368bytes)
====EmptyTempFolders======================
C:\Users\Bradley.Steve\AppData\Local\Tempwillbeemptiedatreboot
C:\Users\Default\AppData\Local\Tempemptiedsuccessfully
C:\Users\DefaultUser\AppData\Local\Tempemptiedsuccessfully
C:\Users\BRADLE~1.STE\AppData\Local\Tempwillbeemptiedatreboot
C:\WINDOWS\serviceprofiles\networkservice\AppData\Local\Tempemptiedsuccessfully
C:\WINDOWS\serviceprofiles\Localservice\AppData\Local\Tempemptiedsuccessfully
C:\WINDOWS\Tempwillbeemptiedatreboot
====AfterReboot======================
====EmptyTempFolders======================
C:\WINDOWS\Tempsuccessfullyemptied
C:\Users\BRADLE~1.STE\AppData\Local\Tempsuccessfullyemptied
====EmptyRecycleBin======================
C:\$RECYCLE.BINsuccessfullyemptied
====EOFonTue11/25/2014at10:15:12.10======================
TwinHeadedEagle
Verygood.Anyprogress?
ScanwithFarbarRecoveryScanTool
5/7
11/29/2014
PleasererunFarbarRecoveryScanTooltogivemeafreshlookatyoursystem.
Rightclickon
iconandselect RunasAdministratortostartthetool.
(XPusersclickrunafterreceiptofWindowsSecurityWarningOpenFile).
MakesurethatAdditionoptionischecked.
PressScanbuttonandwait.
Thetoolwillproducetwologfilesonyourdesktop:FRST.txtandAddition.txt.
Pleaseincludetheircontentintoyournextreply.
exor15
Theextensionappearstohavenotcomeback,butIranFarbaragainsohere'sthelogs.
AttachedFiles
Addition.txt(https://forums.malwarebytes.org/index.php?
FRST.txt(https://forums.malwarebytes.org/index.php?
TwinHeadedEagle
Good.LastthingtodoistoreinstallGoogleChrome.Tellmeiseverythingfinenow,sowecanfinish?
exor15
Everythinglooksgood!Thanksman,appreciateit!
TwinHeadedEagle
GladIcouldhelp.WewilldeleteallusedtoolsandI'llgiveyousometipstohardenyoursecurityandlearnhowto
protectyourself
Recommendedreading:
MUSTREADsecuritytips:
ComputerSecurityashortguidetostayingsaferonline.
(http://www.malwareremoval.com/forum/viewtopic.php?p=557960#p557960)
SimpleandeasywaystokeepyourcomputersafeandsecureontheInternet
(http://www.bleepingcomputer.com/tutorials/keepyourcomputersafeonline/)
MUSTREADgeneralmaintenance:
WhattodoifyourComputerisrunningslowly?
(http://www.malwareremoval.com/tutorials/runningslowly.php)
TheImportanceofSoftwareUpdating:
Inordertostayprotecteditisveryimportantthatyouregularlyupdateallofyoursoftware.Cybercriminals
dependontheapathyofusersaroundsoftwareupdatestokeeptheirmaliciousendeavorrunning.
Operatingsystems,suchasWindows,andapplications,suchasAdobeReaderorJAVA,areusedbytensofmillionsof
6/7
11/29/2014
computersanddevicesaroundtheworld,makingthemahugetargetforcybercriminals.Downloadingupdatesand
installingthemcansometimesbetedious,buttheadvantagesyougetfromtheupdatesarecertainlyworthit.
HowtoconfigureanduseAutomaticUpdatesinWindows(http://support.microsoft.com/kb/306525)
HowtoupdateJava(http://www.hamilton.edu/its/rc/howtoinstalljavawindowsxpvista78)
HowtoupdateAdobeReader(http://www.ehow.com/how_5233161_upgradeadobereader.html)
Recommendedadditionalsoftware:
TFC(http://www.geekstogo.com/forum/files/file/187tfctempfilecleanerbyoldtimer/)tocleanunneeded
temporaryfiles.
Malwarebytes'AntiMalware(http://www.malwarebytes.org/)toscanyoursystemfromtimetotimein
searchformalware.
Malwarebytes'AntiExploit(https://www.malwarebytes.org/antiexploit/)topreventplentyofmostly
exploitedvulnerabilities.
McShield(http://www.mcshield.net/)topreventinfectionsspreadbyremovablemedia.
Unchecky(http://unchecky.com/)topreventfrominstallingadditionalfoistware,implementedinlegitimate
installations.
FiheHippo.comUpdateChecker(http://filehippo.com/updatechecker)tokeepyourprogramsuptodate.
Adblock(https://adblockplus.org/en/chrome)tosurfthewebwithoutannoyingads!
Postcleanupprocedures:
DownloadDelFix(http://generalchangelogteam.fr/fr/downloads/finish/20outilsdexplode/9delfix)byXplode
andsaveittoyourdesktop.
Runthetoolbyrightclickonthe
iconandRunasadministratoroption.
Makesurethattheseonesarechecked:
Removedisinfectiontools
Purgesystemrestore
Resetsystemsettings
PushRun.
Theprogramwillrunforafewsecondsanddisplayanotepadreport.Youdonotneedtoattachit.
ThetoolwillalsorecordhealthystateofregistryandmakeabackupusingERUNTprogramin%windir%\ERUNT\DelFix
Tooldeletesoldsystemrestorepointsandcreateafreshsystemrestorepointaftercleaning.
Myhelpisfreeforeverybody.
Ifyou'rehappywiththehelpprovidedand/orwishtobuymeabeerfortheassistanceyoureceived,thenyoucan
consideradonation:
(http://goo.gl/XIT114)
Thankyou!
Staysafe,
TwinHeadedEagle
BacktoMalwareRemovalHelp
MalwarebytesForum MalwareRemovalSupport MalwareRemovalHelp
7/7

BuyNSave Keeps Coming Back

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BuyNSave Keeps Coming Back

Uploaded by

Copyright:

Available Formats

11/29/2014

MalwarebytesForum MalwareRemovalSupport MalwareRemovalHelp

MalwarebytesForum MalwareRemovalSupport MalwareRemovalHelp

You might also like