Chrome Popups

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ruslinarchtw, Feb 3, 2016.

  1. ruslinarchtw

    ruslinarchtw Private E-2

    Have had this problem for 4 months: a Chrome tab opens up every now and then with some form of advertising on. Have followed all procedures a few times and it still comes back, tried safe mode. Have never had a virus (etc.) before that I couldn't handle, but this one has defeated me. I have left it on there because it's not that annoying, but the time has come to reach out. Thank you for your help in advance.
     

    Attached Files:

  2. ruslinarchtw

    ruslinarchtw Private E-2

    Sorry, forgot MGlog. But HijackThis could not read/edit hosts file.
     

    Attached Files:

  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi and welcome. I am reviewing your logs and will post back soon.
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Before we continue I would like for you to use MSConfig to put this machine back into normal startup mode. Any other mode is primarily used for troubleshooting and diagnostic purposes. You should look into some third party software to control startups.

    You should begin by removing any cracked software you have, like the below ;)

    C:\Users\russ\Downloads\Atomix Virtual DJ Pro Infinity v8.0.2438 FINAL + Crack [TechTools.NET]\Atomix Virtual DJ Pro Infinity v8.0.2438 FINAL + Crack [TechTools.NET]\Plug-Ins\Virtual DJ Skins,samples\VirtualDJ\Plugins\SoundEffect\Adjustable Linear Sawtooth Flanger.dll
    C:\Users\russ\Downloads\programs\Xfer Records Cthulhu v1.03 WiN MAC OSX-UNION [deepstatus][h33t][1337x][flashtorrents]\Cthul\Xfer.Records.Cthulhu.v1.03-UNION\Install_Xfer_Cthulhu_103.exe



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7/8 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Tasks tab and locate these detections:

    • [Suspicious.Path] \4642 -- wscript.exe (C:\Users\russ\AppData\Local\Temp\launchie.vbs //B) -> Found
    • [Suspicious.Path] \GNU_635864330117947750 -- C:\Users\russ\AppData\Roaming\SafeWeb\gsw.exe -> Found

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.


    ...and the same for these entries on the Registry tab please...

    • [Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BdProcMon (\??\C:\Users\russ\AppData\Local\Temp\nsl12B1.tmp\BdProcMon.sys) -> Found
    • [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet001\Services\BdProcMon (\??\C:\Users\russ\AppData\Local\Temp\nsl12B1.tmp\BdProcMon.sys) -> Found
    • [Suspicious.Path] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\BdProcMon (\??\C:\Users\russ\AppData\Local\Temp\nsl12B1.tmp\BdProcMon.sys) -> Found

    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.



    Do you know what these are?

    C:\Users\russ\AppData\Local\Ho.dat
    C:\Users\russ\AppData\Local\Ring.dat
    C:\Users\russ\AppData\Local\SFX.db
    C:\Users\russ\AppData\Local\VD.db
    C:\Users\russ\AppData\Local\VDX.db
    C:\Users\russ\AppData\Local\WIX.db
    C:\Users\russ\AppData\Local\WPX.db

    C:\ProgramData\161cfda5-1ee3-0
    C:\ProgramData\161cfda5-5921-1
    C:\ProgramData\161cfda5-7875-1


    Download and run OTM.


    Download OTM by Old Timer and save it to your Desktop.

    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Paste the following code under the [IMG] area. Do not include the word Code.

    Code:
    :reg
    [-HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179}]
    [-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{444785F1-DE89-4295-863A-D46C3A781394}]
    [-HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CHERIMOYA]
    [-HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CHERIMOYA]
    [-HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CHERIMOYA]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large [IMG] button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Re run RogueKiller (just a scan) and upload log.
    Same for Hitman Pro.
    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running!
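    As an added illustration (not part of this thread and not RogueKiller's own code), a small Python triage that parses detection lines in the "[Category] item -> Status" shape quoted above and flags the traits that made these entries worth deleting: a binary or script living in a user-writable folder, a script host launching a script, and a kernel driver service. The report text is constructed from the three detections in this post plus one constructed benign control entry (a normal Google Update task); the regular expressions are my assumption about the line format, not a published specification.

```python
import re
from dataclasses import dataclass

# Constructed sample: the three detections quoted in this post, plus one
# constructed benign control entry so the triage has something it should NOT flag.
SAMPLE_REPORT = r"""
[Suspicious.Path] \4642 -- wscript.exe (C:\Users\russ\AppData\Local\Temp\launchie.vbs //B) -> Found
[Suspicious.Path] \GNU_635864330117947750 -- C:\Users\russ\AppData\Roaming\SafeWeb\gsw.exe -> Found
[Suspicious.Path] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BdProcMon (\??\C:\Users\russ\AppData\Local\Temp\nsl12B1.tmp\BdProcMon.sys) -> Found
[Suspicious.Path] \GoogleUpdateTaskMachineUA -- C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /ua -> Found
"""

# Assumed line shape: "[Category] item -> Status". A leading bullet or a missing
# opening bracket (as in the thread's paste) is tolerated.
LINE_RE = re.compile(r"^\s*(?:•\s*)?\[?(?P<cat>[\w.]+)\]\s+(?P<item>.+?)\s+->\s+(?P<status>\w+)\s*$")
# First drive-letter path ending in an executable/script extension; this skips the
# \??\ object-manager prefix on driver paths and allows spaces in the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:vbs|vbe|js|jse|wsf|exe|sys|dll|bat|cmd|ps1)\b", re.I)
SCRIPT_HOST_RE = re.compile(r"\b[wc]script\.exe\b", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\programdata\\", "\\users\\public\\")

@dataclass
class Finding:
    category: str
    item: str
    path: str
    reasons: list

def parse_line(line):
    """Split one report line into (category, item, path); None if it is not a detection."""
    m = LINE_RE.match(line)
    if not m:
        return None
    item = m.group("item")
    p = PATH_RE.search(item)
    return m.group("cat"), item, (p.group(0) if p else "")

def assess(item, path):
    """Return the reasons an entry deserves removal; an empty list means leave it alone."""
    reasons = []
    low = path.lower()
    if any(d in low for d in USER_WRITABLE):
        reasons.append("binary lives in a user-writable location")
    if SCRIPT_HOST_RE.search(item) and low.endswith(SCRIPT_EXT):
        reasons.append("script host launches a script")
    if low.endswith(".sys") and "\\services\\" in item.lower():
        reasons.append("kernel driver service")  # a driver loaded from Temp is the strongest signal here
    return reasons

def triage(report):
    """Parse a whole report and keep only the entries with at least one reason."""
    findings = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        cat, item, path = parsed
        reasons = assess(item, path)
        if reasons:
            findings.append(Finding(cat, item, path, reasons))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"[{f.category}] {f.path}\n    " + "; ".join(f.reasons))
```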
     
  5. ruslinarchtw

    ruslinarchtw Private E-2

    OK, have followed all procedures. Here's new logs.
    Do you know what these are?

    C:\Users\russ\AppData\Local\Ho.dat
    C:\Users\russ\AppData\Local\Ring.dat
    C:\Users\russ\AppData\Local\SFX.db
    C:\Users\russ\AppData\Local\VD.db
    C:\Users\russ\AppData\Local\VDX.db
    C:\Users\russ\AppData\Local\WIX.db
    C:\Users\russ\AppData\Local\WPX.db

    C:\ProgramData\161cfda5-1ee3-0
    C:\ProgramData\161cfda5-5921-1
    C:\ProgramData\161cfda5-7875-1

    NO IDEA!!!!!

    Thank you for your help. I will have to wait now to see if fixed, should know within 48 hours. I will let you know.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Download OTL to your desktop.



    We need to run an OTL Fix


    • Right-click OTL.exe to run it as admin. If Windows UAC prompts you, please allow it.
    • Copy and Paste the following code into the textbox. Do not include the word Code
    Code:
    :reg
    [-HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CHERIMOYA]
    [-HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CHERIMOYA]
    [-HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CHERIMOYA]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113}]
    
    :files
    C:\Users\russ\AppData\Local\Ho.dat
    C:\Users\russ\AppData\Local\Ring.dat
    C:\Users\russ\AppData\Local\SFX.db
    C:\Users\russ\AppData\Local\VD.db
    C:\Users\russ\AppData\Local\VDX.db
    C:\Users\russ\AppData\Local\WIX.db
    C:\Users\russ\AppData\Local\WPX.db
    C:\ProgramData\161cfda5-1ee3-0
    C:\ProgramData\161cfda5-5921-1
    C:\ProgramData\161cfda5-7875-1
    
    :commands
    [EMPTYTEMP]
    [RESETHOSTS]
    [REBOOT]
    • Then click the Run Fix button at the top.
    • Click Image.
    • OTL may ask to reboot the machine. Please do so if asked.
    • The report should appear in Notepad after the reboot. ATTACH that report in your next reply.


    Re run Hitman Pro and upload fresh log.
     
  7. ruslinarchtw

    ruslinarchtw Private E-2

    It came back ahhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh!!!!!! This is the page (snip). I am working tonight but can get on it tomorrow.
     
    Last edited by a moderator: Feb 5, 2016
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, catch you again tomorrow. :)
     
  9. ruslinarchtw

    ruslinarchtw Private E-2

    OK, back on the case. Got another 888 casino popup.
     
  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You need to follow my instructions, ruslinarchtw....
     
  11. ruslinarchtw

    ruslinarchtw Private E-2

    Sorry, didn't see last instructions. Here are the new logs.
     

    Attached Files:

  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

    Note: Make sure you download the correct version for your PC. Only the correct version will work.
    • Double-click to run it. When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
    • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
     
  13. ruslinarchtw

    ruslinarchtw Private E-2

    here are the logs
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hang in there, I'm just cooking my meal for tonight. Will make a response soon.
     
  15. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTE: This script was written specifically for this user for use on this particular computer. Running this on another machine may cause damage to your operating system.
    Download Fixlist.txt

    Save fixlist.txt on your Desktop. Make sure you save it as a txt file.

    • You should now have both fixlist.txt and FRST.exe on your Desktop.
    • Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
    • Run FRST.exe by right clicking on it and selecting Run As Administrator
    • Click the Fix button just once and wait.
    • Your computer should reboot after the fix runs.
    • Reconnect your internet connection after reboot so you can come back here to continue.
    • The tool will make a log on the Desktop (Fixlog.txt) please upload this new log to your next reply
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    • Fixlog.txt
    • C:\MGlogs.zip
    Please attach the above two logs first before you continue with the below.
    Also at this point, I want to double check the status of things by having you run another scan with FRST like in my last message and attach the new FRST.txt and Addition.txt logs.

    Re run Hitman Pro and upload new log.
     

    Attached Files:

  16. ruslinarchtw

    ruslinarchtw Private E-2

    First logs
     

    Attached Files:

  17. ruslinarchtw

    ruslinarchtw Private E-2

    second logs
     

    Attached Files:

  18. ruslinarchtw

    ruslinarchtw Private E-2

    hitman log
     

    Attached Files:

  19. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    How do you feel about going into the Windows Registry and making some deletions?
     
  20. ruslinarchtw

    ruslinarchtw Private E-2

    Why, what have you spotted.... OK
     
  21. ruslinarchtw

    ruslinarchtw Private E-2

    I could always back up reg first
     
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    What Hitman is finding needs removing... my auto fixes have failed so far.

    Code:
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CHERIMOYA\ (Shopperz)
    HKLM\SYSTEM\ControlSet002\Enum\Root\LEGACY_CHERIMOYA\ (Shopperz)
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CHERIMOYA\ (Shopperz)
    HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B} (Claro)
    HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975} (Claro)
    HKU\S-1-5-21-1835553702-4148024590-2211200516-1001\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} (FLV Player)
     
  23. ruslinarchtw

    ruslinarchtw Private E-2

    It will not let me delete, access denied. Tried in safe mode as well.
     
  24. ruslinarchtw

    ruslinarchtw Private E-2

    OK, all deleted. Here's the new Hitman log.
     

    Attached Files:

  25. ruslinarchtw

    ruslinarchtw Private E-2

    And it's back again.
     
  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Is Google Chrome the only browser you're having issues with?
     
  27. ruslinarchtw

    ruslinarchtw Private E-2

    Yes. Just done another RogueKiller, do you want that log? Has a few items.
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Yes you might as well upload it.
     
  29. ruslinarchtw

    ruslinarchtw Private E-2

    log
     

    Attached Files:

  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    That's not a Roguekiller log....
     
  31. ruslinarchtw

    ruslinarchtw Private E-2

    Sorry
     

    Attached Files:

  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  33. ruslinarchtw

    ruslinarchtw Private E-2

    Reset Chrome, just had another popup.
     
  34. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Time to back up Chrome bookmarks etc...

    Uninstall the below using >>> Revo Uninstaller:

    • Google Chrome
    • Google Earth Plug-in
    • Google Update Helper

    Reboot... now do this.... Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

    Do NOT reinstall anything YET!!!
     
  35. ruslinarchtw

    ruslinarchtw Private E-2

    MG log
     

    Attached Files:

  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.


    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.



    SystemLook

    Please download SystemLook from one of the links below appropriate for your operating system and save it to your Desktop.
    Download 32 Bit
    Download 64 Bit

    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      Google
      :regfind
      Chrome
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  37. ruslinarchtw

    ruslinarchtw Private E-2

    syslook log
     

    Attached Files:

  38. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    And are other browsers okay? (IE and Firefox?)
     
  39. ruslinarchtw

    ruslinarchtw Private E-2

    Yes, but changed default browser to Firefox, so will know by tomorrow.
     
  40. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, let me know how other browsers are acting as soon as you can. It's late here and I shall be going to bed shortly.
     
  41. ruslinarchtw

    ruslinarchtw Private E-2

    All day and no popups on other browsers. Had FF and IE on all night and day, 15h+, normally would have had one by now.
     
  42. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Reinstall Google Chrome at this point and let me know how you get on.
     
  43. ruslinarchtw

    ruslinarchtw Private E-2

    Cool, have done, will let you know. Working all weekend so all quiet till Monday, sorry, unless it happens in next few hours.
     
  44. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    OK, best of luck :)
     
  45. ruslinarchtw

    ruslinarchtw Private E-2

    they come back again
     
  46. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you say 'they come back again' can you elaborate please?

    Also you said:

    Is this new tab still opening? If so screenshot it for me please.
     
  47. ruslinarchtw

    ruslinarchtw Private E-2

    Here is the offender. It just pops up on new tab, no warning. I've even caught it opening up Chrome to do it.
     

    Attached Files:

  48. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

  49. ruslinarchtw

    ruslinarchtw Private E-2

    OK, they popped up again in a new window, not tab. They opened their own session of Chrome, two of them.
     

    Attached Files:

  50. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
