
Google Chrome malware putting "Click to continue > by provider" icons everywhere


This topic is locked
22 replies to this topic

#1 ErnestJB
  • Members
  • 10 posts

Posted 02 May 2016 - 11:56 PM

Hi, my Google Chrome became infected with what I think is malware.  It comes and goes, but it puts icons containing green squares with an arrow in the center in various places and creates hyperlinks on various text that aren't normally there.  It also redirects me to various websites and causes pop-up ads to appear.  How can I get rid of this?  Thanks.  --Ben.





#2 satchfan
  • Malware Response Team
  • 2,668 posts
  • Location:Devon, UK

Posted 03 May 2016 - 03:16 AM

Hello Ben and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested

===================================================

Note: Please follow these instructions in the order given.

===================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner by clicking on Scan
  • when it has finished, leave everything that was found checked, (ticked), then click on Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

===================================================

Download and run Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.

  • shut down your protection software now to avoid potential conflicts.
  • run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator"
  • the tool will open and start scanning your system
  • please be patient as this can take a while to complete depending on your system's specifications
  • on completion, a log (JRT.txt) is saved to your desktop and will automatically open
  • post the contents of JRT.txt into your next message.

===================================================

Run Farbar Recovery Scan Tool

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

  • right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • press Scan button
  • it will produce a log called Frst.txt in the same directory the tool is run from
  • please copy and paste log back here.
  • the first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the Frst.txt into your reply.

================================================

Logs to include with next post:

AdwCleaner log
JRT.txt
Frst.txt
Addition.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.


#3 ErnestJB
  • Topic Starter
  • Members
  • 10 posts

Posted 03 May 2016 - 11:51 AM

Thanks for helping me.  The log files are attached.  It looks like two log files were created by AdwCleaner (AdwCleaner[C2].txt and AdwCleaner[S3].txt), so I've attached both of them.  Thanks again.  --Ben. 



#4 satchfan
  • Malware Response Team
  • 2,668 posts
  • Location:Devon, UK

Posted 03 May 2016 - 05:03 PM

I think that uninstalling Chrome may be the best answer. You cannot remove some Chrome problems except with an uninstall/re-install of Chrome (even though Google have been aware of this since 2008 and haven't bothered to do anything about it).

Uninstall/Reinstall Google Chrome

First save all your bookmarks/favourites.

  • open Chrome, click on the 3 bars in the top right hand corner, select Bookmarks and then Bookmarks Manager
  • click on Organise and then select Export Bookmarks to HTML file, then choose Desktop to save it
  • again, click on the three bars in the top right hand corner and select Settings
  • in the list of Settings under “Sign in” click on Disconnect your Google Account – (if “Disconnect your Google Account” is not there, you will have to sign in using your Chrome username and password first to make it visible)
  • in the text of the next window click on “Google Dashboard” then, at the “Chrome sync” screen, click on Stop and Clear at the bottom
  • a box will open and ask for confirmation, click on OK (wait for this to complete before doing the next step)
  • when confirmation appears close that page and then click on Disconnect account
  • shut Google Chrome, click on Start > Control Panel > Programs and Features (or Add/Remove Programs in XP) and uninstall Google Chrome. Select Everything for removal if asked.

Reboot the system and then reinstall Google Chrome from here

Repeat the process to reinstate your bookmarks by going to Bookmarks > Bookmarks Manager > Organise and select Import Bookmarks.

Let me know if that has solved the problem.

Satchfan

 




#5 ErnestJB
  • Topic Starter
  • Members
  • 10 posts

Posted 04 May 2016 - 01:18 AM

I think that did it!  Thanks for your help!  --Ben.



#6 satchfan
  • Malware Response Team
  • 2,668 posts
  • Location:Devon, UK

Posted 04 May 2016 - 06:25 AM

We're not finished yet as there were other entries in your FRST log.

Please run Farbar Recovery Scan tool again and post the new FRST.txt.

Thanks

Satchfan




#7 ErnestJB
  • Topic Starter
  • Members
  • 10 posts

Posted 04 May 2016 - 10:58 AM

Ok, here you go.  

Attached Files

  • Attached File: FRST.txt (46.14KB, 3 downloads)


#8 satchfan
  • Malware Response Team
  • 2,668 posts
  • Location:Devon, UK

Posted 04 May 2016 - 11:22 AM

Did you set this intentionally?

ProxyServer: [S-1-5-21-1692041096-203088739-4077570711-1001] => 127.0.0.1:8118




#9 ErnestJB
  • Topic Starter
  • Members
  • 10 posts

Posted 04 May 2016 - 11:25 AM

I don't think so.  What does that line mean?  I frequently use a university library's proxy bookmark tool for access to scholarly journals, but I don't know if that is related to that line in the log file.



#10 satchfan
  • Malware Response Team
  • 2,668 posts
  • Location:Devon, UK

Posted 04 May 2016 - 02:58 PM

It could be to do with that but it’s no problem removing it as it will be reset if needed.

Run Farbar Recovery Scan Tool

Open Notepad. Please copy the contents of the code box below and paste it into Notepad.

() C:\Users\Ben\AppData\Roaming\Internet Defrag\Internet Defrag.exe
HKLM-x32\...\Run: [mcui_exe] => "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
ProxyServer: [S-1-5-21-1692041096-203088739-4077570711-1001] => 127.0.0.1:8118
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-1692041096-203088739-4077570711-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
DPF: HKLM-x32 {4FF78044-96B4-4312-A5B7-FDA3CB328095}
2016-04-24 15:07 - 2016-04-24 15:07 - 00003626 _____ C:\WINDOWS\System32\Tasks\Internet Defrag
2016-04-24 15:07 - 2016-04-24 15:07 - 00003288 _____ C:\WINDOWS\System32\Tasks\Internet Defrag Logon
2016-04-24 15:07 - 2016-04-24 15:07 - 00000000 ____D C:\Users\Ben\AppData\Roaming\Internet Defrag
Task: {F2E83CD0-DB68-4638-BF20-0BB9BEA8DE61} - System32\Tasks\Internet Defrag => C:\Users\Ben\AppData\Roaming\Internet Defrag\Internet Defrag.exe [2016-04-24] () <==== ATTENTION
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcpltsvc => ""=""
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mcpltsvc => ""=""
C:\Users\Ben\AppData\Roaming\Internet Defrag
C:\Program Files\McAfee.com
C:\Users\Ben\AppData\Local\Temp\BE42.tmp.exe
C:\Users\Ben\AppData\Local\Temp\EB9C.tmp.exe
C:\Users\Ben\AppData\Local\Temp\GPUpd5725AB9E0.exe
C:\Users\Ben\AppData\Local\Temp\GPUpd5725ABA10.exe
C:\Users\Ben\AppData\Local\Temp\GURCD92.exe
C:\Users\Ben\AppData\Local\Temp\i4jdel0.exe
C:\Users\Ben\AppData\Local\Temp\jre-8u73-windows-au.exe
C:\Users\Ben\AppData\Local\Temp\neoNCSetup64.exe
C:\Users\Ben\AppData\Local\Temp\pyl75F1.tmp.exe
C:\Users\Ben\AppData\Local\Temp\Risweb32.exe
C:\Users\Ben\AppData\Local\Temp\SPSetup.exe
C:\Users\Ben\AppData\Local\Temp\xmlUpdater.exe
cmd: netsh winsock reset catalog
cmd: ipconfig /flushdns
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

  • save the file as fixlist.txt in the same folder as FRST – NOTE: it's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log on your desktop, (Fixlog.txt); please post it to your reply.

================================================

Download Malwarebytes Anti-Malware

Click here.

  • double-click mbam-setup.exe and follow the prompts to install the program – (Note: Vista & Windows 7, 8, 10 users, please right-click and select “Run as Administrator”)
  • select the “Scan” tab at the top
  • there are three scan types; choose Threat Scan, then click on Scan
  • when the scan is complete, if no malicious items are found you can close the program
  • if malicious items are found be sure that everything is checked and click Quarantine
  • when removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • the log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • copy and paste the contents of that report in your next reply and exit MBAM.

NOTE: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Logs to include with the next post:

Fixlog.txt
Mbam.txt


Thanks

Satchfan

 




#11 ErnestJB
  • Topic Starter
  • Members
  • 10 posts

Posted 04 May 2016 - 04:13 PM

MBAM removed 37 malicious items.  The log file I found was mbam-log-2016-05-04.xml.  The attach tool wouldn't let me attach the mbam file so I copied and pasted it below like you requested.  The Fixlog.txt file is attached.  

 





#12 satchfan
  • Malware Response Team
  • 2,668 posts
  • Location:Devon, UK

Posted 04 May 2016 - 05:00 PM

You did well with the FRST "fix".

I'd like to see the Malwarebytes log as a text file as it doesn't appear that anything was fixed from the one you sent.

  • open Malwarebytes and click on the “History” tab
  • on the left click on Application Logs
  • locate the log from the first run and click on it to open it
  • click on Export and choose .txt file
  • please copy and paste the results in your reply.

Thanks
 

 




#13 ErnestJB
  • Topic Starter
  • Members
  • 10 posts

Posted 04 May 2016 - 05:09 PM

Here it is, pasted below and attached.
 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 5/4/2016
Scan Time: 4:34 PM
Logfile: mbam-log.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.05.04.06
Rootkit Database: v2016.04.17.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 8
CPU: x64
File System: NTFS
User: Ben
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 441186
Time Elapsed: 20 min, 47 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 4
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\LAYERS\VC32LDR  , Quarantined, [b1354d84b4e559dd86e515490ef69070], 
PUP.Optional.SearchProtect.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}, Quarantined, [b630d2ffa0f96cca51eee0c00afaeb15], 
PUP.Optional.SearchProtect.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{cf2797aa-b7ec-e311-8ed9-005056c00008}, Quarantined, [e2040bc68e0bbe78d46c257bf2128878], 
PUP.Optional.PriceFountain, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{50333BE1-3847-4C6D-BDE3-78774B091C21}, Quarantined, [ca1ca9281485fe385416dfd380840cf4], 
 
Registry Values: 9
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\chrome.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130782077228639085, Quarantined, [a343fad7d4c5c670ff6bfe60b054fa06]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\explorer.xxx|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130782077228639085, Quarantined, [43a3e4edeaafdf57ea80bf9fb450d030]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\firefox.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130782077228639085, Quarantined, [40a6f9d86d2cd066aac00b53897b49b7]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\iexplore.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130782077228639085, Quarantined, [8a5c8e43c7d2b97d6307095556aeb34d]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\software_removal_tool.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130782077228639085, Quarantined, [d115c1107722d1653c2e243a0103f709]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\software_reporter_tool.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130782077228639085, Quarantined, [33b3b21f9bfe69cde684a1bdb64ea957]
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\LAYERS\VC32Ldr  |{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130782077228639085, Quarantined, [b1354d84b4e559dd86e515490ef69070]
PUP.Optional.PriceFountain, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{50333BE1-3847-4C6D-BDE3-78774B091C21}|Path, \Microsoft\Windows\Setup\8.1 auto install v2, Quarantined, [ca1ca9281485fe385416dfd380840cf4]
PUP.Optional.GoSearchMe, HKU\S-1-5-21-1692041096-203088739-4077570711-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ABOUTURLS|Tabs, https://gosearch.me/?u=1cbe5f00a142e390bce226510d809a6d&c=gpupdater&src=hp&inst=1462259360, Quarantined, [974f60710297c76f42fc88b4917305fb]
 
Registry Data: 0
(No malicious items detected)
 
Folders: 2
PUP.Optional.Helper, C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\hks4wor7.default\extensions\firefox@helper2, Quarantined, [2db94e8392072511498aa49ed42f7d83], 
PUP.Optional.Helper, C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\hks4wor7.default\extensions\firefox@helper2\content, Quarantined, [2db94e8392072511498aa49ed42f7d83], 
 
Files: 22
Trojan.Downloader, C:\Program Files (x86)\Keyboard Updater\KeyboardUpdater.exe, Quarantined, [11d5c40d7d1c0c2afddefa3cca38a55b], 
PUP.Optional.InstallCore, C:\Users\Ben\Downloads\FileZilla_3.9.0.3_win32-setup.exe, Quarantined, [d115735e1c7d7abc568bcf839e636b95], 
PUP.Optional.InstallCore, C:\Users\Ben\Downloads\FileZilla_3.9.0.5_win32-setup (1).exe, Quarantined, [f4f214bd7524ee4848b45c0ab34eac54], 
PUP.Optional.IBryte, C:\Users\Ben\Downloads\fl_setup.exe, Quarantined, [875fc908c0d9bf7703fef8fd728e6b95], 
PUP.Optional.InstallCore, C:\Users\Ben\Downloads\winzip180.exe, Quarantined, [d61021b0108967cf73a1ce39ec196f91], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1422951654062, Quarantined, [26c028a9a5f4a591fb3b7ea161a1946c], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1421242179397, Quarantined, [5b8b8f42c0d95bdb1026100f7c8637c9], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1423578643374, Quarantined, [0bdbffd2960346f0cf67a27d4bb77f81], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1424361937080, Quarantined, [16d08c45acedaa8c62d44cd3ea1819e7], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1424876599290, Quarantined, [ffe7ad24bfda9c9a21152ef109f916ea], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1426703023533, Quarantined, [04e2b21fe4b5c76fb77f3ce3e41ec13f], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1427208335006, Quarantined, [43a3def398016cca87af46d9fc06dc24], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1429025322632, Quarantined, [5195666bedac10265bdb8897f80a4db3], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1430748919490, Quarantined, [1ec8cd048a0f40f625117ca319e99b65], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1432116661486, Quarantined, [a442fdd4f6a3d363a39327f811f143bd], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1432172173408, Quarantined, [12d4c70a4b4eab8b092d1609a06258a8], 
PUP.Optional.SearchProtect, C:\Windows\apppatch\apppatch64\VCLdr64.dll_1433496512766, Quarantined, [20c61fb244558caa6bcb8b94d929f808], 
PUP.Optional.Helper, C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\hks4wor7.default\extensions\firefox@helper2\chrome.manifest, Quarantined, [2db94e8392072511498aa49ed42f7d83], 
PUP.Optional.Helper, C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\hks4wor7.default\extensions\firefox@helper2\install.rdf, Quarantined, [2db94e8392072511498aa49ed42f7d83], 
PUP.Optional.Helper, C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\hks4wor7.default\extensions\firefox@helper2\content\load.js, Quarantined, [2db94e8392072511498aa49ed42f7d83], 
PUP.Optional.Helper, C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\hks4wor7.default\extensions\firefox@helper2\content\overlay.xul, Quarantined, [2db94e8392072511498aa49ed42f7d83], 
PUP.Optional.Helper, C:\Users\Ben\AppData\Roaming\Mozilla\Firefox\Profiles\hks4wor7.default\extensions\firefox@helper2\content\style.css, Quarantined, [2db94e8392072511498aa49ed42f7d83], 
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)



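As an added example (not from this thread, and not Malwarebytes' own code), here is a Python parser for the Malwarebytes 2.x text-log layout pasted above, with a few triage rules that encode what the entries in this log mean for a defender: shim databases (.sdb) registered under AppCompatFlags\Custom for browser executables, the TaskCache entry, the AboutURLs hijack, and bundled installers in Downloads. The sample log is constructed from a handful of the lines above; the section-name list and the note wording are my assumptions.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes Anti-Malware 2.x text-log layout used in this
# thread; the entries are copied from the log posted above, trimmed to a few lines.
SAMPLE_LOG = r"""
Registry Keys: 2
PUP.Optional.SearchProtect.AppFlsh, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\INSTALLEDSDB\{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}, Quarantined, [b630d2ffa0f96cca51eee0c00afaeb15], 
PUP.Optional.PriceFountain, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{50333BE1-3847-4C6D-BDE3-78774B091C21}, Quarantined, [ca1ca9281485fe385416dfd380840cf4], 

Registry Values: 2
PUP.Optional.Trovi, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\APPCOMPATFLAGS\CUSTOM\chrome.exe|{8a4d5a43-c64a-45ab-bdf4-804fe18ceafd}.sdb, 130782077228639085, Quarantined, [a343fad7d4c5c670ff6bfe60b054fa06]
PUP.Optional.GoSearchMe, HKU\S-1-5-21-1692041096-203088739-4077570711-1001\SOFTWARE\MICROSOFT\INTERNET EXPLORER\ABOUTURLS|Tabs, https://gosearch.me/?u=1cbe5f00a142e390bce226510d809a6d&c=gpupdater&src=hp&inst=1462259360, Quarantined, [974f60710297c76f42fc88b4917305fb]

Registry Data: 0
(No malicious items detected)

Files: 2
Trojan.Downloader, C:\Program Files (x86)\Keyboard Updater\KeyboardUpdater.exe, Quarantined, [11d5c40d7d1c0c2afddefa3cca38a55b], 
PUP.Optional.InstallCore, C:\Users\Ben\Downloads\winzip180.exe, Quarantined, [d61021b0108967cf73a1ce39ec196f91], 
"""

# Section names as MBAM 2.x prints them (assumed complete for this log version).
SECTIONS = ("Processes", "Modules", "Registry Keys", "Registry Values",
            "Registry Data", "Folders", "Files", "Physical Sectors")
SECTION_RE = re.compile(r"^(?P<name>%s): (?P<count>\d+)$" % "|".join(SECTIONS))
# One detection: vendor, path[, data], action, [md5]; the trailing ", " on some lines is tolerated.
ENTRY_RE = re.compile(
    r"^(?P<vendor>[^,]+), (?P<body>.+), (?P<action>[^,\[\]]+), "
    r"\[(?P<hash>[0-9a-f]{32})\],?\s*$")

# Triage rules (regex over the detection path, note). They encode what the entries in
# this thread's log mean for a defender; the wording is mine, not Malwarebytes' output.
RULES = [
    (re.compile(r"APPCOMPATFLAGS\\CUSTOM\\(?P<exe>[^\\|]+)\|[^|]*\.sdb$", re.I),
     "AppCompat shim (.sdb) registered for {exe}: persistence via application shimming"),
    (re.compile(r"APPCOMPATFLAGS\\INSTALLEDSDB\\", re.I),
     "installed shim database: look for CUSTOM values carrying the same GUID"),
    (re.compile(r"\\SCHEDULE\\TASKCACHE\\TASKS\\", re.I),
     "scheduled-task persistence: confirm the task is gone after reboot"),
    (re.compile(r"INTERNET EXPLORER\\ABOUTURLS\|", re.I),
     "browser new-tab/start-page hijack pointing at {data}"),
    (re.compile(r"^C:\\Users\\[^\\]+\\Downloads\\", re.I),
     "bundled installer in Downloads: likely the original delivery vector, not persistence"),
]


def parse_mbam_log(text):
    """Parse an MBAM 2.x text log into (detections, declared count per section)."""
    section, entries, declared = None, [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            declared[section] = int(m.group("count"))
            continue
        m = ENTRY_RE.match(line)
        if not (section and m):
            continue  # blank lines, "(No malicious items detected)", report header
        path, data = m.group("body"), None
        if section == "Registry Values":
            path, _, data = path.partition(", ")  # key|valuename, data
        entries.append({"section": section, "vendor": m.group("vendor"), "path": path,
                        "data": data, "action": m.group("action"), "hash": m.group("hash")})
    return entries, declared


def summarize(entries, declared):
    """Counts per section and per family, plus sections whose parsed line count
    disagrees with the header count (a truncated paste shows up here)."""
    by_section = Counter(e["section"] for e in entries)
    by_family = Counter(e["vendor"] for e in entries)
    mismatch = {s: (n, by_section.get(s, 0)) for s, n in declared.items()
                if n != by_section.get(s, 0)}
    return by_section, by_family, mismatch


def triage(entries):
    """Apply RULES to every detection path; return [(vendor, path, note), ...]."""
    findings = []
    for e in entries:
        for rx, note in RULES:
            m = rx.search(e["path"])
            if m:
                findings.append((e["vendor"], e["path"], note.format(
                    exe=m.groupdict().get("exe", "?"), data=e["data"] or "?")))
    return findings


if __name__ == "__main__":
    ents, decl = parse_mbam_log(SAMPLE_LOG)
    by_section, by_family, mismatch = summarize(ents, decl)
    print("per section:", dict(by_section))
    print("per family:", dict(by_family))
    print("header/body mismatch:", mismatch or "none")
    for vendor, path, note in triage(ents):
        print(f"[{vendor}] {path}\n    -> {note}")
```

A header/body count mismatch flags a truncated paste before anyone starts reading individual entries.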

#14 satchfan
  • Malware Response Team
  • 2,668 posts
  • Location:Devon, UK

Posted 05 May 2016 - 10:38 AM

Thanks.

There was a lot found so let’s run an online scan to be sure nothing is left and if that’s clear I’ll send instructions to tidy up.


Run ESET Online Scan

Note: This may take a long time so please be patient.

IMPORTANT: Please make sure you uncheck the box next to Remove found threats. Eset will detect anything that looks even slightly suspicious, which could include legitimate program files. If you do not uncheck the box, Eset will automatically remove all suspicious files, which could leave some of your software inoperable.

Note: You can use Internet Explorer, FireFox or Chrome for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Hold down Control and click on the following link to open ESET OnlineScan in a new window.

ESET OnlineScan

  • click the Run Eset online Scanner button
  • for alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    o    click on esetinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    o    double click on the Eset installer icon on your desktop.
  • check Yes, I accept the Terms of Use
  • click the Start button
  • accept any security warnings from your browser
  • check Enable detection of potentially unwanted applications
  • click Advanced settings and select the following:
    o    scan archives
    o    scan for potentially unsafe applications
    o    enable Anti-Stealth technology
    Note: Do not check Remove found threats
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • when the scan completes, push List of found threats
  • push Export to Text file and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - if ESET doesn't find any threats, no report will be created.
  • push the back button.
  • push Finish
When the scan is complete:

If no threats were found:

o    put a checkmark in "Uninstall application on close"
o    close program
o    report to me that nothing was found.

If threats were found:

o    click on "list of threats found"
o    click on "export to text file" and save it as ESET results and save to the desktop
o    click on back
o    put a checkmark in "Uninstall application on close"
o    click on finish
o    close program
o    copy and paste the report here.

Thanks

Satchfan

 

 




#15 ErnestJB
  • Topic Starter
  • Members
  • 10 posts

Posted 06 May 2016 - 11:18 AM

There were threats found.  The file is attached.  The malware isn't completely removed from my computer, but it seems like some is removed.  It comes and goes.  The original issue I posted about still happens occasionally.  When it does, there will be a new button on the top right of Chrome beside the three horizontal lines that has a number, which is the number of unwanted programs running.  If I click it, I get the option to remove them from Chrome.  Doing this fixes the problem temporarily, but they come back eventually.  It is less frequent, and it doesn't completely take over my browser like it did before, so it is getting better.
