Enregistrer par clic

Solved/Closed
nicodrum Posted messages 162 Status Member -  
 Destrio5 -
Hello everyone!

I have a browser extension on Firefox that installs itself regularly without me asking for it. It's called savebyclick1, and when it is installed, I get pop-ups that appear when I'm on Google: "coupons for google.fr"

I can't figure out if it happens when I visit a certain site, but right now I don't see it... Do you know how to prevent this installation? It's quite annoying to be honest...

Thanks in advance for your answers and have a great day!

Nicolas

26 answers

  • 1
  • 2
  1. Anonymous user
     
    Hello,

    * Download ZHPDiag to your desktop:

    https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html
    or
    http://www.premiumorange.com/zeb-help-process/zhpdiag.html

    * Follow the instructions during the installation; it will launch automatically at the end.

    /!\ Users of Vista, Seven, and W8:

    * Right-click on the ZHPdiag logo (the icon looks like a parchment), “Run as Administrator.”

    * Click on the screwdriver, select all modules.

    * Click on the icon that looks like a magnifying glass (“Start the diagnosis”)
    * Save the report on your desktop using the icon that looks like a floppy disk
    * Host the ZHPDiag.txt report on Cjoint, then copy/paste the provided link in your next reply on the forum:

    https://www.cjoint.com/ => https://www.commentcamarche.net/faq/29493-utiliser-cjoint-pour-heberger-des-fichiers


    --
    O.o°*Member, Security Contributor CCM o°.Oø¤º°'°º¤ø
    =>> Breathe deeply, write your message in good French and clearly. It will be fine, you'll see, we’re trying!!! o°Oø
    1
    1. transat Posted messages 31956 Registration date   Status Contributor Last intervention   9 021
       
      Hi Electroman
      Thank you for him
      0
    2. Anonymous user
       
      ;-)
      0
  2. transat Posted messages 31956 Registration date   Status Contributor Last intervention   9 021
     
    Hello
    Here's what I found regarding your problem
    http://enlevezspywares.blogspot.fr/2013/01/delete-save-by-click-guide-de.html
    This page is marked on Google with a green circle.
    I'm redirecting your question to the "virus security" section where someone more qualified than me will respond to you.
    Before doing anything, wait for a reply from a security contributor
    See you later

    Curiosity on CCM is not a flaw but a quality
    0
  3. nicodrum Posted messages 162 Status Member 19
     
    Thank you for this quick response and sorry for mine being less quick... work.

    So here is the link http://cjoint.com/?CAqsT6Mb2WS

    Thank you in advance.
    0
  4. Anonymous user
     
    * Launch ZHPFix via the shortcut on your Desktop (icon shaped like a syringe)

    /!\ Users of Vista, Seven, and W8:

    * Right-click on the ZHPfix logo, "Run as Administrator"

    * * Copy ( Ctrl + C ) and paste ( Ctrl + V ) the following lines in bold into Zhpfix:
    ---------------------------------------------------------

    [HKCU\Software\AppDataLow\SProtector]
    [HKLM\Software\Wow6432Node\SP Global]
    [HKLM\Software\Wow6432Node\SProtector]
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("extensions.BabylonToolbar.prtkDS", 0);
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.previous.keyword.URL", "");
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
    O69 - SBI: prefs.js [nbattard - a1hj7aqv.default] user_pref("sweetim.toolbar.searchguard.enable", "");
    [HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}]
    [HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}]
    [HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}]
    [HKLM\Software\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}]
    [HKLM\Software\Wow6432Node\SP Global]
    [HKCU\Software\AppDataLow\SProtector]
    [HKLM\Software\Wow6432Node\SProtector]
    O42 - Software: SaveByClick - (.SaveByClick.) [HKLM][64Bits] -- {330AADC2-68F0-451D-A7F6-20D2E8E98F34}
    O43 - CFD: 16/01/2013 - 11:16:50 - [1,585] ----D C:\Program Files (x86)\SaveByClick
    O43 - CFD: 16/01/2013 - 11:16:46 - [0,293] ----D C:\ProgramData\SaveByclick
    [MD5.B28C334C03CEE7C5E829C43AE75DAE5A] [SPRF][23/08/2012] (.Ask.com - AskIC Dynamic Link Library.) -- C:\Users\nbattard\AppData\Local\Temp\AskSLib.dll [248008]
    [HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26B5A6D1-1F75-3B59-5825-E4D4CAE3445D}]
    C:\Program Files (x86)\SaveByclick
    C:\ProgramData\SaveByclick
    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SaveByclick
    O2 - BHO: SaveByclick [64Bits] - {4FF9DB0F-89ED-758A-A6CA-643B69A45B80} . (...) -- C:\ProgramData\SaveByclick\50f683530293c.dll
    O2 - BHO: SaveByclick [64Bits] - {AAAA1CCA-88EB-B136-E69E-527877EDF11E} . (...) -- C:\ProgramData\SaveByclick\50e43448e4567.dll
    Emptytemp
    EmptyClsid


    ----------------------------------------------------------
    * Click on the clipboard icon (The icon between the camera and the parchment, at the top right of the tool page)

    - Click on the "GO" button to start the cleaning,
    - confirm the cleaning
    - Copy/paste the entire report in your next reply
    Tutorial:

    http://www.premiumorange.com/zeb-help-process/zhpfix.html

    --
    O.o°*Member, Security Contributor CCM o°.Oø¤º°'°º¤ø
    =>> Breathe deeply, write your message in proper French and clearly. It’s going to be fine, you’ll see, or at least we’re trying!!! o°Oø
    0
  5. nicodrum Posted messages 162 Status Member 19
     
    Thank you for the very clear instructions. Here is the report:

    ZHPFix Report 1.3.11 by Nicolas Coolman, Updated on 30/12/2012
    Registry export file: C:\ZHP\ZHPExportRegistry-16-01-2013-19-04-33.txt
    Run by nbattard on 16/01/2013 19:04:33
    Windows 7 Business Edition, 64-bit Service Pack 1 (Build 7601)

    ========== Software(s) ==========
    ABSENT Software Key: {330AADC2-68F0-451D-A7F6-20D2E8E98F34}

    ========== Memory Module(s) ==========
    REMOVE Memory Module: C:\Users\nbattard\AppData\Local\Temp\AskSLib.dll

    ========== Registry Key(s) ==========
    REMOVE Key: HKCU\Software\AppDataLow\SProtector
    REMOVE Key: HKLM\Software\Wow6432Node\SP Global
    REMOVE Key: HKLM\Software\Wow6432Node\SProtector
    REMOVE Key: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
    REMOVE Key*: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
    ABSENT Key: HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
    REMOVE Key: HKLM\Software\Wow6432Node\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
    REMOVE Key: HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26B5A6D1-1F75-3B59-5825-E4D4CAE3445D}
    REMOVE Key: CLSID BHO: {4FF9DB0F-89ED-758A-A6CA-643B69A45B80}
    REMOVE Key: CLSID BHO: {AAAA1CCA-88EB-B136-E69E-527877EDF11E}

    ========== Browser Preferences ==========
    REMOVE Mozilla Pref: user_pref("extensions.BabylonToolbar.prtkDS", 0);
    REMOVE Mozilla Pref: user_pref("extensions.BabylonToolbar.prtkHmpg", 0);
    REMOVE Mozilla Pref: user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");
    REMOVE Mozilla Pref: user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");
    REMOVE Mozilla Pref: user_pref("sweetim.toolbar.previous.browser.startup.homepage", "");
    REMOVE Mozilla Pref: user_pref("sweetim.toolbar.previous.keyword.URL", "");
    REMOVE Mozilla Pref: user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");
    REMOVE Mozilla Pref: user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_DS", "");
    REMOVE Mozilla Pref: user_pref("sweetim.toolbar.searchguard.UserRejectedGuard_HP", "");
    REMOVE Mozilla Pref: user_pref("sweetim.toolbar.searchguard.enable", "");

    ========== Folder(s) ==========

    ========== File(s) ==========
    REMOVE File*: c:\users\nbattard\appdata\local\temp\askslib.dll
    ABSENT Folder/File: c:\program files (x86)\savebyclick
    ABSENT Folder/File: c:\programdata\savebyclick
    ABSENT File: c:\programdata\savebyclick\50f683530293c.dll
    ABSENT File: c:\programdata\savebyclick\50e43448e4567.dll
    REMOVE Windows Temporary:

    ========== Summary ==========
    1 : Memory Module(s)
    10 : Registry Key(s)
    6 : File(s)
    1 : Software(s)
    10 : Browser Preferences

    End of clean in 00mn 02s

    ========== Report file path ==========
    C:\ZHP\ZHPFix[R1].txt - 16/01/2013 19:04:33 [2841]
    0
  6. Anonymous user
     
    Restart the PC and let me know if you still have Savebyclic on your browser!

    --
    O.o°*Member, Security Contributor CCM o°.Oø¤º°'°º¤ø
    =>>Breathe deeply, write your message in proper French and clearly. It will be fine, you'll see, well we're trying!!! o°Oø
    0
    1. nicodrum Posted messages 162 Status Member 19
       
      So, I had removed the add-on before posting the message... I didn't think it was a virus or anything like that. However, I restarted the scan as you told me - the first step - and it's in the report. Here’s the link:

      http://cjoint.com/?CAqujYOJEht

      It’s in "installed software," first third of the report. Is it serious, doctor?
      0
  7. Anonymous user
     
    relance zhpfix et colle ceci dedans :

    O42 - Software: SaveByClick - (.SaveByClick.) [HKLM][64Bits] -- {330AADC2-68F0-451D-A7F6-20D2E8E98F34}

    click on Go

    post its report

    --
    O.o°*Member, Security Contributor CCM o°.Oø¤º°'°º¤ø
    =>>Breathe deeply, Write your message in proper French and clearly. It will go well, you’ll see, well let’s try!!! o°Oø
    0
  8. nicodrum Posted messages 162 Status Member 19
     
    Here is the translation:

    ZHPFix Report 1.3.11 by Nicolas Coolman, Updated on 30/12/2012
    Registry Export File:
    Run by nbattard on 16/01/2013 at 20:25:42
    Windows 7 Business Edition, 64-bit Service Pack 1 (Build 7601)

    ========== Software(s) ==========
    ABSENT Software Key: {330AADC2-68F0-451D-A7F6-20D2E8E98F34}

    ========== Summary ==========
    1 : Software(s)

    End of clean in 00mn 00s

    ========== Report file path ==========
    C:\ZHP\ZHPFix[R1].txt - 16/01/2013 19:04:33 [2893]
    C:\ZHP\ZHPFix[R2].txt - 16/01/2013 20:25:43 [495]
    0
  9. Anonymous user
     
    do you still have Savebyclick?

    --
    O.o°*Member, CCM security contributor o°.Oø¤º°'°º¤ø
    =>> Breathe deeply, write your message in good French and clearly. It will be fine, you'll see, well, we’ll try!!! o°Oø
    0
  10. nicodrum Posted messages 162 Status Member 19
     
    Yes, sorry, I could have included it in the previous response. Savebyclick is still there, in the same place. Here is its line (the only place):

    SaveByClick - (.SaveByClick.) [HKLM][64Bits] -- {330AADC2-68F0-451D-A7F6-20D2E8E98F34}
    0
  11. Anonymous user
     
    do not rely on the content of the report, but on your browser

    at worst, save your bookmarks,

    uninstall Firefox,

    manually delete its directory from your hard drive,

    then reinstall it

    --
    O.o°*Member, Security Contributor CCM o°.Oø¤º°'°º¤ø
    =>>Breathe deeply, write your message in proper French and clearly. It will go well, you'll see, well we’ll try!!! o°Oø
    0
  12. nicodrum Posted messages 162 Status Member 19
     
    ok. For now, it looks like he’s not around. I'll see if it comes back later. Thank you very much for your help!

    Have a good evening

    Nicolas
    0
  13. Anonymous user
     
    Let the PC run for a few days, we'll finish when you come back to give news!

    @ ++

    --
    O.o°*Member, Security Contributor CCM o°.Oø¤º°'°º¤ø
    =>>Breathe deeply, write your message in proper French and clearly. It will go well, you'll see, well we're trying!!! o°Oø
    0
  14. nicodrum Posted messages 162 Status Member 19
     
    ok thanks! I'm not closing the discussion then. Have a great weekend everyone!
    0
  15. Anonymous user
     
    We can finish if you want tomorrow in the afternoon or in the evening :-)

    --
    O.o°*Member, CCM Security Contributor o°.Oø¤º°'°º¤ø
    =>> Breathe deeply, write your message in proper French and clearly. It'll go well, you'll see, well we're trying!!! o°Oø
    0
  16. nicodrum Posted messages 162 Status Member 19
     
    The pop-ups no longer appear and it hasn't reinstalled in the add-ons. I think it's good now :) Thanks!
    0
  17. Anonymous user
     
    ok,

    we're finishing up:

    /!\ Attention:
    more and more programs are offering to install toolbars (pre-checked box), so don't forget to uncheck the corresponding box/boxes during installation.

    In addition to this, avoid sites like 01@net (on the mend!) and Softonic, as free and open-source software is repackaged with their toolbars!


    * to remove the cleaning tools
    :

    Download Delfix to your desktop:

    HERE

    or

    https://www.commentcamarche.net/telecharger/securite/7111-delfix/

    Check the following boxes:
    => Re-enable UAC (only for Vista, Seven, and W8)
    => Remove cleaning tools (checked by default)
    => Purge system restore
    => Reset system settings

    * Then click on Run and wait during the removal process.
    * When the procedures are completed, the tool will close and disappear from your desktop.
    * A report is saved to the clipboard: you just need to right-click and "paste" in your next reply to send me the report.

    . download Ccleaner from this address and save it to the desktop

    https://www.zebulon.fr/telechargements/utilitaires/nettoyeurs/ccleaner.html

    . double-click on the file to start the installation.

    /!\ make sure that during installation, toolbars are not installed; if they are, uncheck the corresponding box!

    /!\ Users of Vista and Windows 7: Right-click on the Ccleaner logo, "run as Administrator"

    . in the language installation window, be sure to choose French and OK
    . click on next
    . read the license and accept
    . click on next
    . here, only keep checked the option to create a shortcut on the desktop and then automatically check for Ccleaner updates.
    . click on install
    . click on close
    . double-click on the Ccleaner icon to open it
    . once open, click on options and then advanced
    . uncheck the option to delete only files from the Windows temp folder older than 24 hours
    . click on cleaner
    . click on Windows and in the advanced column
    . check the first box for old perfetch data and also check the advanced box that is automatically checked, but only that one.
    . click on analyze once the analysis is complete
    . click on run the cleaning and on the confirmation request OK; you will need to do this again once finished; verify by pressing analyze again to make sure there’s nothing left.
    . now click on registry and then on find errors
    . leave everything checked and click on repair selected errors
    . it will ask you to save YES
    . give it a name so you can find it and save
    . click on fix all selected errors and on the confirmation request OK
    . it deletes and closes; you verify by restarting find errors
    . return to options and re-check the box to delete only files from the Windows temp folder older than 48 hours, and in cleaner, Windows under advanced, uncheck the first box for old perfetch data.
    . you can close Ccleaner

    installation & cleaning tutorial:
    https://www.donnemoilinfo.com/tuto/CCleaner/

    * update your antivirus, run a complete scan of your PC, and let me know the results :-)

    --
    O.o°*Member, Security Contributor CCM o°.Oø¤º°'°º¤ø
    =>>Breathe deeply, write your message in good French and clearly. It's going to be fine, you'll see, we’ll try!!! o°Oø
    0
  18. nicodrum Posted messages 162 Status Member 19
     
    Hello,

    So, here is the first part, and then I run ccleaner:

    # DelFix v10.0 - Report created on 01/18/2013 at 15:16:20
    # Updated on 01/04/2013 by Xplode
    # Username: nbattard - PE4115B5FBB45

    ~ Enabling UAC ... OK

    ~ Removing disinfecting tools ...

    Deleted: C:\ZHP
    Deleted: C:\Program Files (x86)\ZHPDiag
    Deleted: C:\PhysicalDisk0_MBR.bin

    ~ Purging system restore ...

    Deleted: RP #31 [Windows Backup | 12/19/2012 09:25:17]
    Deleted: RP #32 [Windows Backup | 12/19/2012 09:55:13]
    Deleted: RP #33 [Windows Update | 12/21/2012 10:39:52]
    Deleted: RP #34 [HPSF Restore Point | 12/31/2012 07:15:00]
    Deleted: RP #35 [Windows Update | 01/07/2013 07:34:16]
    Deleted: RP #36 [Windows Update | 01/09/2013 08:15:59]
    Deleted: RP #37 [Installed SpyHunter | 01/16/2013 19:47:07]
    Deleted: RP #38 [Removed SpyHunter | 01/16/2013 20:11:55]

    New restore point created!

    ~ Resetting system settings ... OK

    ########## - EOF - ##########
    0
  19. Anonymous user
     
    ok,

    let's move on to the next part of my previous message

    --
    O.o°*Member, CCM security contributor o°.Oø¤º°'°º¤ø
    =>>Breathe deeply, write your message in good French and clearly. It's going to be fine, you'll see, well we're trying!!! o°Oø
    0
  20. nicodrum Posted messages 162 Status Member 19
     
    Well, I ran CCleaner, everything seems nice and clean, SaveByClick is gone, and I think the big cleanup has been done!

    Thanks for your help!
    0
  • 1
  • 2