Posted January 17, 2015
Well, just clicked on something I shouldn't have and now I have something called choiceforme.website popping up on Malwarebytes. Here is what it looks like when I open any browser... Does anyone know how to remove it??? It's on IE also. On PeerBlock it pops up as "EdgeCastNetworks,Inc", so I'm guessing it's spyware?? Don't know much about this malware crap. Can anyone help?

Posted January 17, 2015
Malwarebytes. You can probably remove this thing in settings too.

Posted January 17, 2015 Author
> Malwarebytes. You can probably remove this thing in settings too.
Ok, I ran PeerBlock as soon as it popped up and uninstalled all the crap it installed. Some of the programs were remote desktop crap so I'm hoping they didn't get anything out of my comp. I'm scanning with MWbytes right now and I'll see if it picks up anything...

Posted January 17, 2015
For IE: Gear icon for settings, internet options, advanced tab, reset internet explorer settings.
For Chrome: 3 bars for settings, settings, show advanced settings, reset settings at bottom.
Just make sure you removed the malware, otherwise it'll just keep changing your browser's preferences.

Posted January 17, 2015 Author
> For IE: Gear icon for settings, internet options, advanced tab, reset internet explorer settings.
> For Chrome: 3 bars for settings, settings, show advanced settings, reset settings at bottom.
> Just make sure you removed the malware, otherwise it'll just keep changing your browser's preferences.
Yes, I've had that happen to me in the past. Chrome has so many settings I always forget to clear one of them and it always pops back up. Thanks for the list!

Posted January 17, 2015
Another recommendation: I use Webroot SecureAnywhere, so if I install something and it has adware like Pokki it will either block it and prevent it from opening or it will say it detected a virus, delete it, monitor it, and then rescan.

Posted January 17, 2015 Author
> For IE: Gear icon for settings, internet options, advanced tab, reset internet explorer settings.
> For Chrome: 3 bars for settings, settings, show advanced settings, reset settings at bottom.
> Just make sure you removed the malware, otherwise it'll just keep changing your browser's preferences.
So I went through what you said and it doesn't seem to be cleaning the browsers. I found this though: http://www.malwaretips.org/how-to-remove-www-searching-com.html Do you think this is legit?

Posted January 17, 2015
> So I went through what you said and it doesn't seem to be cleaning the browsers. I found this though: http://www.malwaretips.org/how-to-remove-www-searching-com.html Do you think this is legit?
Is it still coming up as your homepage even after you change it back to what you want? Any of the other pop ups being described there showing up? Trying to get an understanding if it is still installed and messing with your stuff or you just have to deal with the remnants.

Posted January 17, 2015 Author
> Is it still coming up as your homepage even after you change it back to what you want? Any of the other pop ups being described there showing up? Trying to get an understanding if it is still installed and messing with your stuff or you just have to deal with the remnants.
Well, I tried it through Chrome and couldn't get it to work, so I uninstalled and re-installed Chrome. IE on the other hand is not clearing it. I've run MWbytes 3 times with PeerBlock open and closed just to make sure it wasn't giving the anti-malware any false positive type feedback. I'm wondering if I can uninstall IE and re-install it, but as I remember I think it is a .dll file or something weird that won't let you uninstall it completely.

Posted January 17, 2015 Author
> Is it still coming up as your homepage even after you change it back to what you want? Any of the other pop ups being described there showing up? Trying to get an understanding if it is still installed and messing with your stuff or you just have to deal with the remnants.
Also, as far as the pop ups, I checked my installed programs as soon as I noticed something got installed on my machine. I then uninstalled every single one of them before they could take effect. I don't have any pop ups coming up and the only thing that is hassling me is the search engine on IE. (Cross my fingers it doesn't show up on Chrome again)

Posted January 17, 2015 Author
Well it just popped up in Chrome again... FML! :wacko:

Posted January 17, 2015
> Also, as far as the pop ups, I checked my installed programs as soon as I noticed something got installed on my machine. I then uninstalled every single one of them before they could take effect. I don't have any pop ups coming up and the only thing that is hassling me is the search engine on IE. (Cross my fingers it doesn't show up on Chrome again)
I'd sort the uninstall a program by install date. Get rid of anything from today that you don't trust. It is still active so the internet browsers will just be changed by it after resetting them. They keep reappearing in Malwarebytes even after you select remove? In detection and prevention in Malwarebytes settings I'd make sure scan for root kits is checked as well as the other 2. Also the PUP and PUM settings for treat as malware.

Posted January 17, 2015 Author
> I'd sort the uninstall a program by install date. Get rid of anything from today that you don't trust. It is still active so the internet browsers will just be changed by it after resetting them. They keep reappearing in Malwarebytes even after you select remove? In detection and prevention in Malwarebytes settings I'd make sure scan for root kits is checked as well as the other 2. Also the PUP and PUM settings for treat as malware.
I did select by date and put newest first. When I ran Mwb the first time it found 51 threats, it cleaned them, and after that I checked it twice, once with PeerBlock on then another with PeerBlock off. Those last two times nothing popped up in Mwb, so to answer your question it does not keep reappearing. I checked Mwb and both PUP and PUM are considered threats but rootkits were not being scanned. I will scan again and keep you posted!! Thanks!

Posted January 17, 2015 Author
> I'd sort the uninstall a program by install date. Get rid of anything from today that you don't trust. It is still active so the internet browsers will just be changed by it after resetting them. They keep reappearing in Malwarebytes even after you select remove? In detection and prevention in Malwarebytes settings I'd make sure scan for root kits is checked as well as the other 2. Also the PUP and PUM settings for treat as malware.
Re-ran Mwb with rootkits selected and it still came up without any malware detected. Not sure what to do at this point...

Posted January 17, 2015
> Re-ran Mwb with rootkits selected and it still came up without any malware detected. Not sure what to do at this point...
The webpage you linked seems correct. Option 1 is just the manual way of removing it. Though it is discouraging since option 3 is to use Malwarebytes. Do those registry keys they talk about exist for you? If so we can see if we can hunt down the parts the more difficult way.

Posted January 17, 2015 Author
> The webpage you linked seems correct. Option 1 is just the manual way of removing it. Though it is discouraging since option 3 is to use Malwarebytes. Do those registry keys they talk about exist for you? If so we can see if we can hunt down the parts the more difficult way.
Well, I looked at a couple of the registry keys but nothing I can understand really except for the obvious one: http://imgur.com/lsTsE6I
Don't know what the Octoshape client thing is...

Posted January 17, 2015
> Well, I looked at a couple of the registry keys but nothing I can understand really except for the obvious one: http://imgur.com/lsTsE6I
> Don't know what the Octoshape client thing is...
Go ahead and end the process for Octoshape. I'm sorting through the rest of them now.

Posted January 17, 2015 Author
> Go ahead and end the process for Octoshape. I'm sorting through the rest of them now.
I'm at Step 2 where it says to delete related registry entries, not quite sure if I understand this the right way. Should I delete everything that is inside those file extensions or do I have to single down the exact one they mention? Like the ones that look exactly like this should only be deleted?
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]
or, the 6 items to the right in the registry folder?: http://imgur.com/Wix4Qxf

Posted January 17, 2015
> I'm at Step 2 where it says to delete related registry entries, not quite sure if I understand this the right way. Should I delete everything that is inside those file extensions or do I have to single down the exact one they mention? Like the ones that look exactly like this should only be deleted?
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]
> HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]
> or, the 6 items to the right in the registry folder?: http://imgur.com/Wix4Qxf
Something specific from within those folders. Please double check here before deleting anything in regedit.

Posted January 17, 2015
This is why common sense isn't enough. Accidents happen. Buy Malwarebytes.

Posted January 17, 2015
> I'm at Step 2 where it says to delete related registry entries, not quite sure if I understand this the right way. Should I delete everything that is inside those file extensions or do I have to single down the exact one they mention? Like the ones that look exactly like this should only be deleted?
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]
> HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]
> or, the 6 items to the right in the registry folder?: http://imgur.com/Wix4Qxf
From the image you sent me of the running processes: there are 2 conhosts. Can you right click and select open file location and verify they are both from the system32 folder?

Posted January 17, 2015
Also, in the down time while I try to track down what some of those processes are related to, it wouldn't hurt to try different antiviruses and use the free 30 day trial of premium they give. One of the most aggressive ones I know of is Bitdefender.

Posted January 17, 2015 Author
> Something specific from within those folders. Please double check here before deleting anything in regedit.
OK, so from what I've found these are what is inside 3 out of 4 of the registry folders:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]: http://imgur.com/Wix4Qxf
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]: "non existent"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]: http://imgur.com/cVwcGSc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]: http://imgur.com/I6sX9Br

Posted January 17, 2015 Author
> Also, in the down time while I try to track down what some of those processes are related to, it wouldn't hurt to try different antiviruses and use the free 30 day trial of premium they give. One of the most aggressive ones I know of is Bitdefender.
I'll try this, also what do you think about Nod 32?

Posted January 17, 2015 Author
> From the image you sent me of the running processes: there are 2 conhosts. Can you right click and select open file location and verify they are both from the system32 folder?
nvxdsync.exe: nothing happens when I try opening file location.
conhost.exe (without description) is not sys32; when I try to open file location nothing happens.
The second conhost.exe, however, is a sys 32 file.

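A read-only way to make the two checks discussed in this thread (where each conhost.exe is running from, and what sits under the registry keys named in the removal guide), added here as an example and not posted by any participant. It assumes PowerShell 3.0 or later started from an elevated prompt; the registry paths are the ones quoted in the thread, with `[random]` left out because the script lists whatever is there.

```powershell
# Read-only triage: nothing on the system is modified or deleted.
# Assumption: PowerShell 3.0+, elevated, so process image paths are readable.

# 1. Report the image path of every running conhost.exe.
#    The genuine binary lives in %SystemRoot%\System32.
$expected = Join-Path $env:SystemRoot 'System32\conhost.exe'
Get-CimInstance Win32_Process -Filter "Name = 'conhost.exe'" | ForEach-Object {
    if (-not $_.ExecutablePath) {
        $verdict = 'path not readable'
    } elseif ($_.ExecutablePath -eq $expected) {   # -eq ignores case for strings
        $verdict = 'expected location'
    } else {
        $verdict = 'UNEXPECTED location'
    }
    [pscustomobject]@{
        PID       = $_.ProcessId
        ParentPID = $_.ParentProcessId
        Path      = $_.ExecutablePath
        Verdict   = $verdict
    }
} | Format-Table -AutoSize

# 2. List the values stored under the keys named in the thread
#    (.DEFAULT is the actual name of the hive under HKEY_USERS).
$keys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'Registry::HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)
foreach ($k in $keys) {
    $k
    if (-not (Test-Path -LiteralPath $k)) {
        '  (key not present)'
        continue
    }
    $key = Get-Item -LiteralPath $k
    foreach ($name in $key.GetValueNames()) {
        # Multi-string and binary values are joined so they print on one line.
        '  {0} = {1}' -f $name, ($key.GetValue($name) -join '; ')
    }
}
```

A conhost.exe reported outside System32, or an entry under the `Run` policy key pointing at an unfamiliar executable, is the kind of finding to post back for review before deleting anything in regedit.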