Uninvited extensions attack, again...

Discussion in 'Malware Help (A Specialist Will Reply)' started by 2Aurs, Oct 22, 2013.

  1. 2Aurs

    2Aurs Private E-2

    Yesterday

    I was using Google Chrome yesterday, and I switched to another Chrome profile and received a notice from Chrome that Slick Savings was installed. I uninstalled it and went through READ & RUN.

    Two Months Ago
    This started two months ago, across multiple browsers.
    -Ebay shopping assistant by Spigot
    -Domain error assistant
    -Slick Savings
    -Amazon Shopping Assistant by Spigot

    I installed some video or audio conversion software at the time, and since I was in a rush I wasn't careful enough with what I downloaded and installed. I don't remember the name of that software now, but I uninstalled it.

    I ran malware removal instructions, according to advice from a different forum. I ran Junkware Removal Tool, AdwCleaner, RKill, TDSSKiller, ComboFix (which didn't run perfectly), Malwarebytes, and Spybot S&D. I have some of those old logs, if that helps. When I was done running those tools two months ago, the problems seemed to be gone. Until yesterday.

    Now
    The logs seem to indicate there is still garbage in my computer, so if that is true I would really like to have this completely cleaned, and your help is greatly appreciated. I don't have the TDSSKiller log attached, because I can't see where I saved it, but it didn't find anything anyway.

    Thanks!

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Your logs do not show that much to do. Just some minor cleanup.
    Do you know what the below startup batch file program is for?
    O4 - Startup: startnet.bat

    Uninstall the below program. If you do not find it or it will not uninstall, just keep going.
    NewTabs Uninstall

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Files
    C:\Users\nbojda\AppData\Local\Temp\*.*
    :Reg
    [-HKEY_USERS\.DEFAULT\Software\Ask.com]
    [-HKEY_USERS\.DEFAULT\Software\AskToolbar]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}]
    [-HKEY_USERS\S-1-5-18\Software\Ask.com]
    [-HKEY_USERS\S-1-5-18\Software\AskToolbar]
    [-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{DC6CB751-57A3-4664-A5B7-3C498DA1E582}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewTabs]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NewTabs]
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder (assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Let's download and use the current version of JRT. Please do not download tools to the C:\Users\nbojda\Desktop\Spyware Cleanup folder. Download them where specified which is typically directly on the Desktop and not in a folder on the Desktop.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note that JRT may reset your home page to a Google default, so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • the JRT.txt log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
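    The following is an added example, not chaslang's OTM script and not an OldTimer tool: a PowerShell script that does the same work as the :Files and :Reg sections of the OTM script above, for a machine where OTM itself cannot be downloaded. The registry key list is copied from the OTM script in this thread; the temp folder path is taken from the current user's profile rather than the hard-coded C:\Users\nbojda path, and the startup-folder listing at the end is there to locate the startnet.bat entry chaslang asked about. Without -Remove the script only reports what exists; with -Remove it deletes.

```powershell
# Added example (not the OTM script from the thread): audit and optionally remove the
# registry keys and temp files that the OTM :Reg and :Files sections target.
# Run from an elevated (Run as Administrator) PowerShell prompt.
param([switch]$Remove)

# Registry keys the OTM script deletes (each "[-KEY]" line), as PowerShell provider paths.
# Key list copied from the OTM script in this thread.
$keys = @(
    'Registry::HKEY_USERS\.DEFAULT\Software\Ask.com'
    'Registry::HKEY_USERS\.DEFAULT\Software\AskToolbar'
    'Registry::HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}'
    'Registry::HKEY_USERS\S-1-5-18\Software\Ask.com'
    'Registry::HKEY_USERS\S-1-5-18\Software\AskToolbar'
    'Registry::HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A5AA24EA-11B8-4113-95AE-9ED71DEAF12A}'
    'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\{DC6CB751-57A3-4664-A5B7-3C498DA1E582}'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NewTabs'
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\NewTabs'
)

# -LiteralPath so nothing in the key names is interpreted as a wildcard pattern.
foreach ($key in $keys) {
    if (Test-Path -LiteralPath $key) {
        Write-Output "FOUND    $key"
        if ($Remove) {
            Remove-Item -LiteralPath $key -Recurse -Force
            Write-Output "REMOVED  $key"
        }
    } else {
        Write-Output "absent   $key"
    }
}

# :Files section -- the current user's local temp folder (C:\Users\<name>\AppData\Local\Temp\*.*).
$temp  = Join-Path $env:LOCALAPPDATA 'Temp'
$items = @(Get-ChildItem -LiteralPath $temp -Force -ErrorAction SilentlyContinue)
Write-Output ("Temp folder {0}: {1} items" -f $temp, $items.Count)
if ($Remove) {
    # Files still held open by running programs are skipped instead of aborting the run.
    $items | Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
}

# Startup-folder listing, to find where the "O4 - Startup: startnet.bat" entry lives.
# Per-user and all-users Startup folders are both checked.
foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                      [Environment]::GetFolderPath('CommonStartup'))) {
    Write-Output "Startup folder: $folder"
    Get-ChildItem -LiteralPath $folder -Force -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime, Length
}
```

Save it as a .ps1 file, run it once without arguments to see which keys and files are actually present, then run it again with -Remove to delete them. It covers only the :Files and :Reg entries of the OTM script; the [purity], [EmptyTemp] and [Reboot] commands have no equivalent here, so a reboot afterwards is still a good idea before running JRT and GetLogs.bat.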
  3. 2Aurs

    2Aurs Private E-2

    Thanks for the quick reply!

    Tried uninstalling NewTabs from Control Panel, didn't work.

    Your link to OTM is blocked by Sophos, indicating that 'Mal/HTMLGen-A' was found on that site. I did download the file from the link on http://www.geekstogo.com/forum/topic/277391-otl-tutorial-how-to-use-oldtimer-listit/
    and it is version 3.2.69, and it has no yellow bar or 'Paste List of Files/Folders to Move'.

    I'll wait for your recommendation before taking any further actions.

    Thanks again.

  4. 2Aurs

    2Aurs Private E-2

    Ignore this for the moment. I obviously used OTL instead of OTM...

  5. 2Aurs

    2Aurs Private E-2

    Yeah, I just can't download OTM because Sophos stops it, and I can't turn off Sophos. But it looks like I can manually remove those registry keys, and clean the temp folder. Not sure what 'Purity' does. Ok to just do it manually?

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to disable your protection software in cases like this. It is not malware.
  7. 2Aurs

    2Aurs Private E-2

    Understood. I do not have the ability to turn off this protection software at this time (stuck between a rock and a hard place, just need to clean this computer as best I can). I understand this isn't ideal. It looks like I need to remove those keys, but first clean the temp files, then run JRT and Getlogs.bat. That would be assuming the purity command doesn't do anything special... what does it do?

    Greatly Appreciated!
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why not?

    An alternative to try is to download OTM onto a USB drive with another PC. Then boot your PC in safe boot mode. Plug in the USB and hope it is accessible. If so, run the fix.
