Hi !

Unfortunately I got trapped by some malware. AdwCleaner removed nearly all of it, but somewhere there's still something hidden that at least IE11 is still responding to.

Sometimes when clicking in an empty area of a website's page (where no links are visible), a new tab opens, showing that the URL hxxp://www.smartnewtab.com is opened, leading to another website with crap.

AdwCleaner in the last version discovered problems like a link to trustedsites.com (as it was called, as far as I remember now), but this other problem still exists.

I also use Firefox sometimes; till now I didn't experience the problem there. But as it also does not always occur in IE, I'm not sure if it's hidden there too.

Thanks in advance, Klaus

Re: smartnewtab.com

Hello knatterton_nick,

Can you please post the log file of AdwCleaner? You can find it in C:\AdwCleaner\AdwCleaner[SX].txt, where X is a number.

To understand what's happening on your computer, can you use ZHPDiag:

  • Download ZHPDiag from Nicolas on his website.
  • Then run it with administrator's rights (with right click).
  • Then upload the log file on up2share.
  • Then post the link in your reply.

With that log file we will be able to understand what's happening.

Chapi

Re: smartnewtab.com

Hi !

Here is the last Adw-Log:

# AdwCleaner v5.109 - Bericht erstellt am 09/04/2016 um 02:21:55
# Aktualisiert am 04/04/2016 von Xplode
# Datenbank : 2016-04-07.1 [Server]
# Betriebssystem : Windows 7 Professional Service Pack 1 (x64)
# Benutzername : MainAdmin - KR-WS
# Gestartet von : C:\Users\Public\Documents\adwcleaner_5.109.exe
# Option : Suchlauf
# Unterstützung : http://toolslib.net/forum

***** [ Dienste ] *****

***** [ Ordner ] *****

***** [ Dateien ] *****

***** [ DLL ] *****

***** [ Verknüpfungen ] *****

***** [ Aufgabenplanung ] *****

***** [ Registrierungsdatenbank ] *****

***** [ Internetbrowser ] *****

*************************

\AdwCleaner\AdwCleaner[C1].txt - [1226 Bytes] - [09/04/2016 02:03:13]
\AdwCleaner\AdwCleaner[S1].txt - [1226 Bytes] - [09/04/2016 02:00:17]
\AdwCleaner\AdwCleaner[S2].txt - [816 Bytes] - [09/04/2016 02:21:55]

########## EOF - \AdwCleaner\AdwCleaner[S2].txt - [886 Bytes] ##########

ZHP reported 3 Bugs, here is the link:

https://up2sha.re/file?f=ULwrt6scAp2s

 

Best regards, Klaus

Re: smartnewtab.com

Hi,

OK, there are just some minor infections and a lot of software that I don't know, so I will have to do some research to find out if any of it can be dangerous.

But before we do a script with ZHPFix, we are going to clean that computer up a little:

  • Removing unused or unknown software:
    • Please go to the Windows tool to uninstall software (via configuration panel > uninstall software)
    • Then remove the software that you don't use or don't know, and that doesn't belong to any legit company, such as Microsoft, Adobe, Steam... If you have any doubt, please just ask me :)
    • For example, do you use this software:
      • 1AVCenter
      • Akamai NetSession Interface
      • Advanced Installer 9.9 - (.Caphyon.)
      • ConvertHelper
      • Corel
      • DocMgr
      • eMusic Download Manager
      • LockHunter
      • Paragon
      • PDF Editor
      • ...

 

Then we will use ZHPCleaner, a tool from Nicolas Cleaner that might remove the last problem on IE :

  • Download ZHPCleaner, from Nicolas on his website.
  • Then run it with administrator's rights (with right click).
  • Choose to scan and wait during the scan.
  • At the end choose "Rapport"; a log file should open, please copy its content in your answer.

 

A+

Chapi

Re: smartnewtab.com

Hi !

Here is the last Adw-Log:


# AdwCleaner v5.109 - Bericht erstellt am 09/04/2016 um 02:21:55
# Aktualisiert am 04/04/2016 von Xplode
# Datenbank : 2016-04-07.1 [Server]
# Betriebssystem : Windows 7 Professional Service Pack 1 (x64)
# Benutzername : MainAdmin - KR-WS
# Gestartet von : C:\Users\Public\Documents\adwcleaner_5.109.exe
# Option : Suchlauf
# Unterstützung : http://toolslib.net/forum

***** [ Dienste ] *****

***** [ Ordner ] *****

***** [ Dateien ] *****

***** [ DLL ] *****

***** [ Verknüpfungen ] *****

***** [ Aufgabenplanung ] *****

***** [ Registrierungsdatenbank ] *****

***** [ Internetbrowser ] *****

*************************

\AdwCleaner\AdwCleaner[C1].txt - [1226 Bytes] - [09/04/2016 02:03:13]
\AdwCleaner\AdwCleaner[S1].txt - [1226 Bytes] - [09/04/2016 02:00:17]
\AdwCleaner\AdwCleaner[S2].txt - [816 Bytes] - [09/04/2016 02:21:55]

########## EOF - \AdwCleaner\AdwCleaner[S2].txt - [886 Bytes] ##########


ZHP reported 3 Bugs, here is the link:

https://up2sha.re/file?f=ULwrt6scAp2s

 

Best regards, Klaus

 

Re: smartnewtab.com

Should not press F5 ...

Re: smartnewtab.com

Hi !

What a quick reply and perfect support :-)

I do a cleanup of the installed software frequently, there should not be too much unknown.

Most of the programs you listed have been installed for a while and are known to me (some are quite famous like Corel or Paragon), only DocMgr is quite questionable - it isn't listed in the installed programs, and I can find it listed in the start menu.

I ran CCleaner to see if there are invalid registry entries for DocMgr, but couldn't find any (found invalid entries for a software named Disk Drill ...), so at the moment I could only search the registry for the word "DocMgr" and remove all keys which I can find with this. No other idea at the moment :-) But I will only do so if you recommend that.

Here's the result of ZHPCleaner:


~ ZHPCleaner v2016.4.8.52 by Nicolas Coolman (2016/04/08)
~ Run by kr (Administrator)  (09/04/2016 17:09:11)
~ Site : http://www.nicolascoolman.com
~ Facebook : https://www.facebook.com/nicolascoolman1
~ State version : Version OK
~ Type : Scanner
~ Report : C:\Users\kr\Desktop\ZHPCleaner.txt
~ Quarantine : C:\Users\kr\AppData\Roaming\ZHP\ZHPCleaner_Quarantine.txt
~ UAC : Activate
~ Boot Mode : Normal (Normal boot)
Windows 7 Professional, 64-bit Service Pack 1 (Build 7601)

---\\  Dienst. (0)
~ Alle bösartigen oder unnötige Element gefunden.

---\\  Browser. (1)
GEFUNDEN Daten: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride [Bad : <local>]  =>Hijacker.Proxy

---\\ Datei Host. (1)
~ die Hostdatei ist legitim. (21)

---\\  Geplante Tasks (0)
~ Alle bösartigen oder unnötige Element gefunden.

---\\  Explorer (Ordner, Dateien). (31)
GEFUNDEN Datei: C:\Users\kr\Desktop\MyPhoneExplorer portable\MyPhoneExplorer portable.exe [F.J. Wechselberger - MyPhoneExplorer]  =>.Superfluous.FJWechselberger
GEFUNDEN Ordner: C:\Users\kr\Desktop\MyPhoneExplorer portable\Data  =>.Superfluous.FJWechselberger
GEFUNDEN Ordner: C:\Users\kr\Desktop\MyPhoneExplorer portable\DLL  =>.Superfluous.FJWechselberger
GEFUNDEN Ordner: C:\Users\kr\Desktop\MyPhoneExplorer portable\holidays  =>.Superfluous.FJWechselberger
GEFUNDEN Ordner: C:\Users\kr\Desktop\MyPhoneExplorer portable\languages  =>.Superfluous.FJWechselberger
GEFUNDEN Ordner: C:\Users\kr\Desktop\MyPhoneExplorer portable  =>.Superfluous.FJWechselberger
GEFUNDEN Ordner: C:\Users\kr\AppData\Local\CrashRpt\UnsentCrashReports  =>.Superfluous.CrashReports
GEFUNDEN Ordner: C:\Users\kr\AppData\Local\CrashRpt  =>.Superfluous.CrashReports
GEFUNDEN Ordner: C:\Windows\Installer\MSI38BF.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI405C.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI45A6.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI473E.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI4905.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI4B9D.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI4CD3.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI54B3.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI5667.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI5D7F.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI6722.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI6.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI79A8.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI85D9.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSI9B32.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSIB54A.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSIBA54.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSID6D4.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSIDAD8.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSIE081.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSIE6E9.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSIF113.tmp-  =>Empty
GEFUNDEN Ordner: C:\Windows\Installer\MSIF1AD.tmp-  =>Empty

---\\  Registrierung (Schlüssel, Werte, Daten). (10)
GEFUNDEN key: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\dll-files.com []  =>PUP.Optional.DllFilesFixer
GEFUNDEN key: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.audienceinsights.net [43]  =>.Superfluous.AudienceInsights
GEFUNDEN key: HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\static.olark.com [21127]  =>PUP.Optional.Generic
GEFUNDEN key: [X64] HKLM\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56} [secman]  =>Trojan.Camec
GEFUNDEN key: [X64] HKLM\SOFTWARE\Classes\LancomConfigFile [LANconfig Konfiguration]  =>Adware.Navipromo
GEFUNDEN key: [X64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\lanconf.exe [C:\Program Files (x86)\LANCOM\LANconfig\lanconf.exe]  =>Adware.Navipromo
GEFUNDEN key: [X64] HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5} [ITool]  =>Toolbar.Ask
GEFUNDEN key: [X64] HKLM\SOFTWARE\Wow6432Node\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56} [secman]  =>Trojan.Camec
GEFUNDEN key: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{48EAAAE9-F628-E8C2-91E9-72B13D43FFC5} [Microsoft Corporations]  =>Heuristic.Suspect
GEFUNDEN key: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\lanconf.exe [C:\Program Files (x86)\LANCOM\LANconfig\lanconf.exe]  =>Adware.Navipromo

---\\  Zusammenfassung der Elemente gefunden auf Ihrer workstation (10)
http://www.nicolascoolman.fr/?p=4664  =>Hijacker.Proxy
http://www.nicolascoolman.fr/?p=5145  =>.Superfluous.FJWechselberger
http://www.nicolascoolman.fr/?p=5145  =>.Superfluous.CrashReports
http://www.nicolascoolman.fr/pup-optional-dllfilesfixer/  =>PUP.Optional.DllFilesFixer
http://www.nicolascoolman.fr/?p=5145  =>.Superfluous.AudienceInsights
http://www.nicolascoolman.fr/?p=4664  =>PUP.Optional.Generic
http://www.nicolascoolman.fr/?p=4664  =>Trojan.Camec
http://www.nicolascoolman.fr/?p=965  =>Adware.Navipromo
http://www.nicolascoolman.fr/?p=235  =>Toolbar.Ask
http://www.nicolascoolman.fr/?p=4664  =>Heuristic.Suspect

---\\Reparieren Check
~ keine Reparaturen.
~ dieser Browser fehlt (Google Chrome)
~ dieser Browser fehlt (Opera Software)

---\\Statistiken
~ Elemente gescannt : 121411
~ Einträge gefunden : 42
~ Elemente abgesagt : 0
~ Elemente repariert : 0

~ End of search in 00h16mn44s
===================
ZHPCleaner-[S]-09042016-17_25_55.txt


Short comment on the results:

LANCOM basically is a bigger supplier of industrial WLAN equipment, MyPhoneExplorer is a tool to access Android phones from a Windows PC.

Thank you again, Klaus

Re: smartnewtab.com

Hi :)

I do a cleanup of the installed software frequently, there should not be too much unknown.

Most of the programs you listed have been installed for a while and are known to me (some are quite famous like Corel or Paragon), only DocMgr is quite questionable - it isn't listed in the installed programs, and I can find it listed in the start menu.

I ran CCleaner to see if there are invalid registry entries for DocMgr, but couldn't find any (found invalid entries for a software named Disk Drill ...), so at the moment I could only search the registry for the word "DocMgr" and remove all keys which I can find with this. No other idea at the moment :-) But I will only do so if you recommend that.

If you do frequent cleaning and stay attentive to what you install, that's perfect.

I will include DocMgr in the ZHPFix to remove it if you don't want it :)

 

Now let's analyse this ZHPCleaner scan :

LANCOM basically is a bigger supplier of industrial WLAN equipment,

You are right, that looks like a false positive. To be sure before informing Nicolas Coolman, can you scan this file with VT:

  • Go to VirusTotal.com
  • Click on Choose file
  • Browse to C:\Program Files (x86)\LANCOM\LANconfig\lanconf.exe
  • Then click on Scan It
  • If asked, choose to reanalyse the file.
  • Then post the link in your answer.

 

MyPhoneExplorer is a tool to access Android phones from a Windows PC.

I'm curious, why do you need a tool to access Android phones?

 

GEFUNDEN key: [X64] HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{48EAAAE9-F628-E8C2-91E9-72B13D43FFC5} [Microsoft Corporations]  =>Heuristic.Suspect

It's linked to Windows SDK EULA, so you might want to keep it :)

 

Then you can scan again with ZHPCleaner, uncheck all the elements you want to keep: Lancom, MyPhoneExplorer and Windows SDK EULA. And then choose to remove what remains.

Finally, we will use one last piece of software to scan your computer before the end:

  • Download Malwarebytes Anti-Malware.
  • Install it with default options, but be sure to uncheck the activation of MBAM Premium.
  • On the Analysis tab, select Threat analysis.
  • If it finds something, choose to delete it.
  • After the reboot of the computer, restart Malwarebytes.
  • Go to the History and find the last scan log.
  • Choose to export it as *.txt and post its content in your answer.

A+

Chapi

Re: smartnewtab.com

Good morning !

To your suggestions:

Removing DocMgr would of course be fine !

lanconf.exe is checked, false positive :-)

MyPhoneExplorer: Used it two times till now to get the SMS archive on the PC, which is a special task ;-)

ZHPCleaner: Ran it, removed the threats. But I noticed two strange behaviors when running ZHPCleaner - first I started it when IE and Firefox were active (which were reported to be closed), I closed them both (ended the processes to be able to open all tabs when restarting) and ZHPCleaner was through within a few seconds, reporting only one bug which I removed. So I restarted ZHPCleaner, this time it found all problems after a normal long scan, I also removed them. To make sure that everything was done (but not the excluded points) I did a third scan, which leads me to the second unexpected behavior. I clicked/opened the repair function/window, showing only the excluded points. I was satisfied, clicked the closing-X in the upper right corner of the window - and the repair started and removed the excluded points too :-( I found all removed registry entries in the log and the file with the exported Microsoft registry and imported it, so the repair is undone; and MyPhoneExplorer can be downloaded again :-)

One question to MalwareBytes before installing it: I have MS Security Essentials installed, won't there be a problem defending one another (and making the PC nearly unusable) when both are active? I experienced this problem once before with other scanners ...

Best regards, Klaus

Re: smartnewtab.com

Hi Klaus,

 

I will inform the developer of ZHPCleaner that the software has some weird behaviour. Do you want any help to restore some files? ZHPCleaner has got a quarantine :)

One question to MalwareBytes before installing it: I have MS Security Essentials installed, won't there be a problem defending one another (and making the PC nearly unusable) when both are active? I experienced this problem once before with other scanners ...

That's a good question :) In fact, MalwareBytes has two different behaviours depending on the settings, and on whether you activate the Premium version.

With the Premium version, it works as a permanent scanner, like an antivirus. And therefore it might come into conflict with MSE. But if you uncheck that, it just scans when you ask it to, and then it can be compared to ZHPDiag or AdwCleaner.

So don't worry, you can go with MBAM without the Premium version.

Have a nice Sunday :)

Chapi

Re: smartnewtab.com

Hello Chapi,

here's my update on the last work:

I found the quarantine (MBAM too ;-), everything restored, no problem, thank you !

And MBAM (was busy the whole day long, more than a million files ... but no interference with SE) detected several more entries in the registry, one js in Firefox and a Trojan which Security Essentials had already disposed of in the trash. So nothing active and heavily threatening, so far so good!

Till now no more new unwanted tabs opened in IE, seems your help was great and very efficient - I hope my experiences help others, or help to make your tools a little more perfect !

My best wishes for now, Klaus

Re: smartnewtab.com

Hello Klaus,

I'm glad I could help.

And thank you for your feedback on the tools.

Chapi

Re: smartnewtab.com

Hello Chapi !

Celebrated too early - smartnewtab.com still opens occasionally in IE :-(

I ran a scan an hour ago with the newest versions of ZHPDiag and ZHPCleaner, both could only find the false positives which they also discovered the last days, logs are available if they are helpful for you.

Thank you again, Klaus

Re: smartnewtab.com

Hi,

Well, bad news.

As ZHPCleaner, ZHPDiag, ADWCleaner and MBAM don't find where those pop-ups come from, we will have to remove them manually!

To do that, we will reset all the preferences of Internet Explorer, and I can give you better explanation than what is explained on this Microsoft description, choosing Delete personal settings (step 5 of the tutorial).

Then please tell me if it successfully manages to remove all your problems.

Good luck,

Chapi

Re: smartnewtab.com

Hi, me once more :-)

It seems resetting IE solved the problem, after it no more strange tab opening happened in IE till now.

Would have been interesting where the problem was hidden in IE and how it could have been removed, but this also seems to work - thank you for your help !

Have a nice weekend,

Klaus

Re: smartnewtab.com

Hi,

You are right, we could have investigated what was creating those pop-ups. In fact a search of the registry for the URL of the pop-ups could have worked, since a great part of the IE configuration is set under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer.

We will do that next time!

Some recommendations: as Internet Explorer is not really considered the safest web browser, I would highly recommend that you install AdBlock Plus and make sure your plugins are up to date, especially Flash, Java and Adobe Reader.

If you need any help or have any question, just let me know.

Have a nice week-end,

Chapi
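
The registry search suggested in the last reply, as an added example that is not part of the original thread: a read-only PowerShell function that walks HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer and lists every key name, value name or value data containing the pop-up's domain. The function name `Find-RegistryString` is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Added example: read-only search of the IE registry subtree for a hijack URL.
# Root key and search string come from the thread; the function name is hypothetical.
function Find-RegistryString {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        [Parameter(Mandatory = $true)] [string] $Needle
    )
    # Escape the needle so dots in a domain are matched literally
    $pattern = [regex]::Escape($Needle)

    # The root key itself plus every subkey; unreadable keys are skipped
    $keys = @(Get-Item -LiteralPath $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        # A hit in the key path itself (for example a DOMStorage\<domain> subkey)
        if ($key.Name -match $pattern) {
            [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
        }
        foreach ($name in $key.GetValueNames()) {
            # Do not expand %VAR% so the stored string is reported as written
            $data = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # REG_BINARY often holds UTF-16 text; REG_MULTI_SZ is a string array
            $text = if ($data -is [byte[]]) {
                [System.Text.Encoding]::Unicode.GetString($data)
            } else {
                @($data) -join ' '
            }
            if ($name -match $pattern -or $text -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Data = $text }
            }
        }
    }
}

# Nothing is modified; review each hit before deciding what to remove.
Find-RegistryString -Root 'HKCU:\Software\Microsoft\Internet Explorer' -Needle 'smartnewtab' |
    Format-List
```

The same call with `-Root 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'` covers the proxy values that ZHPCleaner flagged earlier in the thread.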