Chrome Popups

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Paste the following code under the area. Do not include the word Code.

Code:

:Files
C:\Windows\Tasks\{057E0D47-0405-7D0A-0411-0B0B080C1179}.job

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


Are these add on's still installed?

• NewTab
• New Tab Redirect
• Proxmate

 

@Kestrel13!, You need to check yourself!!! New FRST log for example.

You also did not request a new log from MGtools above so how will you know the task was removed! You need to always obtain follow up logs to verify fixes actually succeeded.

 

@
ruslinarchtw

• 
  
• Double-click FRST to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please upload it to your next reply.

Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Don't forget the new FRST.txt

 

Hang in there, seeking advice.

 

How is Google Chrome behaving now?

 

Really?! Oh that is great news. Surf around a good while, post back later, let me know.

 

OK back to the drawing board.

Uninstall the below: (Using Revo Uninstaller)

• Google Chrome
• Google Earth Plug-in
• Google Update Helper

Once done, DO NOT reinstall it.... do this:

SystemLook

Please download SystemLook from one of the links below appropriate for your operating system and save it to your Desktop.
Download 32 Bit
Download 64 Bit

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  
  Code:

  :filefind
  Google
  Chrome
  :regfind
  Google
  Chrome

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

 

• Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
• Paste the following code under the area. Do not include the word Code.

Code:

:reg
[-HKEY_CURRENT_USER\Software\Google]
[-HKEY_CURRENT_USER\Software\Google\GoogleEarthPlugin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GoogleUpdate.exe]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0b4d26f6-61a8-4463-99dd-5f2fe0400fa6}]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0b4d26f6-61a8-4463-99dd-5f2fe0400fa6}]

:Files
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\system32\tasks\GoogleUpdateTaskMachineCore
C:\Windows\system32\tasks\GoogleUpdateTaskMachineUA

:Commands
[emptytemp]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
• Push the large button.
• OTM may ask to reboot the machine. Please do so if asked.
• Copy everything in the Results window (under the green bar), and paste it into a text file to ATTACH into your next reply.

NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.




What are these?

C:\Windows\system32\tasks\klcp_update
C:\Windows\system32\tasks\Kurteg.bak
C:\Windows\system32\tasks\Nirlauxk.bak



Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista, Windows7 or Win8) Then attach the new C:\MGlogs.zip file that will be created by running this.

 

Delete them. Let me know if you have any issues.

C:\Windows\system32\tasks\Kurteg.bak
C:\Windows\system32\tasks\Nirlauxk.bak

lease disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

• O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
• O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

After clicking Fix exit HJT.

At this point, I want you to reinstall Google Chrome, but DO NOT let all your add on's go in. I want you to run Chrome bare so to speak, with no add ons at all, and see how it runs.

 

How is it behaving?

 

And you are running Google Chrome without any addons whatsoever installed??

 

Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.

Note: Make sure you download the correct version for your PC. Only the correct version will work.

• Double-click to run it. When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your next reply.
• The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

 

No worries, yes make sure all add ons and any kind of extensions have all been uninstalled.

 

Well now you may have to start by uninstalling all of Chrome again. The point here is to start from scratch with barebones Chrome. Looks to me like there are lots of unexpected items on that snapshot of the Chrome window which should not be there.

 

I am going to let Chaslang continue with you. I'm so sorry I couldn't be of more assistance to you.

 

Okay I'm going to assume that Chrome is still uninstalled. If it is not then please uninstall it. Your problem may not be malware but rather how you use your PC and what software you are running. You may be using some kind of sync program which is just reinstalling the issues from somewhere else. To that end, also please uninstall GoodSync now before continuing.

Download the attached fixlist.txt file found at the bottom of this message and save fixlist.txt on your Desktop. Make sure you save it as a txt file.

• You should now have both fixlist.txt and FRST64.exe on your Desktop.
• Now I want you to disconnect your PC connection to the internet by unplugging the cable ( if it is wireless then temporarily shutdown the wireless network ).
• Run FRST64.exe by right clicking on it and selecting Run As Adminstrator
• Click the Fix button just once and wait.
• Your computer should reboot after the fix runs.
• Reconnect your internet connection after reboot so you can come back here to continue.
• The tool will make a log on the Desktop (Fixlog.txt) please attach this new log to your next reply (attach or paste)

Now please Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

• Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
  (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of the code box
• Make sure that you scroll all the way to the bottom of the code box to get the whole fix!

Code:

:Processes
explorer.exe


:Files
C:\Program Files\Google\Drive\googledrivesync.exe
C:\Program Files\Google\Chrome
C:\Program Files\Google
C:\Windows\system32\tasks\{057E0D47-0405-7D0A-0411-0B0B080C1179}
C:\Windows\system32\tasks\{1D82369B-637B-45D3-A3AB-39EEDC80E462}
C:\Windows\system32\tasks\{1E161662-F75D-4AFD-BCD7-3F6338D0FC4A}
C:\Windows\system32\tasks\{2FE7C3FC-D243-419E-9B61-A9ECD23ABDBC}
C:\Windows\system32\tasks\{75114F12-3016-4418-8550-9E07A86DB710}
C:\Windows\system32\tasks\{D1C2B7A7-3A8E-45A3-A68F-A7F9B29C8BBA}
C:\task.vbs.193355.gzquar

:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\75665c90161cfda5]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\11598763487076930564]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011441179}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\AutorunsDisabled\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{0DAFD77F-8447-4C20-8428-0806BEA4DBEF}Machine\Software\Policies\Google\Chrome]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{8E2A4E15-C31F-482D-947C-87B401158EAF}Machine\Software\Policies\Google\Chrome]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Shockwave 12\3rdptycode\DeclineCount\Chrome]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\GoogleUpdate.exe]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"=-
"DoNotAskAgain"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"=-
"DoNotAskAgain"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]

• Return to OTM, right click in the Paste List of Files/Folders to Move window under the yellow bar and choose Paste.
• Now click the large button.
• If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
• Close OTM.

Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
this log file to your next message.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

• Fixlog.txt
• the OTM log
• C:\MGlogs.zip

Please attach the above two log first before you continue with the below.

Also at this point, I want to double check the status of the FRST fix by having you run another scan with FRST and then attach the new FRST.txt log.

 

Looks like someone did at some time. Perhaps about 3 yrs ago per a couple items I see in the logs.

Can you delete the below folders?
C:\Users\russ\AppData\Roaming\GoodSync
C:\ProgramData\GoodSync


Are you having any problems right now with Firefox or Internet Explorer?

 

Were you able to find and delete those two folders I mentioned?

 

Okay then let's try a reinstall of Chrome now but you must make sure that you are not allowing any addons to be installed and it must not be resyncing to any data save elsewhere ( like with GoogleSync or other synchronizing software ) otherewise if some problem software is saved in the cloud, you would just be putting it back. Since IE and Firefox work fine, you problem is not due to malware. It is purely due to Chrome. If the problem comes back, I suggest using a better, safer, and easier to fix browser like IE.

 

OK. I'm still waiting on your response.