IE seems ok, Chrome still infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by nazgurl, Aug 7, 2015.

  1. nazgurl

    nazgurl Private E-2

    I am running Windows 7 (x64) and have gotten bit by the Yahoo/adware malware.
    I have done all the steps in "General Housekeeping" and "DNS hijack", the JRT (log attached) and Kaspersky TDSSKiller (also attached). It's also screwed up Word Starter and keeps shutting it down.

    Chrome reverts to the Yahoo homepage every time I've opened it to check if a fix has worked.

    IE seems clean (it doesn't automatically revert to Yahoo) but I do get a yellow box at the bottom saying "Control Name is Not Available" "from Not Available" and it asks me to allow or allow always. I have just clicked the X and killed the window.

    At the beginning I deleted the other user accounts so there is now only my mom's and guest options. Her User Account "CAM" shows 14 things that say ntuser.dat and then on into more and more complicated names.

    I am at Step 6 in the READ ME and ready to start installing but not configuring some tools/software. It's too late for me to get into anything tonight so I've stopped and am going to shut down.

    I don't think I have full virus protection on this, but she's running IObit's Malware and Uninstall, Smart Defrag 4, Malwarebytes, Advanced System Care 8 and McAfee Security Scan Plus. IObit's Uninstall took out "bestadblocker", "Bitlyunleash..." and "Cuttheprice".

    In the course of trying to fix this I have also downloaded the JRT, TDSSKiller and CCleaner. Piriform CCleaner showed no issues.

    Please help as this is my elderly mom's computer and it keeps her connected to the world. Thanks in advance!

    (ps) is it okay if she uses the yahoo redirect for internet access or should we not use the machine at all?
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Please attach the logs we request and please attach them in the format specified in the cleaning procedures. Please do not convert the logs to word documents.

    You need to attach logs from the below:
    • Hitman Pro
    • RogueKiller
    • Malwarebytes
    • MGtools
     
  3. nazgurl

    nazgurl Private E-2

    Chaslang- first, thank you.

    I've attached the logs from Hitman Pro, RogueKiller, Malwarebytes and MGtools. There are 5 logs from Malwarebytes because my mom tried to fix it on her own, so there are 2 from Aug 5, two from Aug 6 and today's log. I have only attached today's scan log; I will post the others just after this.

    Before I found these instructions/support thread I uninstalled Chrome because that was the browser which seemed most affected.

    At this point she's running IE only and each webpage has a yellow pop-up bar at the bottom that says "This webpage wants to run the following add-on 'Control name is not available' from 'Not Available'" with the options to allow, allow for all websites, or the X to close the window. I've asked her to just close that message every time it comes up; we haven't allowed it.

    Also, the lag time between getting the Windows Explorer desktop and its usability is about 3-5 minutes; the hourglass just keeps going.

    Thanks again.
     

    Attached Files:

  4. nazgurl

    nazgurl Private E-2

    Previous MB logs, 8/5 and 8/6.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run Hitman Pro again and activate the 30 day trial. Use it to remove all the Potential Unwanted Programs it reports. Then immediately reboot.

    After reboot, run a new scan with Hitman Pro and attach the new log.


    Uninstall the below outdated Java versions:
    Java 7 Update 67
    Java(TM) 6 Update 22
    Java(TM) 6 Update 25

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code:, which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
     
    :Files
    c:\programdata\{d1889d12-f669-e698-d188-89d12f66744b}\gapps-kk-20131209.zip.exe
    c:\programdata\{d1889d12-f669-e698-d188-89d12f66744b}
    C:\windows\tasks\VideoKeep.job
    C:\windows\system32\tasks\SpyHunter4Startup
    C:\windows\system32\tasks\VideoKeep
    C:\Users\Cam\AppData\Local\Temp\*.*
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button (http://forums.majorgeeks.com/chaslang/images/MoveIt!.png).
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.TXT log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  6. nazgurl

    nazgurl Private E-2

    I've done as requested and the system has sped up significantly. The four logs you requested are attached.

    Each new webpage I open has the warning in a yellow box at the bottom "This webpage wants to run the following add-on 'Control name is not available' from 'Not Available'" but otherwise the system seems okay. We keep using the X to close the window and haven't hit the 'allow' or 'allow always' tab.

    I deleted Chrome when all this began but would like to use that as our default browser (using IE now). I understand we will be on IE for the next week or so to be sure all the bugs get worked out.

    So other than the yellow warning box, things seem normal again. Using the IE tools I found that "Not Available" is enabled and it is:
    Name Blog This in Windows Live Writer
    Publisher Not Available
    Status Enabled
    Architecture 32-bit


    Thank you.
     

    Attached Files:

    Last edited: Aug 11, 2015
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    This could just be due to some add-on in Internet Explorer. You could try disabling all addons to see. Also run the scan down at the end and we will take an additional look.

    You can discuss non-malware topics in the Software Forum. ;)


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double-click on the OTL icon on your desktop to run it. (Note: if using Vista, Win7 or Win8 use right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field (http://img14.imageshack.us/img14/66/otlcustomfix.png).
      Code:
      activex
      netsvcs
      drives
      
    • Now click the Run Scan button (http://img171.imageshack.us/img171/2405/runscanotl.png).
    • One report will be created:
      • OTL.txt <-- Will be opened
    • Attach OTL.txt to your next message. (How to attach)
     
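The OTM script in post 5 deletes two scheduled tasks, a ProgramData folder and the user's Temp directory, and post 7 suggests the remaining yellow bar is an Internet Explorer add-on whose publisher cannot be resolved. The following PowerShell is an added verification example, not part of this thread and not OTM, JRT or OTL output: it checks whether the removal targets named in the OTM script still exist, queries Task Scheduler for tasks matching those names, and enumerates IE Browser Helper Objects (the CLSIDs IE loads at startup) down to the DLL on disk and its Authenticode signer, which is what the Manage Add-ons dialog reports as "Publisher". The file paths and the profile name Cam are taken from the thread; the registry locations are the standard ones on Windows 7 x64. Run it from an elevated PowerShell prompt.

```powershell
# Added post-cleanup check (example code, not from the thread or from OTM/JRT/OTL).
# 1. Are the artifacts the OTM script targeted really gone?
# 2. Are the matching scheduled tasks gone from the Task Scheduler store?
# 3. Which Browser Helper Objects does IE load, and who signed their DLLs?

# Paths copied from the OTM script in post 5; "Cam" is the profile named there.
$Artifacts = @(
    'C:\ProgramData\{d1889d12-f669-e698-d188-89d12f66744b}',
    'C:\Windows\Tasks\VideoKeep.job',
    'C:\Windows\System32\Tasks\SpyHunter4Startup',
    'C:\Windows\System32\Tasks\VideoKeep'
)

Write-Host "== Leftover files/folders from the removal list =="
foreach ($p in $Artifacts) {
    if (Test-Path -LiteralPath $p) { Write-Host "STILL PRESENT: $p" }
    else                            { Write-Host "gone:          $p" }
}

# A .job file on disk is not the whole picture: tasks live in the Task Scheduler
# store. schtasks.exe ships with Windows 7, so query it and filter by name.
Write-Host "`n== Scheduled tasks matching the removed names =="
schtasks.exe /Query /FO CSV /V 2>$null |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -match 'VideoKeep|SpyHunter' } |
    Select-Object TaskName, 'Task To Run', Status |
    Format-Table -AutoSize

# IE loads every CLSID under these keys at startup. On x64 Windows the 32-bit
# IE (the "Architecture 32-bit" add-on in post 6) reads the Wow6432Node view.
$BhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$ClsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

Write-Host "`n== Internet Explorer Browser Helper Objects =="
foreach ($key in $BhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($bho in Get-ChildItem $key) {
        $clsid = $bho.PSChildName
        $dll = $null; $name = $null
        # Resolve the CLSID to its COM server DLL (InprocServer32 default value).
        foreach ($root in $ClsidRoots) {
            $inproc = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $inproc) {
                $dll  = (Get-ItemProperty $inproc).'(default)'
                $name = (Get-ItemProperty (Join-Path $root $clsid)).'(default)'
                break
            }
        }
        # Expand %SystemRoot%-style variables so the file checks below work.
        if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }

        # "Publisher" in Manage Add-ons comes from the DLL's Authenticode signature;
        # an unsigned DLL, or one whose path no longer exists, shows as Not Available.
        $publisher = 'Not Available'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            if ($sig.Status -eq 'Valid') { $publisher = $sig.SignerCertificate.Subject }
            else                         { $publisher = "unsigned/invalid ($($sig.Status))" }
        } elseif ($dll) {
            $publisher = 'DLL MISSING ON DISK'
        }
        [pscustomobject]@{ CLSID = $clsid; Name = $name; DLL = $dll; Publisher = $publisher }
    }
}
```

A BHO whose DLL is missing on disk is a stale registration and will keep producing the "Control name is not available" prompt until the CLSID entry is removed; one whose DLL is present but unsigned is the one to look at more closely, or to submit to the helper along with the OTL log.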
  8. nazgurl

    nazgurl Private E-2

    I got two reports, OTL.txt and Extras.txt. I've attached them both to this post.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

