downloaded what i thought was windows 10


This topic is locked
58 replies to this topic

#1 mickeddie12

mickeddie12

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 05 August 2015 - 09:54 PM

I downloaded and installed what I thought was Windows 10, and now I have all these pop-ups and my web browsers are very slow. I had a bunch of strange programs trying to install, or that were installed. One of which was, iirc, crowdbrow??

 

Anyway, in addition to these issues, my Windows start button does not do a thing, so I don't know what to do. I ran Malwarebytes and removed a bunch of things, but am still having issues. Please help!!!!

 

Attached Files




#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:09 AM

Posted 05 August 2015 - 10:46 PM

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Watch this topic. Click on this then choose Immediate E-Mail notification and then Proceed and you will be advised when I respond to your topic by email.

Please try to reply within 24 hours. If you find yourself delayed simply post a quick reply here and let me know!! After 5 days if your topic is not replied I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

<<<<<<<<<<

Lastly, if you have not already done so, you should consider backing up your important data - pictures, documents, etc. The worst case scenario is the need to wipe and reinstall your operating system to its factory settings; that way your precious data will be salvaged. There are both free and paid applications available.

Cobian Backup
DriveImage XML
CrashPlan

<<<<<<<<<<

Your logs do indicate that Windows 10 is installed and running. Where did you obtain the download from?

Please copy and paste all logs directly into your reply unless I ask otherwise.

I would like to see the MBAM log you mention. The log is automatically saved and can be viewed by clicking the Logs tab.

Also please move FRST.exe to your desktop ---> IMPORTANT!!

<<<<<<<<<<
  • Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browser
  • Double click on AdwCleaner.exe, click Run, then select I agree if it appears
  • Click Scan
  • Once the scan has completed you will see Pending. Please check elements you don't want to remove above the progress bar
  • Click on Cleaning
  • Confirm the cleaning and rebooting of your computer by clicking OK
  • Your computer will be rebooted automatically. A text file will open after the restart
  • Copy and paste the contents in your reply
<<<<<<<<<<

Re-run FRST, check the Addition.txt box, press SCAN and copy/paste the 2 logs in your next reply.

<<<<<<<<<<

With your next post please provide:
  • AdwCleaner.txt
  • FRST.txt
  • Addition.txt
  • An update about the problems that persist
Kind regards,
thcbytes
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 mickeddie12

mickeddie12
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 06 August 2015 - 09:28 PM

Hi and thank you for your help.  Attached are the files you requested.
 
I don't recall where I downloaded Windows 10 from, but thought it was Microsoft.
 
As for current problems, my web pages are very slow to load and run. As I type this the web page seems to try to refresh and my typing is very slow to appear. When I start Firefox my Windows system preferences automatically opens, extra tabs on Firefox open automatically, and it seems that pop-up ads on every web page stopped.
 
Some words on this page are highlighted in blue with a green circle with an arrow, and when I move the cursor over them it says "click to continue > by DNS unlocker"

Attached Files


Edited by thcbytes, 06 August 2015 - 09:47 PM: Deactivate rogue links


#4 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:09 AM

Posted 06 August 2015 - 10:28 PM

Hi again,

Some comments....

Your computer is a mess. This might take a while to get cleaned up. Also please be aware that our malware fighting tools might be somewhat limited as this is a brand new operating system and we have yet to test out many in great depth.

Some questions....
 
National Instrument applications
TeamViewer
Purposely installed?
 
<<<<<<<<<<

Please do NOT attach logs unless I ask. Please copy and paste logs directly into your reply.

<<<<<<<<<<

FRST fix:
  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter.
  • CAREFULLY copy and paste the ENTIRE script below in the notepad document:
start
CloseProcesses:
HKU\S-1-5-21-2900523989-721417095-2807401098-1000\...\Run: [GamesBot] => "C:\Program Files (x86)\Games Bot\GamesBot.exe" --startup
C:\Program Files (x86)\Games Bot
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKU\S-1-5-21-2900523989-721417095-2807401098-1000\Software\Microsoft\Internet Explorer\Main,First Home Page = http://g.msn.com/1me10IE9ENUS/110
Toolbar: HKU\S-1-5-21-2900523989-721417095-2807401098-1000 -> No Name - {41565232-2D53-5000-76A7-7A786E7484D7} -  No File
DPF: HKLM-x32 {4EFA317A-8569-4788-B175-5BAF9731A549} http://66.133.171.95/rcm/webcontrols/vmrc/VMRCActiveXClient.cab
DPF: HKLM-x32 {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} http://khse.vlab.elementk.com/vlab/webcontrols/porttester/PortTester.cab
FF HKU\S-1-5-21-2900523989-721417095-2807401098-1000\...\Firefox\Extensions: [{e4f94d1e-2f53-401e-8885-681602c0ddd8}] - 
CHR dev: Chrome dev build detected! <======= ATTENTION
CHR Profile: C:\Users\Goldberg\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (No Name) - C:\Users\Goldberg\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-05]
CHR Extension: (No Name) - C:\Users\Goldberg\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-05]
CHR Profile: C:\Users\Goldberg\AppData\Local\Google\Chrome\User Data\Default
2015-08-04 21:38 - 2015-08-04 21:38 - 00003476 _____ C:\WINDOWS\System32\Tasks\{522CCB4E-C1D1-401F-B722-ED6EEE5E1EC2}
2015-08-04 20:53 - 2015-08-04 20:53 - 00003554 _____ C:\WINDOWS\System32\Tasks\Inejejafsacru
2015-08-04 16:40 - 2015-08-04 16:40 - 00556432 _____ C:\Users\Goldberg\Downloads\Unconfirmed 378081.crdownload
2015-08-04 16:01 - 2015-08-05 07:12 - 00000000 ____D C:\Users\Goldberg\AppData\Local\PCMATICPLUS_fixed
2015-08-04 16:01 - 2015-08-04 16:01 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\PCMATICPLUS
2015-08-04 15:54 - 2015-08-05 07:12 - 00000000 ____D C:\Users\Goldberg\AppData\Local\4723
2015-08-04 15:48 - 2015-08-04 15:48 - 00026402 _____ C:\WINDOWS\System32\Tasks\DNSWABENO
2015-08-04 15:46 - 2015-08-04 22:18 - 00000004 _____ C:\WINDOWS\SysWOW64\029B560A371F4E00AB32838EBC01B9E7
2015-08-04 15:42 - 2015-08-05 22:04 - 00000372 ____H C:\WINDOWS\Tasks\NDERBTXMBDRPHUEI.job
2015-08-04 15:42 - 2015-08-05 22:04 - 00000360 _____ C:\WINDOWS\Tasks\OMYQNNDMU1.job
2015-08-04 15:42 - 2015-08-04 15:42 - 00003454 _____ C:\WINDOWS\System32\Tasks\NDERBTXMBDRPHUEI
2015-08-04 15:42 - 2015-08-04 15:42 - 00002930 _____ C:\WINDOWS\System32\Tasks\OMYQNNDMU1
2015-08-04 15:42 - 2015-08-04 15:42 - 00000000 ____D C:\ProgramData\28341ff220e0446c9fff27c4493d622e
2015-08-04 15:31 - 2015-08-04 15:31 - 00003698 _____ C:\WINDOWS\System32\Tasks\HDNINSTSCHD
globalupdate Helper (x32 Version: 1.3.25.0 - globalupdate Inc.) Hidden <==== ATTENTION
Task: {06B1A719-FDAD-4273-BC15-35250D6EC1AA} - System32\Tasks\OMYQNNDMU1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
C:\ProgramData\FlashBeat
Task: {1450D255-5E2F-48B4-9424-A51E0D91B0CB} - System32\Tasks\DNSWABENO => C:\Program Files (x86)\DNS Unlocker\dnswabeno.exe
C:\Program Files (x86)\DNS Unlocker
Task: {15442D27-2AD0-43F1-950B-CFDFE5C355A2} - System32\Tasks\AI_Updater => C:\Program Files (x86)\PCMATICPLUSSOL\updater.exe
C:\Program Files (x86)\PCMATICPLUSSOL
Task: {1D1F161C-B5AE-42F7-AB71-EF9F624F7B35} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent No Task File <==== ATTENTION
Task: {2C0542A0-AF1F-499A-8C55-3CB00218B9BB} - System32\Tasks\NDERBTXMBDRPHUEI => C:\ProgramData\Service1291\Service1291.exe <==== ATTENTION
C:\ProgramData\Service1291
Task: {2F25EE21-10FC-4005-9798-892B0F753ACA} - \ProPCCleaner_Start No Task File <==== ATTENTION
Task: {52EA023F-0702-4520-BBB6-A3EFCDC4081B} - \ProPCCleaner_Popup No Task File <==== ATTENTION
Task: {6007BC26-FCCF-4CA1-8CBF-1D1A10D7AC55} - System32\Tasks\{522CCB4E-C1D1-401F-B722-ED6EEE5E1EC2} => pcalua.exe -a "C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe" -d C:\Windows\ImmersiveControlPanel -c --uninstall --system-level
C:\Program Files (x86)\Crossbrowse
Task: {6193DD36-8EFC-4153-B3FD-957ABC98356B} - \bvxvbvef No Task File <==== ATTENTION
Task: {94704A83-4498-4908-9C67-43FB83AB9B7D} - \Microsoft\Windows\Setup\gwx\launchtrayprocess No Task File <==== ATTENTION
Task: {AD80FFEC-1599-497D-B806-687D8E1078D7} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent No Task File <==== ATTENTION
Task: {B7139439-DFAD-46A0-99BE-CCBE12303BAD} - \Optscan No Task File <==== ATTENTION
Task: {BADAEB71-7F4A-4B7F-BEF7-9C3C52CB25C2} - System32\Tasks\IEError => C:\Program Files (x86)\PCMATICPLUSSOL\virusIEFilter.exe
Task: {BDF7207E-0B72-489F-9A63-5FC49E747A92} - System32\Tasks\EasyCalendar => c:\programdata\{9576cd8e-0337-a7bc-9576-6cd8e0333638}\pricelessinstaller.exe <==== ATTENTION
Task: {CB910E41-ED53-4A18-AB10-26AA8453C2F0} - \boosterpop No Task File <==== ATTENTION
Task: {CEDF3448-47AC-4CB4-96B2-6D4FD2AC82CD} - System32\Tasks\HDNINSTSCHD => C:\WINDOWS\PCBHDNW\hdnInstaller.exe <==== ATTENTION
Task: {CFF57948-2744-45EA-BC6A-83A31E95D431} - \Ehcks No Task File <==== ATTENTION
Task: {FBE2AD6B-47AE-41F5-94D1-11DA444F8BF7} - System32\Tasks\Inejejafsacru => C:\ProgramData\Inejejafsacru\1.0.4.1\anroober.exe
C:\ProgramData\Inejejafsacru
Task: C:\WINDOWS\Tasks\CreateExplorerShellUnelevatedTask.job => 0x000A01004CFE62974D205240BBB0CD04BBB2D1D54600D400000000003C000A00200000000014730F000000000513040020200401000000000000000000000000000000000000180043003A005C00570049004E0044004F00570053005C006500780070006C006F007200650072002E0065007800650000000C002F004E004F0055004100430043004800450043004B000000000018004500780070006C006F007200650072005300680065006C006C0055006E0065006C00650076006100740065006400000000000000080003130400000000000000
Task: C:\WINDOWS\Tasks\NDERBTXMBDRPHUEI.job => 0x000A01009265CCA6CCA0FE4789EACAB81F48EB8046001201000000003C000A0020000000FEFFFFFF0B0107800013040000268021DF070800030005001600040008004C0100002B0043003A005C00500072006F006700720061006D0044006100740061005C00530065007200760069006300650031003200390031005C00530065007200760069006300650031003200390031002E00650078006500000000001B0043003A005C00500072006F006700720061006D0044006100740061005C00530065007200760069006300650031003200390031000000150047006F006C00640062006500720067002D00480050005C0047006F006C006400620065007200670000000000000008000000000000000000020030000000DF0708000400000000000000000000000000000000000000000000000700000001000000000000000000000030000100DF07080004000000000000000F002F00A0050000B40000000000000001000000010000000000000000000000
Task: C:\WINDOWS\Tasks\OMYQNNDMU1.job => 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
EmptyTemp:
end
  • Save the file to your desktop and name it as fixlist.txt
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
  • Run FRST.exe/FRST64.exe and press the Fix button just once and wait
  • If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
  • When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run.
Please copy and paste the log in your next reply.

<<<<<<<<<<

Please take note:
 

CHR dev: Chrome dev build detected! <======= ATTENTION

Unless you did this intentionally, your Chrome has been hijacked.

In the next steps we will remove and re-install Chrome, therefore I advise you to save your bookmarks, since you will lose them during the process. The information for doing this can be found here.


Remove Google Chrome
  • Open the Start menu and click Control Panel.
  • Double-click Add or Remove Programs.
  • Select the following program:

    Google Chrome

  • Click Remove.
  • When asked if you want to uninstall, place a checkmark next to Also delete your browsing data and select Uninstall.
  • Reboot your computer.
Re-install Google Chrome, please do the following..
  • Click on the following link: Google Chrome.
  • Read the Terms of Service and select Accept and Install.
  • Save ChromeSetup.exe to your desktop.
  • Go to your desktop and double-click on ChromeSetup.exe.
  • Google Chrome will then install itself.
  • When the process is over, Chrome will open.
<<<<<<<<<<

We need to remove programs using "Programs and Features"

(Or you can use your Revo Uninstaller Pro)

Click the Start orb on the taskbar, and then click Control Panel.
  • If you use Category mode, click on Uninstall a Program.
  • If you use Icons mode, click on Program and Features.
A list of programs installed will be "populated" (this may take a bit of time).
If they exist, uninstall the following by clicking on the below entries and selecting "Remove":

globalupdate Helper
PCMATICPLUS


Additional instructions can be found here if needed.

<<<<<<<<<<

Re-run FRST, check the Addition.txt box, press SCAN and copy/paste the 2 logs in your next reply.

<<<<<<<<<<

With your next post please provide:
  • Answer to question
  • Fixlog
  • New FRST log
  • New Addition.txt
  • An update about the problems that persist
Kind regards,
thcbytes
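A triage helper for the FRST "Task:" lines that the fixlist above works through by hand, added here as an example; it is not part of thcbytes's instructions or of the FRST tool. It reads the same signals the helper used (FRST's ATTENTION marker, "No Task File" orphans, executables under ProgramData/AppData, legacy .job blobs) over lines copied from the post, and derives the folder a fix would list beneath each task. The classification rules and the USER_WRITABLE list are this example's own heuristics, not FRST's.

```python
"""Triage the 'Task:' lines of an FRST scan the way the fixlist above does by hand.

Added example; not part of the forum post or of the FRST tool. The sample lines
are copied from the post's fixlist (one hex blob truncated); the classification
rules are this example's own heuristics, not FRST's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ATTENTION = "<==== ATTENTION"   # FRST's own marker for entries it distrusts
ORPHAN = "No Task File"         # registry registration whose task file is gone

# First drive-letter path ending in .exe inside a command line (quotes optional).
EXE_RE = re.compile(r'[A-Za-z]:\\[^"<>|]*?\.exe', re.IGNORECASE)

# Folders a standard user can write to; persistence there deserves a second look.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\")


@dataclass
class TaskFinding:
    name: str                         # task path as FRST prints it, GUID removed
    target: Optional[str]             # text after '=>', or None for orphans
    reasons: List[str] = field(default_factory=list)
    remove_dir: Optional[str] = None  # folder a fixlist would list under the task


def triage_task_line(line: str) -> Optional[TaskFinding]:
    """Classify one FRST 'Task:' line; return None for any other line."""
    line = line.strip()
    if not line.startswith("Task:"):
        return None
    body = line[len("Task:"):].strip()
    reasons = []
    if body.endswith(ATTENTION):
        reasons.append("flagged by FRST")
        body = body[:-len(ATTENTION)].rstrip()

    if body.endswith(ORPHAN):
        left, target = body[:-len(ORPHAN)].rstrip(), None
        # Microsoft's own leftovers (the gwx tasks in the post) land here too,
        # so this reason means "stale", not "malicious".
        reasons.append("orphaned: registration points to a missing task file")
    elif " => " in body:
        left, target = body.split(" => ", 1)
    else:
        left, target = body, None

    # "{GUID} - System32\Tasks\Name" -> "System32\Tasks\Name"; .job lines carry no GUID.
    name = left.split(" - ", 1)[1] if " - " in left else left

    remove_dir = None
    if target is not None:
        if target.startswith("0x"):
            reasons.append("legacy .job file stored as a raw blob; decode before judging")
        else:
            if target.lower().startswith("pcalua.exe"):
                reasons.append("launched through the pcalua.exe compatibility proxy")
            exe = EXE_RE.search(target)
            if exe:
                path = exe.group(0)
                remove_dir = path.rsplit("\\", 1)[0]
                if any(tok in path.lower() for tok in USER_WRITABLE):
                    reasons.append("executable lives in a user-writable folder")
    return TaskFinding(name, target, reasons, remove_dir)


def triage(report: str) -> List[TaskFinding]:
    """Run triage_task_line over a whole FRST report, keeping only Task: entries."""
    findings = (triage_task_line(ln) for ln in report.splitlines())
    return [f for f in findings if f is not None]


# Constructed sample: lines taken from the fixlist in the post above, plus one
# non-task line to show it is ignored. The .job blob is truncated.
SAMPLE = r"""
Task: {06B1A719-FDAD-4273-BC15-35250D6EC1AA} - System32\Tasks\OMYQNNDMU1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: {1450D255-5E2F-48B4-9424-A51E0D91B0CB} - System32\Tasks\DNSWABENO => C:\Program Files (x86)\DNS Unlocker\dnswabeno.exe
Task: {1D1F161C-B5AE-42F7-AB71-EF9F624F7B35} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent No Task File <==== ATTENTION
Task: {6007BC26-FCCF-4CA1-8CBF-1D1A10D7AC55} - System32\Tasks\{522CCB4E-C1D1-401F-B722-ED6EEE5E1EC2} => pcalua.exe -a "C:\Program Files (x86)\Crossbrowse\Crossbrowse\Application\39.6.2171.95\Installer\setup.exe" -d C:\Windows\ImmersiveControlPanel -c --uninstall --system-level
Task: {BDF7207E-0B72-489F-9A63-5FC49E747A92} - System32\Tasks\EasyCalendar => c:\programdata\{9576cd8e-0337-a7bc-9576-6cd8e0333638}\pricelessinstaller.exe <==== ATTENTION
Task: C:\WINDOWS\Tasks\NDERBTXMBDRPHUEI.job => 0x000A01009265CCA6CCA0FE4789EACAB81F48EB80
2015-08-04 15:48 - 2015-08-04 15:48 - 00026402 _____ C:\WINDOWS\System32\Tasks\DNSWABENO
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.name}\n    target: {f.target}\n    reasons: {f.reasons or ['none']}"
              f"\n    folder a fix would remove: {f.remove_dir}")
```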

#5 mickeddie12

mickeddie12
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 07 August 2015 - 09:32 PM

Here are the files. To answer your questions, I did install those two programs you mentioned, though I can delete National Instruments.

 

I have the known issue of "critical error, start menu and cortana are not working" and am looking for a fix. I have to run command prompt as administrator and will have to look into how to do that, or have my machine know I'm administrator upon log in. Anyway, I opened Programs and Features another way and also Revo Uninstaller and did NOT see Google Chrome nor PCMATICPLUS, but I did remove globalupdate Helper. I do not use Chrome so I would like to delete it and not bother to reinstall.

 

For now my browsing seems to be fine with firefox and the new IE.  No hangups or ads popping up.

Attached Files



#6 mickeddie12

mickeddie12
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 07 August 2015 - 09:38 PM

p.s.  I'm still getting some pop ups, and some things on web pages are still highlighted with "adchoices" ads when I move the mouse over these words.



#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:09 AM

Posted 07 August 2015 - 11:51 PM

Hi there.

I just wanted to make sure that those applications were installed purposely. TeamViewer in particular is legit but can be used for nefarious purposes by criminals. If you use them keep them, and if not then uninstall.

<<<<<<<<<<
 

Critical error, start menu and cortana are not working



Yikes! Looks like there has yet to be a MS fix for this error.  I'm sure they will push out a fix soon.  I have upgraded 4 of my computers so far and they are running fine.  Lucky me.

You might want to familiarize yourself with these keyboard shortcuts in the meantime,

http://reviews.gizmodo.com/the-ultimate-guide-to-windows-10-keyboard-shortcuts-1720656591

<<<<<<<<<<
 

EmptyTemp: => 68 GB temporary data Removed



Looks like we freed up some space :thumbup2:

<<<<<<<<<<
 
Let's continue...
 
I want you to reset msconfig. This will allow the startup of some rogue files that I will then target for removal.

Press Windows Key+R to open the Run dialog box
Type msconfig in the run box
Choose startup
Then enable all
Then apply
 
<<<<<<<<<<

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here
  • When the download appears, save to the Desktop.
  • On the Desktop, right-click the Zoek.exe file and select: Run as Administrator (Give it a few seconds to appear.)
  • Next, copy/paste the entire script inside the code box below to the input field of Zoek:
autoclean;
  • Now...
  • Close any open Browsers.
  • Click the Run script button, and wait. It takes a few minutes to run all the script.
  • When the tool finishes, the zoek-results.log is opened in Notepad.
  • The log is also found on the systemdrive, normally C:\
  • If a reboot is needed, the log is opened after the reboot.
Please post the zoek-results.log in your reply.

<<<<<<<<<<

Please download Farbar Service Scanner, save it to your desktop then run it.
  • Make sure the following options are checked:

Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services

  • Press Scan
  • It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log in your reply.

<<<<<<<<<<
 
Please run MBAM. Looks like its already installed.

If not then download it again.

Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Double-click on the renamed file to install, then follow these instructions for doing a Quick Scan in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A: 4. Issues
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab .
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

-- Some types of malware will target Malwarebytes and other security tools to keep them from running properly. If that's the case, use Malwarebytes Chameleon and follow the onscreen instructions. The Chameleon folder can be accessed by opening the program folder for Malwarebytes Anti-Malware (normally C:\Program Files\Malwarebytes' Anti-Malware or C:\Program Files (x86)\Malwarebytes' Anti-Malware).
 
<<<<<<<<<<

Uninstall Chrome Manually
  • Press Windows Key+R to open the Run dialog box, then copy & paste the command in the run box and press enter

    C:\Windows\System32\rundll32.exe shell32.dll,Options_RunDLL 0
  • Click the View tab
  • Make sure the Hide extensions for known file types checkbox is deselected
  • Next open Notepad
  • Copy/paste the following text inside the code box into a new notepad document.

    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ChromeHTML] 
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\chrome.exe] 
    [HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications]
    "Chrome"=-
    
    [-HKEY_CURRENT_USER\SOFTWARE\Classes\ChromeHTML] 
    [-HKEY_CURRENT_USER\SOFTWARE\Clients\StartMenuInternet\chrome.exe] 
    [HKEY_CURRENT_USER\SOFTWARE\RegisteredApplications]
    "Chrome"=-
    
    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Chrome]
    [-HKEY_CURRENT_USER\Software\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    [-HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    
    [-HKEY_CURRENT_USER\Software\Google\Update\Clients\{00058422-BABE-4310-9B8B-B8DEB5D0B68A}]
    [-HKEY_CURRENT_USER\Software\Google\Update\ClientState\{00058422-BABE-4310-9B8B-B8DEB5D0B68A}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
  • Click File, then Save As...
  • Click Desktop on the left.
  • Under the Save as type dropdown, select All Files.
  • In the box File Name, input google.reg.
  • Click Save
  • Double click google.reg and answer Yes to the prompts. You should receive the message that the entries have been successfully merged. If not, post back with the error message.
  • Delete google.reg after use.
  • Next navigate to the chrome folder:

    C:\Users\Goldberg\AppData\Local\google\chrome
    • Delete the Chrome folder
  • Reboot your computer
<<<<<<<<<<

Re-run FRST, check the Addition.txt box, press SCAN and copy/paste the 2 logs in your next reply.

<<<<<<<<<<

With your next post please provide:
  • Zoek log
  • FSS log
  • MBAM log
  • FRST log
  • Addition log
  • An update about the problems that persist
Kind regards,
thcbytes

#8 mickeddie12

mickeddie12
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 08 August 2015 - 07:40 AM

Just to verify even though I have mbam you want me to download again per your instructions and that is why you want me to rename it before download?

#9 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:09 AM

Posted 08 August 2015 - 08:05 AM

No. Please use your current application. If your application won't run then download again. If the new download won't run then use the renaming instructions.

Thanks

#10 mickeddie12

mickeddie12
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 09 August 2015 - 07:22 AM

Hello,

 

Here are the latest files.  Also is a screenshot of the error I received when attempting to remove google chrome with the registry modification.

 

My system seems to be working OK now - what do the logs show?

Attached Files



#11 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:09 AM

Posted 09 August 2015 - 09:52 AM

Well done :thumbup2:
 

My system seems to be working OK now

I am pleased to hear that.
 
<<<<<<<<<<
 

what do the logs show?

Almost clear.  Still some problems to address.  You were heavily infected but nothing dangerous or concerning.
 
<<<<<<<<<<
 

Also is a screenshot of the error I received when attempting to remove google chrome with the registry modification.

That error is related to the way you saved the script.  I have created and attached it for you. 

Please download the attached file removechrome.reg to your desktop then double click to run.

It shall inform you that the script merged successfully.

<<<<<<<<<<

Please reboot

<<<<<<<<<<
 
Next do this...

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings, then place a checkmark in the following:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
    • UNCHECK: Remove found threats (I don't want you to remove anything yet!!)
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Copy and paste the logfile in your reply for my review.

<<<<<<<<<<

Re-run FRST, check the Addition.txt box, press SCAN and attach the 2 logs in your next reply.

<<<<<<<<<<

With your next post please provide:
  • ESET log
  • FRST log
  • Addition log
  • An update about the problems that persist or any concerns
Kind regards,
thcbytes

#12 mickeddie12

mickeddie12
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 10 August 2015 - 03:10 PM

ESET is still running.  In the meantime I want to show you something.  Attached is a screen shot I took - see the green "network"?  When I hover my mouse over this a box from adchoices pops up with an ad for cisco servers.  Is this related to what is wrong with my system?

Attached Files



#13 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:09 AM

Posted 10 August 2015 - 04:11 PM

Hi,

ESET takes a long time!

Yes. The DNS Unlocker application is Adware. It's an annoying rogue application that we will remove.

Post when ready.

Regards,
thcbytes

#14 mickeddie12

mickeddie12
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:08:09 AM

Posted 10 August 2015 - 08:26 PM

Just an update - ESET has been running almost 24 hours and is at 16%.  (I think my system was asleep last night - I'll disable sleep mode tonight).



#15 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:09 AM

Posted 10 August 2015 - 10:10 PM

Is it still running? Take a look in Task Manager. Has it progressed past 16%? The scan can take a long time, but 24 hours is excessive.





