Save by click

Solved/Closed
nicodrum Posted messages 162 Status Member -
 Destrio5 -
Hello everyone!

I have a browser extension on Firefox that installs itself regularly without me asking for it. It's called savebyclick1, and when it is installed, I get pop-ups that appear when I'm on Google: "coupons for google.fr"

I can't figure out if it happens when I visit a certain site, but right now I don't see it... Do you know how to prevent this installation? It's quite annoying to be honest...

Thanks in advance for your answers and have a great day!

Nicolas

26 replies

Anonymous user
 
Hello,

* Download ZHPDiag to your desktop:

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
or
http://www.premiumorange.com/zeb-help-process/zhpdiag.html

* Follow the instructions during the installation; it will launch automatically at the end.

/!\ Users of Vista, Seven, and W8:

* Right-click on the ZHPdiag logo (the icon looks like a parchment), “Run as Administrator.”

* Click on the screwdriver, select all modules.

* Click on the icon that looks like a magnifying glass (“Start the diagnosis”)
* Save the report on your desktop using the icon that looks like a floppy disk
* Host the ZHPDiag.txt report on Cjoint, then copy/paste the provided link in your next reply on the forum:

https://www.cjoint.com/ => https://www.commentcamarche.net/faq/29493-utiliser-cjoint-pour-heberger-des-fichiers


--
O.o°*Member, Security Contributor CCM o°.Oø¤º°'°º¤ø
=>> Breathe deeply, write your message in good French and clearly. It will be fine, you'll see, we’re trying!!! o°Oø
1
transat Posted messages 31956 Registration date   Status Contributor Last intervention   9 021
 
Hi Electroman
Thank you on his behalf
0
Anonymous user
 
;-)
0
transat Posted messages 31956 Registration date   Status Contributor Last intervention   9 021
 
Hello
Here's what I found regarding your problem
http://enlevezspywares.blogspot.fr/2013/01/delete-save-by-click-guide-de.html
This page is marked on Google with a green circle.
I'm redirecting your question to the "virus security" section where someone more qualified than me will respond to you.
Before doing anything, wait for a reply from a security contributor
See you later

Curiosity on CCM is not a flaw but a quality
0
nicodrum Posted messages 162 Status Member 19
 
Thank you for this quick response and sorry for mine being less quick... work.

So here is the link http://cjoint.com/?CAqsT6Mb2WS

Thank you in advance.
0
Anonymous user
 
* Launch ZHPFix via the shortcut on your Desktop (icon shaped like a syringe)

/!\ Users of Vista, Seven, and W8:

* Right-click on the ZHPfix logo, "Run as Administrator"

* Copy (Ctrl + C) and paste (Ctrl + V) the following lines in bold into ZHPFix:
---------------------------------------------------------

[HKCU\Software\AppDataLow\SProtector]
[HKLM\Software\Wow6432Node\SP Global]
[HKLM\Software\Wow6432Node\SProtector]
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("extensions.BabylonToolbar.prtkDS", 0);
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.previous.keyword.URL", "");
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.searchguard.enable", "");
[HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}]
[HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}]
[HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}]
[HKLM\Software\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}]
[HKLM\Software\Wow6432Node\SP Global]
[HKCU\Software\AppDataLow\SProtector]
[HKLM\Software\Wow6432Node\SProtector]
O42 - Software: SaveByClick - (.SaveByClick.) [HKLM][64Bits] -- {330AADC2-68F0-451D-A7F6-20D2E8E98F34}
O43 - CFD: 16/01/2013 - 11:16:50 - [1,585] ----D C:\Program Files (x86)\SaveByClick
O43 - CFD: 16/01/2013 - 11:16:46 - [0,293] ----D C:\ProgramData\SaveByclick
[MD5.B28C334C03CEE7C5E829C43AE75DAE5A] [SPRF][23/08/2012] (.Ask.com - AskIC Dynamic Link Library.) -- C:\Users\nbattard\AppData\Local\Temp\AskSLib.dll [248008]
[HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26B5A6D1-1F75-3B59-5825-E4D4CAE3445D}]
C:\Program Files (x86)\SaveByclick
C:\ProgramData\SaveByclick
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SaveByclick
O2 - BHO: SaveByclick [64Bits] - {4FF9DB0F-89ED-758A-A6CA-643B69A45B80} . (...) -- C:\ProgramData\SaveByclick\50f683530293c.dll
O2 - BHO: SaveByclick [64Bits] - {AAAA1CCA-88EB-B136-E69E-527877EDF11E} . (...) -- C:\ProgramData\SaveByclick\50e43448e4567.dll
Emptytemp
EmptyClsid


----------------------------------------------------------
* Click on the clipboard icon (The icon between the camera and the parchment, at the top right of the tool page)

- Click on the "GO" button to start the cleaning,
- confirm the cleaning
- Copy/paste the entire report in your next reply
Tutorial:

http://www.premiumorange.com/zeb-help-process/zhpfix.html

0
nicodrum Posted messages 162 Status Member 19
 
Thank you for the very clear instructions. Here is the report:

ZHPFix Report 1.3.11 by Nicolas Coolman, Updated on 30/12/2012
Registry export file: C:\ZHP\ZHPExportRegistry-16-01-2013-19-04-33.txt
Run by nbattard on 16/01/2013 19:04:33
Windows 7 Business Edition, 64-bit Service Pack 1 (Build 7601)

========== Software(s) ==========
ABSENT Software Key: {330AADC2-68F0-451D-A7F6-20D2E8E98F34}

========== Memory Module(s) ==========
REMOVE Memory Module: C:\Users\nbattard\AppData\Local\Temp\AskSLib.dll

========== Registry Key(s) ==========
REMOVE Key: HKCU\Software\AppDataLow\SProtector
REMOVE Key: HKLM\Software\Wow6432Node\SP Global
REMOVE Key: HKLM\Software\Wow6432Node\SProtector
REMOVE Key: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
REMOVE Key*: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
ABSENT Key: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
REMOVE Key: HKLM\Software\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
REMOVE Key: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26B5A6D1-1F75-3B59-5825-E4D4CAE3445D}
REMOVE Key: CLSID BHO: {4FF9DB0F-89ED-758A-A6CA-643B69A45B80}
REMOVE Key: CLSID BHO: {AAAA1CCA-88EB-B136-E69E-527877EDF11E}

========== Browser Preferences ==========
REMOVE Mozilla Pref: user_pref("extensions.BabylonToolbar.prtkDS", 0);
REMOVE Mozilla Pref: user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
REMOVE Mozilla Pref: user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
REMOVE Mozilla Pref: user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
REMOVE Mozilla Pref: user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
REMOVE Mozilla Pref: user_pref("sweetim.toolbar.previous.keyword.URL", "");
REMOVE Mozilla Pref: user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
REMOVE Mozilla Pref: user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
REMOVE Mozilla Pref: user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
REMOVE Mozilla Pref: user_pref("sweetim.toolbar.searchguard.enable", "");

========== Folder(s) ==========

========== File(s) ==========
REMOVE File*: c:\users\nbattard\appdata\local\temp\askslib.dll
ABSENT Folder/File: c:\program files (x86)\savebyclick
ABSENT Folder/File: c:\programdata\savebyclick
ABSENT File: c:\programdata\savebyclick\50f683530293c.dll
ABSENT File: c:\programdata\savebyclick\50e43448e4567.dll
REMOVE Windows Temporary:

========== Summary ==========
1 : Memory Module(s)
10 : Registry Key(s)
6 : File(s)
1 : Software(s)
10 : Browser Preferences

End of clean in 00mn 02s

========== Report file path ==========
C:\ZHP\ZHPFix[R1].txt - 16/01/2013 19:04:33 [2841]
0
Anonymous user
 
Restart the PC and let me know if you still have Savebyclick on your browser!

0
nicodrum Posted messages 162 Status Member 19
 
So, I had removed the add-on before posting the message... I didn't think it was a virus or anything like that. However, I restarted the scan as you told me - the first step - and it's in the report. Here’s the link:

http://cjoint.com/?CAqujYOJEht

It’s in "installed software," first third of the report. Is it serious, doctor?
0
Anonymous user
 
relaunch ZHPFix and paste this into it:

O42 - Software: SaveByClick - (.SaveByClick.) [HKLM][64Bits] -- {330AADC2-68F0-451D-A7F6-20D2E8E98F34}

click on Go

post its report

0
nicodrum Posted messages 162 Status Member 19
 
ZHPFix Report 1.3.11 by Nicolas Coolman, Updated on 30/12/2012
Registry Export File:
Run by nbattard on 16/01/2013 at 20:25:42
Windows 7 Business Edition, 64-bit Service Pack 1 (Build 7601)

========== Software(s) ==========
ABSENT Software Key: {330AADC2-68F0-451D-A7F6-20D2E8E98F34}

========== Summary ==========
1 : Software(s)

End of clean in 00mn 00s

========== Report file path ==========
C:\ZHP\ZHPFix[R1].txt - 16/01/2013 19:04:33 [2893]
C:\ZHP\ZHPFix[R2].txt - 16/01/2013 20:25:43 [495]
0
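Added example, not part of the original thread and not ZHPFix's own code: a small parser for the report layout shown in the posts above, listing the entries the tool marked ABSENT and checking each section against the Summary counts. It assumes ABSENT means the item was not found at that location, so nothing was removed there; the embedded sample is a shortened excerpt of the first report with its Summary adjusted to match.

```python
import re
from collections import defaultdict

# Shortened excerpt of the first report in this thread; Summary counts adjusted to the excerpt.
REPORT = r"""
========== Software(s) ==========
ABSENT Software Key: {330AADC2-68F0-451D-A7F6-20D2E8E98F34}

========== Registry Key(s) ==========
REMOVE Key: HKCU\Software\AppDataLow\SProtector
REMOVE Key*: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
ABSENT Key: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}

========== File(s) ==========
REMOVE File*: c:\users\nbattard\appdata\local\temp\askslib.dll
ABSENT Folder/File: c:\program files (x86)\savebyclick
ABSENT File: c:\programdata\savebyclick\50f683530293c.dll

========== Summary ==========
1 : Software(s)
3 : Registry Key(s)
3 : File(s)
"""

SECTION = re.compile(r"^=+\s*(.+?)\s*=+$")                      # ========== Name ==========
ENTRY = re.compile(r"^(REMOVE|ABSENT)\s+([^:]+?)\*?:\s*(.*)$")  # STATUS Kind[*]: value
COUNT = re.compile(r"^(\d+)\s*:\s*(.+)$")                       # N : Section name

def parse_report(text):
    """Return (entries, summary) with entries[section] = [(status, kind, value), ...]."""
    entries, summary, section = defaultdict(list), {}, None
    for line in map(str.strip, text.splitlines()):
        if m := SECTION.match(line):
            section = m.group(1)
        elif section == "Summary" and (m := COUNT.match(line)):
            summary[m.group(2)] = int(m.group(1))
        elif section and (m := ENTRY.match(line)):
            entries[section].append(m.groups())
    return dict(entries), summary

def review(text):
    """Return (ABSENT items, sections whose entry count disagrees with the Summary)."""
    entries, summary = parse_report(text)
    absent = [(s, v) for s, rows in entries.items() for st, _, v in rows if st == "ABSENT"]
    mismatched = [s for s, n in summary.items() if len(entries.get(s, [])) != n]
    return absent, mismatched

if __name__ == "__main__":
    print(review(REPORT))
```

Items returned as ABSENT are the ones to re-check by hand in the browser and in Programs and Features, which is what the next replies in the thread end up doing.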
Anonymous user
 
do you still have Savebyclick?

0
nicodrum Posted messages 162 Status Member 19
 
Yes, sorry, I could have included it in the previous response. Savebyclick is still there, in the same place. Here is its line (the only place):

SaveByClick - (.SaveByClick.) [HKLM][64Bits] -- {330AADC2-68F0-451D-A7F6-20D2E8E98F34}
0
Anonymous user
 
do not rely on the content of the report, but on your browser

at worst, save your bookmarks,

uninstall Firefox,

manually delete its directory from your hard drive,

then reinstall it

0
nicodrum Posted messages 162 Status Member 19
 
ok. For now, it looks like it's not around. I'll see if it comes back later. Thank you very much for your help!

Have a good evening

Nicolas
0
Anonymous user
 
Let the PC run for a few days, we'll finish when you come back to give news!

@ ++

0
nicodrum Posted messages 162 Status Member 19
 
ok thanks! I'm not closing the discussion then. Have a great weekend everyone!
0
Anonymous user
 
We can finish if you want tomorrow in the afternoon or in the evening :-)

0
nicodrum Posted messages 162 Status Member 19
 
The pop-ups no longer appear and it hasn't reinstalled in the add-ons. I think it's good now :) Thanks!
0
Anonymous user
 
ok,

we're finishing up:

/!\ Attention:
more and more programs are offering to install toolbars (pre-checked box), so don't forget to uncheck the corresponding box/boxes during installation.

In addition to this, avoid sites like 01@net (on the mend!) and Softonic, as free and open-source software is repackaged with their toolbars!


* to remove the cleaning tools:

Download Delfix to your desktop:

HERE

or

https://www.commentcamarche.net/telecharger/securite/7111-delfix/

Check the following boxes:
=> Re-enable UAC (only for Vista, Seven, and W8)
=> Remove cleaning tools (checked by default)
=> Purge system restore
=> Reset system settings

* Then click on Run and wait during the removal process.
* When the procedures are completed, the tool will close and disappear from your desktop.
* A report is saved to the clipboard: you just need to right-click and "paste" in your next reply to send me the report.

. download Ccleaner from this address and save it to the desktop

https://www.zebulon.fr/telechargements/utilitaires/nettoyeurs/ccleaner.html

. double-click on the file to start the installation.

/!\ make sure that during installation, toolbars are not installed; if they are, uncheck the corresponding box!

/!\ Users of Vista and Windows 7: Right-click on the Ccleaner logo, "run as Administrator"

. in the language installation window, be sure to choose French and OK
. click on next
. read the license and accept
. click on next
. here, only keep checked the option to create a shortcut on the desktop and then automatically check for Ccleaner updates.
. click on install
. click on close
. double-click on the Ccleaner icon to open it
. once open, click on options and then advanced
. uncheck the option to delete only files from the Windows temp folder older than 24 hours
. click on cleaner
. click on Windows and in the advanced column
. check the first box for old prefetch data and also check the advanced box that is automatically checked, but only that one.
. click on analyze once the analysis is complete
. click on run the cleaning and on the confirmation request OK; you will need to do this again once finished; verify by pressing analyze again to make sure there’s nothing left.
. now click on registry and then on find errors
. leave everything checked and click on repair selected errors
. it will ask you to save YES
. give it a name so you can find it and save
. click on fix all selected errors and on the confirmation request OK
. it deletes and closes; you verify by restarting find errors
. return to options and re-check the box to delete only files from the Windows temp folder older than 48 hours, and in cleaner, Windows under advanced, uncheck the first box for old prefetch data.
. you can close Ccleaner

installation & cleaning tutorial:
https://www.donnemoilinfo.com/tuto/CCleaner/

* update your antivirus, run a complete scan of your PC, and let me know the results :-)

0
nicodrum Posted messages 162 Status Member 19
 
Hello,

So, here is the first part, and then I run ccleaner:

# DelFix v10.0 - Report created on 01/18/2013 at 15:16:20
# Updated on 01/04/2013 by Xplode
# Username: nbattard - PE4115B5FBB45

~ Enabling UAC ... OK

~ Removing disinfecting tools ...

Deleted: C:\ZHP
Deleted: C:\Program Files (x86)\ZHPDiag
Deleted: C:\PhysicalDisk0_MBR.bin

~ Purging system restore ...

Deleted: RP #31 [Windows Backup | 12/19/2012 09:25:17]
Deleted: RP #32 [Windows Backup | 12/19/2012 09:55:13]
Deleted: RP #33 [Windows Update | 12/21/2012 10:39:52]
Deleted: RP #34 [HPSF Restore Point | 12/31/2012 07:15:00]
Deleted: RP #35 [Windows Update | 01/07/2013 07:34:16]
Deleted: RP #36 [Windows Update | 01/09/2013 08:15:59]
Deleted: RP #37 [Installed SpyHunter | 01/16/2013 19:47:07]
Deleted: RP #38 [Removed SpyHunter | 01/16/2013 20:11:55]

New restore point created!

~ Resetting system settings ... OK

########## - EOF - ##########
0
Anonymous user
 
ok,

let's move on to the next part of my previous message

0
nicodrum Posted messages 162 Status Member 19
 
Well, I ran CCleaner, everything seems nice and clean, SaveByClick is gone, and I think the big cleanup has been done!

Thanks for your help!
0