Solved

Cannot disable or remove Browser helper objects

Posted on 2015-02-01
Last Modified: 2015-02-04
A customer is having problems with Pop-ups in IE11, Firefox, and Chrome.  I have run Malwarebytes, Superantispyware, junkware removal tool and ADWcleaner.  And, I have manually uninstalled all of the trashware that I could find.

I am still getting pop-ups, redirects, and bogus firewall notices on this computer.  Part of the problem appears to be 4 items listed under toolbars and extensions in "Manage Add-Ons".  The 4 items are offersapp, laowraete, niceanffRee, and daily prize.  The disable and remove buttons are grayed out for these items.

How do I recover the use of this computer?
0
Question by:rhavey
22 Comments
 
LVL 24

Expert Comment

by:VB ITS
ID: 40583067
Have you tried running Internet Explorer under the Administrator context to see if you can disable the add-ons?

Right click on Internet Explorer then choose Run as administrator. See if you can remove the add-ons now.

Otherwise try running Internet Explorer in Safe mode. Click Start then type in Internet Explorer in the Search box, right click Internet Explorer (No Add-ons) then Run as administrator. Try and remove the add-ons this way.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40583076
rhavey --
Run antivirus and antimalware scans.
Are you sure the spelling is correct for offersapp, laowraete, niceanffRee, and daily prize?
0
 
LVL 1

Author Comment

by:rhavey
ID: 40583097
Running as administrator and with no add-ons as administrator did no good.

I ran Malwarebytes and Superantispyware as well as ADW cleaner.  Malwarebytes and Superantispyware found nothing.  ADW cleaner found problems with Firefox and Chrome, some folders and some Registry entries and cleaned them.

The spelling was not correct.  It was hard to read the small print.  It should have been offeraapp, laowrraete, niiceanffRee, and daiilyprize.

I tried to run ESET's online scanner before, but the pop-ups and redirects would not allow it.  I tried it running as administrator with the same result.  I was shown an ad for McAfee and then for something called Spyware clear.  The pop-up window said Ads by Offerapp (spelled correctly).  I tried to run ESET again with no add-ons as administrator, but the online scanner would not run - a blank window after the start button.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40583100
Try logging in with a different account (if possible) to do the scans. Otherwise try restarting the computer in Safe Mode (with networking) and attempt to do the scans there. To get into Safe Mode, restart the computer and tap away at your F8 key until you see the menu which will allow you to go into Safe Mode.

Sounds like the machine is definitely infected!
0
 
LVL 1

Author Comment

by:rhavey
ID: 40583113
Safe mode with networking did not allow me to fix the problem.

I am working remotely.  So I might need some help from the user to get into another profile.  I will try that tomorrow.

It's not clear what good a new profile will do.  Assuming that IE is not immediately infected in the new profile,  the computer would be.  I suppose I can try running the ESET scanner in the new profile.

I was hoping that someone knew of a tool or a registry hack that would be effective in this situation.
0
 
LVL 24

Accepted Solution

by:
VB ITS earned 500 total points
ID: 40583124
Have you tried using the HiJackThis tool to try and remove the add-in? It definitely has the ability to do this as I use it all the time to remove silly BHOs that can't get removed any other way. You can download it here: http://sourceforge.net/projects/hjt/

If you really want to get rid of it through the registry then you'll first need to take note of the Class ID of the add-on:
- Double click the add-on in the Manage add-ons window
- Note down the Class ID (type it into an open Notepad window for example)
- Open the Registry Editor by clicking on Start > Run (or press Windows + R together) > type in regedit > click OK
- In the Registry Editor, make sure you click on Computer first then click on Edit > Find
- Copy and paste the Class ID from the Notepad window you have open
- Delete any offending entries that you find

Restart the computer once you've repeated the above steps for all stubborn add-ons and see if you can still see them in IE.
0
 
LVL 1

Author Comment

by:rhavey
ID: 40583135
Before I go off half cocked, I can right click the extension and click More Information.  One of the things that is shown is the Class ID.  That number is pervasive in the Registry.  How much trouble will I cause if I delete all references to the Class ID and will that kill the extension?
0
 
LVL 1

Author Comment

by:rhavey
ID: 40583138
I'm sorry VB ITS.  I didn't see your post before I asked my last question.  I will try Hijack This in the AM.  I had forgotten that it can correct as well as report problems.  I haven't used it in a while.  Right now it's time to get something to eat and get some sleep.
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40583174
Download, install and run Process Explorer from Microsoft. Look for the Explorer tree on the left side and now see if there are any strange (alphanumeric) processes.  If so, kill this process (these processes), exit Process Explorer but do NOT restart.

Now run Malwarebytes again and remove all the malware you can. When done, close out, restart and see if the pop ups are gone.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40583251
"How much trouble will I cause if I delete all references to the Class ID and will that kill the extension?"
Not much really, as you're only removing references to the annoying add-ins. If anything you may see an error message about not being able to load the add-in but that's fine as we're trying to get rid of all the ads and redirects in the first place. Once we've done this you should be able to access ESET or whatever online malware scanner you couldn't get to originally.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40584304
rhavey --
Offerapp is malware/adware.  You may find it in Control Panel|Programs and Features.  Uninstall from there.
Or if no help
http://www.bleepingcomputer.com/uninstall/935/OfferApp.html

I think the spelling of the other problem popups is still questionable.

Try running Chameleon from MalwareBytes.
https://www.malwarebytes.org/chameleon/
You then should be able to run MalwareBytes.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40584953
John gave some good advice.  This can be automated by using Chameleon from Malwarebytes.org (malwarebytes.org/chameleon): run the svchosts file in the chameleon directory.  This will do the following:

attempt to kill known rogue processes
update definitions for MBAM
run a scan using MBAM without rebooting

(just realized that jcimarron gave the same info above)

when you are done reboot

then try using SpyBHORemover from securityxploded.com.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40585031
rhavey ----
In addition to running Process Explorer consider running AutoRuns.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
This will show you what apps are starting at boot.  Read the instructions.
0
 
LVL 1

Author Comment

by:rhavey
ID: 40585326
I will not be able to try any of this until at least Wednesday.  There were power outages in my customer's neighborhood today that apparently also affected his Internet connection.  Verizon is sending someone out, but they can't do that until Wednesday.

I will test things as soon as I can reconnect with my customer.
0
 
LVL 1

Author Closing Comment

by:rhavey
ID: 40589848
Hijack This found 2 of the extensions, but could not remove them.  Malwarebytes and Chameleon did not detect any problem.

I removed all 4 extensions manually, which cured the problem in IE.  When I opened Firefox, it was also misbehaving, but killing the extensions fixed it.  Chrome was not responding.  I uninstalled and reinstalled Chrome and made sure that the offending extensions were not present.

Everything is worling.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40589883
Very good! I would suggest you install AdBlock Plus on all three browsers, which can help prevent these sorts of add-ons and extensions from installing. AdBlock Plus won't be able to entirely prevent this from happening (as it can only do so much); however, it does significantly improve the web browsing experience and also reduces the likelihood of these malicious extensions reinstalling themselves.
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 40589915
rhavey--
It is good to hear all is well.

"I removed all 4 extensions manually"
And were you able to identify the BHO's more accurately (e.g. laowraete)?
Could you tell us more about the manual procedure so we all can learn?
Were they not in Control Panel|Programs and Features?
0
 
LVL 1

Author Comment

by:rhavey
ID: 40590112
My second attempt at the spellings was correct - unlike when I fat fingered working in my closing post.  I had to use a magnifier to see the small print.

There was no Entry in Programs and Features for any of the 4, and as I said, they were not detectable by any of the tools I normally use to clean up this kind of mess.

After the manual cleanup, the ESET online scanner was able to run and it found some files that were associated with some of the offending extensions.

The procedure was what VB ITS suggested:
1. Right click the entry in Manage Add-Ons.
2. Click Properties.
3. Note the Class ID.  Life would be too easy if it could be copied and pasted.  I was able to copy the 2 found by Hijack This from the log.
4. Open the registry editor.
5. Back up the registry.
6. Start at the top, and click Edit.
7. Click Find.
8. Enter the Class ID in the Find What box.
9. Click Find Next.
10. Delete the first item found.
11. Tap F3.
12. Delete the next item found.
13. Repeat 11 and 12 until the Finished Searching Registry notification appears.
14. Go back to the beginning of the registry.
15. Tap F3 one more time to be sure an entry wasn't skipped.

All of the pop-ups are gone.
0
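
The lookup half of the manual procedure in the accepted solution and in rhavey's write-up above (note the Class ID, then find every registry entry that mentions it) can be scripted. This is an added example, not code from anyone in the thread; it assumes a 64-bit Windows PowerShell prompt and the standard BHO registration keys, and the function names `Get-BhoInventory` and `Find-ClsidReference` are hypothetical. It only reads the registry and deletes nothing.

```powershell
# Added example (read-only): inventory IE Browser Helper Objects and list
# every registry key that references a given Class ID. Nothing is deleted.
# Assumes a 64-bit PowerShell session (no WOW64 registry redirection).

# Each BHO registration key, paired with the CLSID branch of the same bitness.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-BhoInventory {
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid    = $key.PSChildName                    # subkey name is the Class ID
            $classKey = Join-Path $v.Clsid $clsid
            $inproc   = Join-Path $classKey 'InprocServer32'
            $name = $null; $dll = $null
            # The default value of the CLSID key is the display name;
            # the default value of InprocServer32 is the DLL that IE loads.
            if (Test-Path -LiteralPath $classKey) { $name = (Get-Item -LiteralPath $classKey).GetValue('') }
            if (Test-Path -LiteralPath $inproc)   { $dll  = (Get-Item -LiteralPath $inproc).GetValue('') }
            [pscustomobject]@{ ClassId = $clsid; Name = $name; Dll = $dll; BhoKey = $key.Name }
        }
    }
}

function Find-ClsidReference {
    param([Parameter(Mandatory)][string]$ClassId)
    foreach ($hive in 'HKLM', 'HKCU') {
        # reg.exe searches key names, value names and data; matching key
        # paths are the output lines that start with "HKEY_".
        reg.exe query $hive /s /f $ClassId 2>$null |
            Where-Object { $_ -like 'HKEY_*' } |
            Sort-Object -Unique
    }
}

# Class IDs come out as text, so nothing has to be retyped from the dialog.
$bhos = Get-BhoInventory
$bhos | Format-List

# After reviewing the list, show every key that references one entry:
# Find-ClsidReference -ClassId $bhos[0].ClassId
```

The `Dll` column also gives the file on disk to hand to a scanner once the registry references are gone. A full `reg.exe query HKLM /s` walk can take several minutes.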
 
LVL 50

Expert Comment

by:jcimarron
ID: 40590138
rhavey--
You are most kind to tell us.  The procedure sounds tedious, but it worked!
Thanks.
0
 
LVL 1

Author Comment

by:rhavey
ID: 40590170
It could have been worse.  There were only 8 or so registry entries per BHO.
0
 
LVL 24

Expert Comment

by:VB ITS
ID: 40590178
Yep, it's a very tedious process but it works if you can't get rid of them via any other means.

Glad I could help :)
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40590230
Did you try SPYBHORemover? Even if you have solved this you should check it out. Anything you find on the securityxploded.com site is good.
0
