(SOLVED) Need help please. PCKeeper ad ware removal.

CompConfig

I have a client who called me with this issue. It turns out that 3 computers have it. One is very bad. I have searched and researched this and so far this is what I have tried: Kaspersky rescue disk, rkill, Malwarebytes, ADW, ComboFix, RogueKiller and at least 7 others.

The only thing on the computers affected are the browsers. Whenever you click a link you get the PC Keeper pop-up. I have gone through the logs and reset the browsers after each cleaning cycle. There is no PC Keeper software anywhere on the computers. I have gone through the registry. Tried System Restore in conjunction with other recommended actions. Bleeping Computer has a specific 8-step process to resolve this and I followed it. It involves many different removal tools, most of which I have mentioned.

Any ideas are welcomed, I will try it all. Thanks!
 
Check proxy settings.

Check hosts file.

Any backup systems in place (TrueImage etc.?).

If all else fails, try Windows Restore / Refresh (I've found W8 restore / refresh actually does a fair job - please don't kick me from the forums for saying so). I didn't catch what OS you were running.

I've had a few proxy viruses where, after a certain amount of time and still not a lot of traction in yielding a clean system, I call it... backup, wipe, reinstall (yes, I know, N&P, but sometimes that is necessary for keeping your margins AND guaranteeing a clean system for the customer).
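The two checks suggested at the top of this reply (proxy settings and the hosts file) can be done in one pass. The script below is an added example, not something posted in this thread, and it assumes that nothing on this network legitimately uses a proxy, a PAC script or custom hosts entries, so anything it flags is simply something to verify by hand.

```powershell
# Added example: triage of WinINET/WinHTTP proxy settings and the hosts file.
# Run in an elevated PowerShell on the affected machine.
# Assumption: no proxy or PAC script is expected on this network.

$proxyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $proxyKey

Write-Host "ProxyEnable   : $($proxy.ProxyEnable)"
Write-Host "ProxyServer   : $($proxy.ProxyServer)"
Write-Host "AutoConfigURL : $($proxy.AutoConfigURL)"   # a PAC URL here silently reroutes browser traffic
if ($proxy.ProxyEnable -eq 1 -or $proxy.AutoConfigURL) {
    Write-Warning "A proxy or PAC script is configured for this user; confirm it is expected."
}

# The machine-wide WinHTTP proxy is stored separately and is not shown in Internet Options
netsh winhttp show proxy

# Hosts file: print every active (non-comment) line and flag anything beyond localhost
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entries = Get-Content $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
foreach ($line in $entries) {
    if ($line -match '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$') { continue }
    Write-Warning "Unexpected hosts entry: $line"
}
if (-not $entries) { Write-Host "hosts file has no active entries." }

# File attributes: a hidden or read-only hosts file is worth a second look
(Get-Item $hostsPath -Force).Attributes
```

Run it per user profile as well as once elevated, since the WinINET proxy lives under HKCU and a redirect set for one account will not show up when you are logged in as another.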
 
This is one instance where I am considering N&P, but at this point this is a challenge. I should have mentioned these are Win 7 Pro SP1 machines and have all patches installed. Prior to this infection they were running Kaspersky Internet Security and Malwarebytes. The browsers are IE 11, Firefox and Chrome. There is a server running 2012 Essentials with Endpoint Protection and VoodooShield along with Malwarebytes, which is clean and has staggered backups and full images, so their files and data are safe.

I should also mention that after every full scan, no matter the program, there was nothing found, not even a PUP. This is a small professional firm and they do not play around. I also ran Bitdefender, looked through every file, and cleaned out everything that was not essential.
 
YES! That is the post I was referring to and I followed it to the T. Twice! Lol, it didn't work. I really thought that was the answer too.
 
Maybe this will help, just did a quick search, haven't seen this one before.

http://removevirusmalware.com/remove-pc-keeper-popup-virus-removal-guide/

Toward the bottom of that link, they show what the registry entries and files should be for pc keeper. Don't know if that's the answer that will work, but hopefully so.

There is an old trick I used a couple of times. Use Revo Uninstaller if you have it, and put it into Hunter Mode. It gives you a target icon that you can move around and try to kill and delete processes that are running. If PC Keeper is a pop-up, try to make it pop up, and see if you can kill and delete it with Revo's Hunter Mode. If nothing else, I think Revo will show you the path it's launching from, where you could at least snap a picture or make a mental note and boot from a Linux disk and delete the files that way. It's been a while since I did this, but it worked way back. Check the licensing: I just looked at the license file for their portable version and didn't see anything about not using it for commercial purposes. So might hit it that way.
 
Fire up Sysinternals Process Explorer and have a look at what's going on.

It doesn't have the 2 explorer.exe syndrome that I'm seeing more of, does it?

How about a small hidden partition hiding something (rootkit)?
 
So everything else looks ok except when you launch any browser it goes to the PC Keeper web page?

Can you go to a different URL afterwards?

What happens when you reboot the computer with no network cable and launch a browser?

What happens when you install a brand new browser such as Opera?

Have you done a regedit search for the PC Keeper URL?

W7 Pro - assuming they are in workgroup mode have you tried to reset the local GP to default?

http://www.sevenforums.com/tutorials/214461-local-group-policy-reset-default.html
 
No, I didn't try a GP reset, good idea. Nothing visible in the registry; it looks clean. I did check for rootkits. I will try Opera as well. I will be back on site tomorrow but I will try more tonight remotely.

Thanks everyone for your help. I have till tomorrow to solve this and then I will have no choice but to N&P.
 
Have you tried Sysinternals Autoruns under Safe Mode? Manually check the userprofile\appdata\ subdirectories for anything strange and C:\ProgramData. Give HijackThis a try and an IE factory reset. Also clean out the user profile temp folder, C:\Windows\Prefetch and the temp folder. Any strange browser extensions?
 
You could also try:

Re-install PCKeeper software.

Remove with Revo uninstaller (aggressive mode).

Look for a 64-bit version in "Programs and Features"; if found, remove it with the 64-bit version of Revo (worth a buy), or use the free trial. Again aggressive mode.

Run Adw Cleaner (newest version). Review log for clues.

Run JRT (newest version) Review log for clues.

Run Malwarebytes (updated of course)

Run Rogue Killer (newest version) LOOK AT THE RESULTS FOR ANYTHING SUSPICIOUS

Reset settings and policies

Run Win AIO.

That routine should get rid of "most anything"......notice I've said MOST.

Harold
 
Shortcut properties

By any chance have you checked all browser shortcuts to make sure they are clean? Make sure Target or Start in don't have the URL of PCKeeper at the end of the executable path for the browser. I'd remove all shortcuts from the taskbar and recreate them after doing the above as well. Good luck.
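Checking every shortcut's Target field by hand is tedious on three machines, so here is an added example (not code from this thread) that enumerates the usual shortcut locations on a Windows 7 workstation, reads each .lnk through the WScript.Shell COM object, and flags browser shortcuts whose Arguments field carries anything that looks like a URL. The shortcut folders and browser executable names are my assumptions; extend both lists for other browsers or custom Start Menu layouts.

```powershell
# Added example: scan desktop, Quick Launch (which includes pinned taskbar items) and Start Menu
# shortcuts for browser targets that have a URL appended in the Arguments field.
# Assumption: a clean browser shortcut has an empty Arguments field.

$shell    = New-Object -ComObject WScript.Shell
$browsers = 'iexplore.exe', 'firefox.exe', 'chrome.exe', 'opera.exe'
$paths    = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
)

$findings = foreach ($dir in $paths) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $exe = Split-Path $lnk.TargetPath -Leaf
        if ($browsers -contains $exe.ToLower()) {
            # Anything resembling a URL or host name in Arguments is suspect for a browser shortcut
            $suspect = $lnk.Arguments -match 'https?://|www\.|\.com|\.net|\.org'
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                Suspect   = [bool]$suspect
            }
        }
    }
}

$findings | Format-Table -AutoSize
$findings | Where-Object Suspect | ForEach-Object {
    Write-Warning "Shortcut $($_.Shortcut) launches the browser with arguments: $($_.Arguments)"
}
```

Run it under each user account that logs on to the machine, because per-user Desktop and Quick Launch folders differ, and then recreate any flagged shortcut from the executable rather than editing the Arguments field, so nothing else hidden in the .lnk survives.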
 
scheduled tasks, autoruns, services, toolbars, plugins

Keep in mind all the usual tools generally have to know about the thing, or at least recognise the behaviour, before they can detect it. So if it's new they won't necessarily find it; you have to think about it more: what it's doing, how it's doing it, where it's likely lurking etc. This is where your and others' experience comes into it.
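For the persistence locations named above (scheduled tasks, autoruns, services), a signature-free approach is to list every launch command and flag the ones that run from user-writable directories, which is where unsigned junk usually lives. The script below is an added example, not from this thread or from Sysinternals; the "user-writable" pattern list and the decision to skip Microsoft's own task folder are my heuristics, and it uses schtasks and WMI so it also runs on Windows 7 without the newer ScheduledTasks module.

```powershell
# Added example: sweep Run keys, scheduled tasks and services, flagging commands that launch
# from AppData, ProgramData, Temp or Public. Assumption: the pattern list below is a heuristic,
# so review flagged entries rather than deleting them blindly.

$userWritable = 'AppData\\', 'ProgramData\\', '\\Temp\\', '\\Users\\Public\\'
function Test-Suspect([string]$cmd) {
    foreach ($p in $userWritable) { if ($cmd -match $p) { return $true } }
    return $false
}

$results = @()

# 1. Run / RunOnce keys for the machine (both registry views) and the current user
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $results += [pscustomobject]@{ Source = 'Run key'; Name = "$k\$($p.Name)"; Command = [string]$p.Value; Suspect = (Test-Suspect $p.Value) }
    }
}

# 2. Scheduled tasks: verbose CSV output; schtasks repeats the header per folder, so drop those rows
$tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv
foreach ($t in $tasks) {
    if ($t.TaskName -eq 'TaskName' -or $t.TaskName -like '\Microsoft\*' -or -not $t.'Task To Run') { continue }
    $results += [pscustomobject]@{ Source = 'Task'; Name = $t.TaskName; Command = $t.'Task To Run'; Suspect = (Test-Suspect $t.'Task To Run') }
}

# 3. Services and the binaries they start
foreach ($s in Get-WmiObject Win32_Service) {
    $results += [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName; Suspect = (Test-Suspect $s.PathName) }
}

$flagged = @($results | Where-Object Suspect)
$flagged | Format-Table Source, Name, Command -AutoSize
Write-Host "$($results.Count) entries examined, $($flagged.Count) flagged for review."
```

Some legitimate updaters (Chrome and several OEM tools) do run from AppData or ProgramData, so expect a few known-good hits; the value is in the entries you do not recognise, which is exactly the "think about where it's lurking" point the post makes.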
 
There were no infected computers. They are all clean. The problem was an infected router. I changed it with a proper business router and things have never run better and all popups have stopped. When you eliminate everything possible then you must look for the improbable. This was a first for us. Thanks to everyone who offered up help, we tried all of it.
 

Just curious, what made you try replacing the router?
 
After trying everything, I nuked one computer and only reinstalled the OS. I had disconnected all other computers from the network. The second I plugged this computer into the router the same popup ads began again. I then put my phone on their wifi and got popups on my phone. I took my phone off wifi and they were gone. I then took the computer off the router and put it online through my phone's hotspot and it worked fine. I tried resetting the router and the modem but no joy. I then changed the router and boom, everything was perfect again.
 
I saw this happen once to a business client, no less. Had this going on, reformatted a couple of machines and the same thing, started investigating. They were also being cheap. Like your situation, router compromised. I ended up doing a band-aid fix just for the time being of resetting the DNS on each computer to Google's DNS settings. Of course, since my clients were being cheap, they never bothered to call back to get us out to replace the router. That's been about 3 years now. I've heard from other people, including people who worked for the company, that they were cheap.
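Both of the last two posts point at the same thing: a router that was handing the workstations bad DNS (or answering DNS itself with bad data), which no amount of scanning the PCs will find. The script below is an added example, not from either poster, that shows the check I would run before the band-aid fix: list the DNS servers each adapter received, then resolve a couple of names through those servers and through a trusted public resolver and compare. The resolver address, the test names and the nslookup parsing are my assumptions; it uses WMI and nslookup so it also runs on Windows 7, where Get-DnsClientServerAddress and Resolve-DnsName are not available.

```powershell
# Added example: detect DNS hijacking at the router by comparing answers from the locally
# configured DNS servers against a trusted resolver.
# Assumptions: 8.8.8.8 as the trusted resolver and the test names are my choices; nslookup
# output parsing is a heuristic that collects IPv4 addresses from the answer section.

$trustedResolver = '8.8.8.8'
$testNames = 'www.microsoft.com', 'www.bing.com'

# 1. What did DHCP hand out? DNS that is neither the gateway nor a known resolver deserves a look.
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($a in $adapters) {
    Write-Host "Adapter : $($a.Description)"
    Write-Host "  Gateway: $($a.DefaultIPGateway -join ', ')"
    Write-Host "  DHCP   : $($a.DHCPServer)"
    Write-Host "  DNS    : $($a.DNSServerSearchOrder -join ', ')"
}

function Get-ARecords([string]$name, [string]$server) {
    # Ask one specific server for A records and pull the IPv4 addresses out of the answer section
    $text = (nslookup -type=A $name $server 2>$null) -join "`n"
    if ($text -notmatch 'Name:') { return @() }          # no answer or server unreachable
    $answer = ($text -split 'Name:')[-1]
    [regex]::Matches($answer, '\b\d{1,3}(\.\d{1,3}){3}\b') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

# 2. Compare answers from each local DNS server with the trusted resolver
$localDns = $adapters | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ } | Sort-Object -Unique
foreach ($name in $testNames) {
    $trusted = @(Get-ARecords $name $trustedResolver)
    if (-not $trusted) { Write-Warning "No answer for $name from $trustedResolver; cannot compare."; continue }
    foreach ($dns in $localDns) {
        $local   = @(Get-ARecords $name $dns)
        $overlap = $local | Where-Object { $trusted -contains $_ }
        if ($local -and -not $overlap) {
            Write-Warning "$name via $dns -> $($local -join ',') but via $trustedResolver -> $($trusted -join ',')"
        } else {
            Write-Host "$name via $dns : $($local -join ',') (consistent)"
        }
    }
}

# Band-aid from the post above, per adapter and elevated, until the router is replaced:
#   netsh interface ip set dns name="Local Area Connection" static 8.8.8.8
```

Two caveats: CDN-fronted names can legitimately return different addresses from different resolvers, so a mismatch is a lead to check against a second trusted resolver rather than proof on its own, and a rogue resolver may answer honestly for well-known names and only lie for others, so repeat the comparison for a site where the pop-ups appear. Changing the workstation DNS does nothing if the router is also intercepting port 53 or injecting into HTTP, which is why replacing the router, as the thread concluded, is the real fix.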
 
Formerly it had a TRENDnet router, real garbage, too many open ports on it as well. The office does AutoCAD. 6 workstations, and I just ordered them a new server now that they gave me the account.
 