Solved adware from filehippo.com taking over my Windows 7 laptop

Hewlett-packard / P7-1436s
August 29, 2015 at 13:47:38
Specs: Win10, 3.0 ghz/6 Gigs RAM
My WIN7 laptop is almost unusable due to adware obscuring the screen. I usually go to filehippo for stuff but now it is alleged that they are implanting adware too. Additionally, multiple windows are opening. I am about ready to restore to factory if I cannot come up with a solution.

#1
August 29, 2015 at 14:06:49
✔ Best Answer
These three freebies are very good to start the ball rolling. With luck they will clear the decks sufficiently to make it easier for you to take things further. Run them in the order given:

AdwCleaner:
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Cleaning" button.

Junkware Removal Tool (JRT)
http://www.bleepingcomputer.com/dow...
(blue Download button near top - not anything else on the page).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
https://www.malwarebytes.org/downlo...
Download the free version.
Install and Run the program but before doing its Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

Please copy/paste the logs on here, even if the symptoms are cleared.

[An aside. It may be that filehippo is OK as long as you are careful not to install other things on the page. It is not unusual for websites to try to fool you into downloading the wrong thing. If you attempt to save the file it will often indicate just what you are getting. It is always best to Save Files rather than installing online]

Always pop back and let us know the outcome - thanks

message edited by Derek


#2
August 29, 2015 at 15:56:10
Also.. Whenever you install "anything" off the web, "never" install it via the default "automatic" (or similar) option. Use the "manual/custom" option. This will allow you to carefully observe, note and then uncheck all those little boxes so "helpfully prechecked for your convenience". These prechecked boxes invariably install all manner of stuff, you neither need nor want. Some will take over the browser, some make other unwanted changes to the system, some result in numerous popups various - to name but three groups.

Sadly just about "all" utilities download sites now try to bundle and slip all manner of junk into the setup. They count on one not noticing them - by encouraging one to use the automatic install path; whereas the manual/custom is the option to use.

Also many sites have download links very close to, and often nearly identical to the one you want. But these other links are again to nuisance downloads etc.. As JohnW advises be careful which download button/link you choose...


#3
August 29, 2015 at 16:01:51
Addendum... Regardless of the current situation, ensure you have copied/duplicated all your files to external storage. Typically DVD, another external hard drive too is nice(r). This ensures that if you do decide to do a factory reset/restore your files are safe off the system. Equally if for whatever reasons you can't access the system, again your files are safe elsewhere.

Factory reset/restore erases all your personal files/data in the process; so as above safeguard them prior to any factory reset routines.


#4
August 31, 2015 at 08:47:40
Thanks to all. The above did not get rid of Magical Find but did remove all the others. I got onto Avast Removal Tool which did take care of Magical Find. My laptop is now running fine. From now on, custom installation and I will read carefully. Again, thanks.

#5
August 31, 2015 at 09:03:04
Correction - Avast Browser Cleanup - proper name. Thx.

#6
August 31, 2015 at 12:23:55
You would likely need more processes to ensure the computer was properly clean.

Always pop back and let us know the outcome - thanks


#7
August 31, 2015 at 17:47:45
Just to make sure you have got rid of everything, I can go through these logs for the lurking bits.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif


#8
September 2, 2015 at 13:27:30

#9
September 2, 2015 at 17:16:14
Here you are Mike.

Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

closeprocesses:
emptytemp:
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> URL hxxp://search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> Backup.Old.DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {21A09A26-3F3C-4786-97CB-7495A1C6C36A} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> Backup.Old.DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233}
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> OldSearch URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> {21A09A26-3F3C-4786-97CB-7495A1C6C36A} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Homepage: hxxp://www.foxnews.com/
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]

Run FRST/FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.


#10
September 3, 2015 at 09:28:42
johnw: How do I get the tool to run? I saved it as directed and typed fixlist.txt into Run and it just opened the document.

#11
September 3, 2015 at 10:35:00
Let's see if we can move this forward so that it is ready for Johnw when he returns. It is all there in the instructions John gave you but maybe this will clarify it further. You might have already done some of this:

1. Download either "Farbar 32 bit version (FRST)" or "Farbar 64 bit version (FRST64)" depending on your computer.

2. Whichever version you download ensure its file is on the "desktop". If it is elsewhere then move it to the desktop.

3. Highlight and "Copy" all of the blue text in response #9.

4. Open NotePad then "Paste" into it. The text from 3. above should arrive.

5. Save this new NotePad file with the name fixlist.txt and ensure it is on the "desktop".

6. You then double click FRST (or FRST64) to run it.

7. This will produce a file "Fixlog.txt" on the desktop (see all the green writing at end of post #9).

8. Copy and Paste the contents of "Fixlog.txt" into your reply.

Always pop back and let us know the outcome - thanks

message edited by Derek


#12
September 3, 2015 at 11:40:34
OK, I got it. I didn't have FRST64 on my desktop - Fixlog.txt
Fix result of Farbar Recovery Scan Tool (x64) Version:31-08-2015
Ran by Michael (2015-09-03 14:30:56) Run:1
Running from C:\Users\Michael\Desktop
Loaded Profiles: Michael (Available Profiles: Michael)
Boot Mode: Normal
==============================================

fixlist content:
*****************
closeprocesses:
emptytemp:
AlternateDataStreams: C:\ProgramData\Temp:5C321E34
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> URL hxxp://search.yahoo.com/yhs/search?hspart=ddc&hsimp=yhs-ddc_bd&type=bl-bir-sw-rhb-35__alt__ddc_dss_bd_com&p={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope value is missing
SearchScopes: HKLM-x32 -> Backup.Old.DefaultScope {9BB47C17-9C68-4BB3-B188-DD9AF0FD21}
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {21A09A26-3F3C-4786-97CB-7495A1C6C36A} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> Backup.Old.DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233}
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> OldSearch URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> {21A09A26-3F3C-4786-97CB-7495A1C6C36A} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us2-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-2/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File
Toolbar: HKU\S-1-5-21-2626068928-3004472685-795898619-1001 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
FF Homepage: hxxp://www.foxnews.com/
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
*****************

Processes closed successfully.
C:\ProgramData\Temp => ":5C321E34" ADS removed successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\URL => value removed successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\\Backup.Old.DefaultScope => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{21A09A26-3F3C-4786-97CB-7495A1C6C36A}" => key removed successfully
HKCR\Wow6432Node\CLSID\{21A09A26-3F3C-4786-97CB-7495A1C6C36A} => key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\Wow6432Node\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
HKU\S-1-5-21-2626068928-3004472685-795898619-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-2626068928-3004472685-795898619-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\Backup.Old.DefaultScope => value removed successfully
"HKU\S-1-5-21-2626068928-3004472685-795898619-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\OldSearch" => key removed successfully
HKCR\CLSID\OldSearch => key not found.
"HKU\S-1-5-21-2626068928-3004472685-795898619-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{21A09A26-3F3C-4786-97CB-7495A1C6C36A}" => key removed successfully
HKCR\CLSID\{21A09A26-3F3C-4786-97CB-7495A1C6C36A} => key not found.
"HKU\S-1-5-21-2626068928-3004472685-795898619-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D944BB61-2E34-4DBF-A683-47E505C587DC}" => key removed successfully
HKCR\CLSID\{D944BB61-2E34-4DBF-A683-47E505C587DC} => key not found.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
"HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value removed successfully
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => key not found.
HKU\S-1-5-21-2626068928-3004472685-795898619-1001\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value removed successfully
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => key not found.
Firefox "homepage" removed successfully
"HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
"HKLM\Software\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE" => key removed successfully
EmptyTemp: => 135.5 MB temporary data Removed.


The system needed a reboot..

==== End of Fixlog 14:31:14 ====

Rebooted


Report •
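
A way to triage a Fixlog.txt like the one posted in #12, as an added example that is not part of the original thread and is not FRST's own code: it classifies each result line by the outcome wording visible in that log and sets aside any line with other wording for a manual read. The function names, the outcome labels and the "review" bucket are assumptions of this example; only the phrases that appear in the log above are recognised.

```python
import re
from collections import Counter

# Result lines excerpted from the Fixlog.txt posted in #12.
SAMPLE_FIXLOG = r'''
Processes closed successfully.
C:\ProgramData\Temp => ":5C321E34" ADS removed successfully.
"HKLM\SOFTWARE\Policies\Google" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => value removed successfully
HKCR\CLSID\{CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} => key not found.
Firefox "homepage" removed successfully
EmptyTemp: => 135.5 MB temporary data Removed.
'''

# Outcome phrases that appear in this page's log, checked in order.
# Any other wording is classed as "review" so that a person reads it.
OUTCOMES = [
    ("not_found", re.compile(r"not found", re.I)),  # target was already absent
    ("restored", re.compile(r"restored successfully", re.I)),
    ("removed", re.compile(r"removed", re.I)),
    ("closed", re.compile(r"closed successfully", re.I)),
]

def classify(detail):
    """Map the text after '=>' (or the whole line) to an outcome label."""
    for name, pattern in OUTCOMES:
        if pattern.search(detail):
            return name
    return "review"

def parse_fixlog(text):
    """Return one dict per result line: target, root, outcome, raw."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        target, sep, detail = line.partition(" => ")
        if not sep:  # lines without "=>" name no target path
            target, detail = "", line
        target = target.strip('"')
        # Root is the hive or drive (HKLM, HKU, HKCR, C:) when a path is given.
        root = target.split("\\", 1)[0] if "\\" in target else ""
        entries.append({"target": target, "root": root,
                        "outcome": classify(detail), "raw": line})
    return entries

def summarize(entries):
    """Tally outcomes and collect every line that needs a manual read."""
    counts = Counter(e["outcome"] for e in entries)
    review = [e["raw"] for e in entries if e["outcome"] == "review"]
    return counts, review

if __name__ == "__main__":
    counts, review = summarize(parse_fixlog(SAMPLE_FIXLOG))
    print(dict(counts))
    print("needs review:", review)
```

Filtering the parsed entries on `root == "HKU"` shows which changes were made in a user's own registry hive rather than machine-wide.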

#13
September 3, 2015 at 14:25:55
"OK, I got it. I didn't have FRST64 on my desktop"
Thanks fellas.

Run DelFix. Copy & Paste the contents of the log please.
https://toolslib.net/downloads/view...
DelFix is designed to delete all removal tools used during a disinfection.
Indeed, these tools are often updated. It's recommended not to have and use outdated versions on computer.
Run the tool by right click on the DelFix icon and Run as administrator option.
Make sure that these are checked:
Activate UAC (optional; some users prefer to keep it off)
Remove disinfection tools
Create registry backup
Purge system restore
Reset system settings
Click Run and wait until the tool completes its work.
Tool will create a report for you (C:\DelFix.txt)

message edited by Johnw


#14
September 3, 2015 at 18:24:46
Ran DelFix. Didn't save the report. Laptop is running great. Thank you again to all.

#15
September 3, 2015 at 18:45:40
Here is how a USER got these problems, no AV would have prevented USER error. Go to any Malware forum & no matter what AV they have installed, they got infected.

As you can see from your logs, you had a lot of stuff installed, that you do not know, how it got installed.
A lot of programs, now give you the choice to install toolbars & other during the install. Either uncheck these items during install, or use Custom install. No more click, click during an install, you have to read after each click.

WARNING: CNET Download.com downloads now come bundled with opt-out crapware and toolbars ( Same applies to Softonic & Brothersoft )
http://www.groovypost.com/unplugged...

I use Softpedia & FreewareFiles.com, they make you aware what Ad-supported programs the author of the program has included. In your case, it probably was ImgBurn.
http://win.softpedia.com/index.free...
http://www.freewarefiles.com/new_fi...
Sample pages
http://www.softpedia.com/get/CD-DVD...
First and foremost, extra attention needs to be paid during installation as ImgBurn offers to create desktop shortcuts to third-party apps, as well as install a browser toolbar onto the host computer, which are not required to ensure the smooth running of the app.
SS of above.
http://i.imgur.com/jgGYNsP.gif
http://i.imgur.com/rqSpp1e.gif
This is what ImgBurn tries to install.
http://i.imgur.com/ms4DzE9.gif
http://i.imgur.com/vVkd39a.gif
http://i.imgur.com/rqFVaHs.gif
http://i.imgur.com/sm1T7h6.gif
http://i.imgur.com/vhkKLYo.gif

Use Unchecky to help prevent these third party installs. Nothing is perfect, the baddies are always ahead of the goodies, so be vigilant.
http://www.softpedia.com/get/System...
http://www.freewarefiles.com/Unchec...
http://unchecky.com/
A reliable application that aims to protect your computer against third-party components often offered during software installations.

