Faaaaaak! Malware!

Mouse-Potato

Well, I just clicked on something I shouldn't have, and now I have something called choiceforme.website popping up in Malwarebytes.

 

 

Here is what it looks like when I open any browser...

[screenshot: ZYRKcYd.png]

 

Does anyone know how to remove it??? It's on IE also.

 

On PeerBlock it pops up as "EdgeCast Networks, Inc", so I'm guessing it's spyware??

 

Don't know much about this malware crap. Can anyone help?

Malwarebytes. You can probably remove this thing in settings too.

> Malwarebytes. You can probably remove this thing in settings too.

OK, I ran PeerBlock as soon as it popped up and uninstalled all the crap it installed. Some of the programs were remote desktop crap, so I'm hoping they didn't get anything out of my comp.

 

I'm scanning with MWbytes right now and I'll see if it picks up anything...

For IE: gear icon for settings, Internet Options, Advanced tab, Reset Internet Explorer settings.
For Chrome: 3 bars for settings, Settings, Show advanced settings, Reset settings at the bottom.

Just make sure you removed the malware, otherwise it'll just keep changing your browser's preferences.

> For IE: gear icon for settings, Internet Options, Advanced tab, Reset Internet Explorer settings.
>
> For Chrome: 3 bars for settings, Settings, Show advanced settings, Reset settings at the bottom.
>
> Just make sure you removed the malware, otherwise it'll just keep changing your browser's preferences.

Yes, I've had that happen to me in the past. Chrome has so many settings that I always forget to clear one of them, and it always pops back up.

 

Thanks for the list!

Another recommendation: I use Webroot SecureAnywhere, so if I install something and it has adware like Pokki, it will either block it and prevent it from opening, or it will say it detected a virus, delete it, monitor it, and then rescan.

> For IE: gear icon for settings, Internet Options, Advanced tab, Reset Internet Explorer settings.
>
> For Chrome: 3 bars for settings, Settings, Show advanced settings, Reset settings at the bottom.
>
> Just make sure you removed the malware, otherwise it'll just keep changing your browser's preferences.

So I went through what you said and it doesn't seem to be cleaning the browsers. 

 

I found this though: http://www.malwaretips.org/how-to-remove-www-searching-com.html

 

Do you think this is legit?

> So I went through what you said and it doesn't seem to be cleaning the browsers.
>
> I found this though: http://www.malwaretips.org/how-to-remove-www-searching-com.html
>
> Do you think this is legit?

Is it still coming up as your homepage even after you change it back to what you want? Are any of the other pop-ups described there showing up? Trying to get an understanding of whether it is still installed and messing with your stuff, or you just have to deal with the remnants.

> Is it still coming up as your homepage even after you change it back to what you want? Are any of the other pop-ups described there showing up? Trying to get an understanding of whether it is still installed and messing with your stuff, or you just have to deal with the remnants.

Well, I tried it through Chrome and couldn't get it to work, so I uninstalled and reinstalled Chrome.

 

IE, on the other hand, is not clearing it. I've run MWbytes 3 times with PeerBlock open and closed, just to make sure it wasn't giving the anti-malware any false-positive type feedback.

 

I'm wondering if I can uninstall IE and reinstall it, but as I remember, I think it is a .dll file or something weird that won't let you uninstall it completely.

> Is it still coming up as your homepage even after you change it back to what you want? Are any of the other pop-ups described there showing up? Trying to get an understanding of whether it is still installed and messing with your stuff, or you just have to deal with the remnants.

Also, as far as the pop-ups: I checked my installed programs as soon as I noticed something got installed on my machine. I then uninstalled every single one of them before they could take effect. I don't have any pop-ups coming up, and the only thing that is hassling me is the search engine in IE. (Crossing my fingers it doesn't show up on Chrome again.)

> Also, as far as the pop-ups: I checked my installed programs as soon as I noticed something got installed on my machine. I then uninstalled every single one of them before they could take effect. I don't have any pop-ups coming up, and the only thing that is hassling me is the search engine in IE. (Crossing my fingers it doesn't show up on Chrome again.)

I'd sort the Uninstall a Program list by install date. Get rid of anything from today that you don't trust. It is still active, so the internet browsers will just be changed by it after resetting them. Do they keep reappearing in Malwarebytes even after you select remove? In detection and prevention in the Malwarebytes settings I'd make sure scan for rootkits is checked, as well as the other 2. Also the PUP and PUM settings: treat as malware.

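
The "sort Uninstall a Program by install date" step above, done from PowerShell. This is an added example and not something posted in the thread: it reads the same Uninstall registry keys that Programs and Features does (64-bit, 32-bit and per-user hives), so anything that registered itself properly shows up, and anything installed on or after a given date (default: today) is listed newest first. Entries with no InstallDate value are kept rather than hidden, since a missing date is itself worth a second look. The function and property names are my own.

```powershell
# Added example (not from the thread): list installed programs the way
# "Programs and Features" does, sorted by install date, newest first.
# InstallDate in the Uninstall keys is a yyyyMMdd string; entries without
# one are kept but sorted last so they are not silently dropped.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    # One object per Uninstall subkey that carries a DisplayName.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Publisher       = $_.Publisher
                InstallDate     = $date
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
                # Keep the key path so a suspicious entry can be inspected in regedit.
                RegistryKey     = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
            }
        }
}

function Get-RecentlyInstalledProgram {
    # Everything installed on or after $Since, plus anything with no
    # InstallDate at all. Dated entries come first, newest on top.
    param([datetime]$Since = (Get-Date).Date)
    Get-InstalledProgram |
        Where-Object { -not $_.InstallDate -or $_.InstallDate -ge $Since } |
        Sort-Object -Property @{ Expression = { $null -eq $_.InstallDate } },
                              @{ Expression = 'InstallDate'; Descending = $true }
}

# Usage: what showed up today, newest first, with publisher and location.
Get-RecentlyInstalledProgram |
    Format-Table DisplayName, Publisher, InstallDate, InstallLocation -AutoSize -Wrap
```

Caveat: only software that wrote an Uninstall key appears here. Browser extensions, scheduled tasks, services and droppers that never register themselves do not, which is why an empty list from this is not proof that the hijacker is gone.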

> I'd sort the Uninstall a Program list by install date. Get rid of anything from today that you don't trust. It is still active, so the internet browsers will just be changed by it after resetting them. Do they keep reappearing in Malwarebytes even after you select remove? In detection and prevention in the Malwarebytes settings I'd make sure scan for rootkits is checked, as well as the other 2. Also the PUP and PUM settings: treat as malware.

I did select by date and put newest first.

 

When I ran Mwb the first time it found 51 threats; it cleaned them, and after that I checked twice, once with PeerBlock on and then again with PeerBlock off. Those last two times nothing popped up in Mwb, so to answer your question, it does not keep reappearing.

I checked Mwb, and both PUP and PUM are considered threats, but rootkits were not being scanned.

I will scan again and keep you posted!! Thanks! 

> I'd sort the Uninstall a Program list by install date. Get rid of anything from today that you don't trust. It is still active, so the internet browsers will just be changed by it after resetting them. Do they keep reappearing in Malwarebytes even after you select remove? In detection and prevention in the Malwarebytes settings I'd make sure scan for rootkits is checked, as well as the other 2. Also the PUP and PUM settings: treat as malware.

Re-ran Mwb with rootkits selected and it still came up without any malware detected.

 

Not sure what to do at this point... :(

> Re-ran Mwb with rootkits selected and it still came up without any malware detected.
>
> Not sure what to do at this point... :(

The webpage you linked seems correct. Option 1 is just the manual way of removing it, though it is discouraging, since option 3 is to use Malwarebytes. Do those registry keys they talk about exist for you? If so, we can see if we can hunt down the parts the more difficult way.

> The webpage you linked seems correct. Option 1 is just the manual way of removing it, though it is discouraging, since option 3 is to use Malwarebytes. Do those registry keys they talk about exist for you? If so, we can see if we can hunt down the parts the more difficult way.

Well, I looked at a couple of the registry keys, but nothing I can really understand, except for the obvious one...

 

http://imgur.com/lsTsE6I

 

Don't know what the Octoshape client thing is...

> Well, I looked at a couple of the registry keys, but nothing I can really understand, except for the obvious one...
>
> http://imgur.com/lsTsE6I
>
> Don't know what the Octoshape client thing is...

Go ahead and end the process for Octoshape. I'm sorting through the rest of them now.

> Go ahead and end the process for Octoshape. I'm sorting through the rest of them now.

I'm at Step 2, where it says to delete related registry entries; not quite sure if I understand this the right way. Should I delete everything that is inside those file extensions, or do I have to single out the exact one they mention?

Like, should only the ones that look exactly like this be deleted?

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]

or the 6 items on the right in the registry folder?

http://imgur.com/Wix4Qxf

> I'm at Step 2, where it says to delete related registry entries; not quite sure if I understand this the right way. Should I delete everything that is inside those file extensions, or do I have to single out the exact one they mention?
>
> Like, should only the ones that look exactly like this be deleted?
>
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]
>
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]
>
> or the 6 items on the right in the registry folder?
>
> http://imgur.com/Wix4Qxf

Something specific from within those folders. Please double-check here before deleting anything in regedit.

> I'm at Step 2, where it says to delete related registry entries; not quite sure if I understand this the right way. Should I delete everything that is inside those file extensions, or do I have to single out the exact one they mention?
>
> Like, should only the ones that look exactly like this be deleted?
>
> HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]
>
> HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]
>
> HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]
>
> or the 6 items on the right in the registry folder?
>
> http://imgur.com/Wix4Qxf

From the image you sent me of the running processes, there are 2 conhosts. Can you right-click, select Open file location, and verify they are both from the System32 folder?

Also, in the downtime while I try to track down what some of those processes are related to, it wouldn't hurt to try different antiviruses and use the free 30-day trial of premium they give. One of the most aggressive ones I know of is Bitdefender.

> Something specific from within those folders. Please double-check here before deleting anything in regedit.

 

OK, so from what I've found, this is what is inside 3 out of 4 of the registry folders:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]: http://imgur.com/Wix4Qxf

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]: "non-existent"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]: http://imgur.com/cVwcGSc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]: http://imgur.com/I6sX9Br

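
Two points in the thread call for the same check: the earlier advice that resetting IE and Chrome will not stick while the malware is still present, and the registry-key step being walked through above. This added example (not from the thread or the removal guide it links) reads those locations back in one pass: the HKEY_USERS\.DEFAULT and HKCU Internet Settings keys (proxy hijacks), the Winlogon Shell/Userinit values, the Policies\Explorer\Run and ordinary Run keys, and IE's Start Page / Search Page values. The "expected" patterns (Shell = explorer.exe, Userinit = the System32 userinit.exe with its trailing comma, ProxyEnable 0, no AutoConfigURL, per-user Winlogon values absent) and the allow-list of search-engine hosts are my assumptions about a clean machine; edit the allow-list to whatever you actually use. The script reports only and deletes nothing. If a row still says REVIEW after a browser reset, whatever is rewriting the browser settings is still installed.

```powershell
# Added example (not from the thread or its removal guide): audit the registry
# locations a browser hijacker typically writes to and list anything that does
# not look like the stock Windows default. Report-only: delete nothing from
# here without confirming what the value belongs to.

$HkuDefault = 'Registry::HKEY_USERS\.DEFAULT'   # HKU: is not a default PSDrive

# Single values with a known-good shape (assumed clean-machine defaults).
# Expected = $null means the value is normally absent, so any value is flagged.
$ValueChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = '^explorer\.exe$' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = '^[A-Z]:\\Windows\\system32\\userinit\.exe,?$' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';    Expected = $null }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Userinit'; Expected = $null }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings';      Name = 'ProxyEnable';   Expected = '^0$' }
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings';      Name = 'AutoConfigURL'; Expected = $null }
    @{ Path = "$HkuDefault\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"; Name = 'ProxyEnable';   Expected = '^0$' }
    @{ Path = "$HkuDefault\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"; Name = 'AutoConfigURL'; Expected = $null }
)

# Autostart keys: every value is listed. Policies\Explorer\Run is normally
# empty on a home PC, so anything there is flagged outright.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# IE home/search pages: any host not in this list is flagged (assumed allow-list).
$AllowedHosts = @('www.google.com', 'www.bing.com', 'www.msn.com', 'go.microsoft.com')
$IeMainKeys   = @('HKCU:\SOFTWARE\Microsoft\Internet Explorer\Main', 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main')
$IeMainValues = @('Start Page', 'Secondary Start Pages', 'Default_Page_URL', 'Search Page', 'Default_Search_URL')

function New-Finding {
    param($Path, $Name, $Value, $Verdict)
    [pscustomobject]@{ Path = $Path; Name = $Name; Value = $Value; Verdict = $Verdict }
}

function Get-HijackFinding {
    foreach ($c in $ValueChecks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $actual) { $ok = $true }                       # absent: Windows uses its built-in default
        elseif ($null -eq $c.Expected) { $ok = $false }              # present where nothing is normally set
        else { $ok = "$actual" -match $c.Expected }
        $verdict = if ($ok) { 'default' } else { 'REVIEW' }
        New-Finding $c.Path $c.Name $actual $verdict
    }

    foreach ($key in $RunKeys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $value   = $item.GetValue($name)
            $verdict = if ($key -like '*\Policies\*') { 'REVIEW' } else { 'autostart' }
            New-Finding $key $name $value $verdict
        }
    }

    foreach ($key in $IeMainKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $IeMainValues) {
            foreach ($url in @($props.$name)) {          # Secondary Start Pages is multi-string
                if (-not $url) { continue }
                $uri = $null
                $hostName = if ([uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) { $uri.Host } else { $url }
                $verdict  = if ($AllowedHosts -contains $hostName) { 'allowed' } else { 'REVIEW' }
                New-Finding $key $name $url $verdict
            }
        }
    }
}

# Usage: flagged rows first. Compare against the [random] names from the guide.
Get-HijackFinding | Sort-Object Verdict -Descending | Format-Table -AutoSize -Wrap
```

The Services\<random> key from the guide is deliberately not hard-coded: service names are per-infection, so list services instead (Get-Service, or the Services key under HKLM:\SYSTEM\CurrentControlSet) and look for ones whose binary sits in a user-writable folder. Run it once before and once after the browser reset; a REVIEW row that comes back is the persistence that needs removing first.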

> Also, in the downtime while I try to track down what some of those processes are related to, it wouldn't hurt to try different antiviruses and use the free 30-day trial of premium they give. One of the most aggressive ones I know of is Bitdefender.

I'll try this. Also, what do you think about NOD32?

> From the image you sent me of the running processes, there are 2 conhosts. Can you right-click, select Open file location, and verify they are both from the System32 folder?

 

nvxdsync.exe: nothing happens when I try opening file location.

conhost.exe (without description) is not System32; when I try to open file location nothing happens.

The second conhost.exe, however, is a System32 file.

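
The conhost.exe question from the last two posts, done programmatically instead of through Task Manager. This is an added example and not code from the thread: for each running process that carries the name of a Windows system binary it checks that the image path really is %SystemRoot%\System32 (whole-directory comparison, not a substring match) and that the file has a valid Microsoft Authenticode signature, and it shows the parent process for context. Run it from an elevated PowerShell; "Open file location" doing nothing in Task Manager is commonly the same symptom this script reports as NO PATH, i.e. a process you lack rights to query. The list of system binary names, the function name and the verdict strings are my own.

```powershell
# Added example (not from the thread): for running processes named like a
# Windows system binary, verify (1) the image lives in %SystemRoot%\System32
# and (2) it carries a valid Microsoft Authenticode signature.
# Run elevated: ExecutablePath is empty for other users' and SYSTEM processes otherwise.

# Binaries that live in System32 (explorer.exe lives in %SystemRoot%, so it is not here).
$SystemNames = @('conhost.exe', 'csrss.exe', 'svchost.exe', 'lsass.exe', 'services.exe',
                 'winlogon.exe', 'smss.exe', 'dllhost.exe', 'rundll32.exe', 'taskhost.exe')
$System32 = Join-Path $env:SystemRoot 'System32'

function Test-SystemProcess {
    param([string[]]$Names = $SystemNames)

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($proc in $all) {
        if ($Names -notcontains $proc.Name) { continue }

        $path       = $proc.ExecutablePath
        $inSystem32 = $false
        $sigStatus  = 'no path'
        $signer     = $null
        if ($path) {
            # Compare the whole directory: C:\Windows\System32Evil\conhost.exe must fail.
            $dir        = [IO.Path]::GetDirectoryName($path).TrimEnd('\')
            $inSystem32 = $dir -ieq $System32
            $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($sig) {
                $sigStatus = $sig.Status.ToString()
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
        }
        $msSigned = ($sigStatus -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

        if ($inSystem32 -and $msSigned) { $verdict = 'ok' }
        elseif ($inSystem32 -and $sigStatus -eq 'NotSigned') { $verdict = 'in System32, no embedded signature (may be catalog-signed; confirm with sigcheck)' }
        elseif (-not $path) { $verdict = 'NO PATH: run elevated, or the image is gone/hidden' }
        else { $verdict = 'REVIEW: wrong directory or bad/foreign signature' }

        $parent = $byPid[[int]$proc.ParentProcessId]
        $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "exited ($($proc.ParentProcessId))" }

        [pscustomobject]@{
            Name       = $proc.Name
            PID        = $proc.ProcessId
            Parent     = $parentText
            Path       = $path
            InSystem32 = $inSystem32
            Signature  = $sigStatus
            Signer     = $signer
            Verdict    = $verdict
        }
    }
}

# Usage: everything named like a system binary, flagged rows first.
Test-SystemProcess | Sort-Object Verdict -Descending |
    Format-Table Name, PID, Parent, Path, Signature, Verdict -AutoSize -Wrap
```

Two caveats. Many System32 binaries are signed through a catalog rather than an embedded signature, so Get-AuthenticodeSignature reports NotSigned for them; that row is not a finding on its own, confirm with Sysinternals sigcheck. And the parent column is context, not a verdict: on Windows 7 a legitimate conhost.exe is started by csrss.exe, on Windows 8 and later by the console program that needed it. A conhost.exe outside System32, or one whose path cannot be read even when elevated, is the thing to chase.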
