
Virus attack! Can't access Google chrome, pop up ads, etc. [So


  • This topic is locked

#16
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Nearly there m'dear, how is the computer behaving at the moment ?

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

  • Select All Users
  • Select LOP and Purity
  • Under the Custom Scan box paste this in

    netsvcs
    BASESERVICES
    %SYSTEMDRIVE%\*.exe
    c:\program files (x86)\Google\Desktop
    c:\program files\Google\Desktop
    dir "%systemdrive%\*" /S /A:L /C
    /md5start
    rpcss.dll
    /md5stop
    CREATERESTOREPOINT

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Attach both logs

  • 0



#17
bjgran123

    Member

  • Topic Starter
  • 36 posts
Hi, Essexboy from Sunny, warm, Texas:
Thanks SO very much....yes, I hope this is almost over and I owe you my firstborn...LOL.
Hope I did this right.
Beverly G.

Attached Files


  • 0

#18
bjgran123

    Member

  • Topic Starter
  • 36 posts
Oh, sorry...forgot to answer your question in last post.
Still getting pop up and redirect stuff on the computer and don't have Chrome (still opens "search" tabs), but much faster.
Also, getting pop up window that says "Windows is updating and will restart your computer in [minutes]." Don't know what that's all about, but scares me.
Thanks again...
Beverly
  • 0

#19
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Good afternoon from a wet, windy and miserable Cornwall :)

The automated tools have now done their job so it is time to clear the rest manually

Also, getting pop up window that says "Windows is updating and will restart your computer in [minutes]." Don't know what that's all about, but scares me.

This may be the legitimate windows update, we will check that later

1. Did you install Barnes & Noble eBooks ?

2. What antivirus programme are you using ?

3. You will need to reset Chrome manually due to the way it is structured... However there is a nice step by step guide here https://support.goog...296214?hl=en-GB

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[CREATERESTOREPOINT]

:OTL
IE - HKU\S-1-5-21-242505160-1997802447-1459611069-1000\..\SearchScopes\{6EC80DCE-924F-4D21-A6DB-99533CC89F4E}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3315827&CUI=UN14389472257264129&UM=2
IE - HKU\S-1-5-21-242505160-1997802447-1459611069-1000\..\SearchScopes\{AF75D30E-A7A7-402C-8ED6-68D7F6F65EC9}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=100000031&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=TV&apn_dtid=OSJ000YYUS&apn_uid=15E01AFB-2266-4228-BDFC-D1F91918C538&apn_sauid=5120A5AF-01C2-4499-B39E-C2BB7E62D3C2
[2013/04/11 17:14:13 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\Beverly\AppData\Roaming\Mozilla\Firefox\Profiles\8ungfprm.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2013/09/26 10:01:04 | 000,000,000 | ---D | M] ("QuickShare Widget") -- C:\Users\Beverly\AppData\Roaming\Mozilla\Firefox\Profiles\8ungfprm.default\extensions\{c9757d0b-0a67-7541-24ed-357408894e07}
[2013/04/11 17:14:12 | 000,000,000 | ---D | M] ("I Want This") -- C:\Users\Beverly\AppData\Roaming\Mozilla\Firefox\Profiles\8ungfprm.default\extensions\[email protected]
[2014/02/26 16:40:44 | 000,000,000 | ---D | M] (SavingsBull) -- C:\Users\Beverly\AppData\Roaming\Mozilla\Firefox\Profiles\8ungfprm.default\extensions\[email protected]
[2010/05/21 09:14:51 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2013/04/11 17:13:42 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2013/09/26 09:55:13 | 000,000,000 | ---D | M] (WordOv) -- C:\Program Files (x86)\Mozilla Firefox\extensions\[email protected]
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-242505160-1997802447-1459611069-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKU\S-1-5-21-242505160-1997802447-1459611069-1000\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-242505160-1997802447-1459611069-1000\..\Toolbar\WebBrowser: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
[2014/03/01 10:38:38 | 000,000,000 | ---D | C] -- C:\30816ea773987a37db
[2014/02/26 16:40:31 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\SavingsBull
[2014/02/24 13:53:45 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Uninstaller
[2014/02/24 13:34:33 | 000,000,000 | ---D | C] -- C:\Users\Beverly\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Weather Alerts
[2014/02/28 19:58:58 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\DriverUpdate Startup.job
[2014/02/28 19:54:42 | 000,000,498 | ---- | M] () -- C:\Windows\tasks\ParetoLogic Update Version3 Startup Task.job
[2014/02/28 18:17:44 | 000,000,468 | ---- | M] () -- C:\Windows\tasks\SparkTrust Registration3.job
[2014/02/26 19:09:02 | 000,001,364 | ---- | M] () -- C:\Users\Beverly\Desktop\SparkTrust PC Cleaner Plus.lnk
[2014/02/26 16:55:06 | 000,000,571 | ---- | M] () -- C:\Users\Beverly\AppData\Roaming\aps.scan.quick.results
[2014/02/26 16:52:03 | 000,000,391 | ---- | M] () -- C:\Users\Beverly\Desktop\FREE Games.url
[2013/01/17 14:27:02 | 000,000,498 | ---- | C] () -- C:\Windows\Tasks\ParetoLogic Update Version3 Startup Task.job
[2013/11/13 09:55:17 | 000,000,422 | ---- | C] () -- C:\Windows\Tasks\DriverUpdate Startup.job
[2014/02/26 19:09:23 | 000,000,468 | ---- | C] () -- C:\Windows\Tasks\SparkTrust Registration3.job

:Files
C:\Users\Beverly\AppData\Local\Google\Chrome\User Data\Default\Extensions\ngaeinfoeljecnggcbonnohnjpepenmb
ipconfig /flushdns /c
ipconfig /release /c
ipconfig /renew /c
netsh winsock reset /c
netsh advfirewall reset /c

:Commands
[resethosts]
[emptytemp]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

  • 0
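Added example, not part of Essexboy's post or of OTL itself: a small Python parser for a fix script laid out like the one in post #19, listing the paths it touches and the account SID and profile folder it names, which is why such a script is only valid for the machine it was written for. The sample script is constructed with placeholder names, and treating a trailing /c in :Files as a command line is an assumption drawn from the ipconfig and netsh lines above.

```python
import re

# Constructed sample in the layout of the fix script above; every name is a placeholder.
SAMPLE_FIX = r"""
:OTL
IE - HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\..\SearchScopes\{00000000-0000-0000-0000-000000000000}: "URL" = http://search.example/?q={searchTerms}
[2014/01/02 10:00:00 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\ExampleToolbar
[2014/01/03 11:30:00 | 000,000,422 | ---- | M] () -- C:\Windows\tasks\Example Startup.job
[2014/01/03 11:31:00 | 000,001,364 | ---- | M] ("Example Ext") -- C:\Users\Alice\Desktop\Example.lnk
:Files
C:\Users\Alice\AppData\Local\Example\Extensions\placeholderid
ipconfig /flushdns /c
"""

SECTION = re.compile(r"^:(\w+)$")
ENTRY = re.compile(
    r"^\[(?P<stamp>[\d/]+ [\d:]+) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| "
    r"(?P<kind>[CM])\](?: \((?P<label>.*?)\))? -- (?P<path>.+)$")
SID = re.compile(r"HKU\\(S-1-5-21-[\d-]+)")
PROFILE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\")


def parse_fix(text):
    """Return (entries, commands, sids, profiles) for an OTL-style fix script."""
    entries, commands, sids, profiles = [], [], set(), set()
    section = None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := SECTION.match(line):
            section = m.group(1)
            continue
        path = None
        if m := ENTRY.match(line):
            path = m["path"]
            entries.append({"section": section, "path": path, "kind": m["kind"],
                            "is_dir": "D" in m["attrs"],
                            "label": (m["label"] or "").strip('"'),
                            "size": int(m["size"].replace(",", ""))})
        elif section == "Files" and line.endswith(" /c"):
            commands.append(line[:-3])  # assumption: trailing /c marks a command to run
        elif section == "Files":
            path = line
            entries.append({"section": section, "path": path})
        if m := SID.search(line):
            sids.add(m.group(1))  # registry lines under HKU name one account's SID
        if path and (m := PROFILE.match(path)):
            profiles.add(m.group(1))  # paths under a Users folder name one profile
    return entries, commands, sids, profiles


if __name__ == "__main__":
    entries, commands, sids, profiles = parse_fix(SAMPLE_FIX)
    print(len(entries), "paths;", commands, "tied to", sorted(sids), sorted(profiles))
```

Comparing the returned SIDs and profile names with the local account before running a fix shows at a glance whether the script was written for this machine.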

#20
bjgran123

    Member

  • Topic Starter
  • 36 posts
Hi again:
We'll be old friends after this...LOL.
Yes, I did download a B & N ereader ...about when all this started. Bad mistake. Didn't download my book, so went to Amazon instead which worked fine.
Have Symantec and Malwarebytes anti malware, which I'm not diligent about running. What do you recommend and I'll try to be a good girl from now on.
So, attaching the log.
When shall I try the Chrome fix?
Thanks again.
Beverly

Attached Files


  • 0

#21
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That looks much better now :)

Reset Chrome now please and let me know how the computer is behaving once done

The intriguing thing is that I cannot see Symantec running on your computer in fact there is no evidence of an Antivirus at all !

I can initially give you an antivirus to install, if you do not like it we can change it :)

Download Avast Free to your desktop

Run the set up file and select custom install
This page will then be presented


Deselect the ticks from :

Browser Protection
Grime Fighter
Secure Line


Then press continue, and allow it to fully install

Once it has fully installed we will then set it up to a more secure mode for you

Next to the clock will be an orange blob (this is Avast)
Click this and Avast will open

Click the following :

Settings
Active Protection
The little cog next to File System Shield
Then click Sensitivity
Place a tick in the PUP box
Click OK and that page will close
Repeat the process for the Webshield cog to set it there



This will now provide a fairly high degree of protection against the toolbar type rubbish that you had

The next one will be to catch those that are not yet known

Open Avast as before

Click Settings
Click Antivirus
Place a tick in the Hardened mode box and select Aggressive



Then when it encounters a programme that it either does not know or is not sure about you will be given the option to either block it or allow it, by the use of a popup
If you are happy with the programme then click Add An Exclusion


There is a short video here on how to set it up
  • 0

#22
bjgran123

    Member

  • Topic Starter
  • 36 posts
Hi,Essexboy:
Well, you've restored my faith in humanity...if not computers!! LOL. Computer is working like an almost new one!
Not sure I installed Avast correctly, but seems to be working. Not all the boxes came up....
Have lots of icons on my desktop, but think I know how to get most of them off.
Oh, is it okay if I run Malwarebytes too as a protective scan?
So, I want to pay you...and think there is a way at the bottom of this thread. Shall I do it that way? Sorry, new to this.
Thank you from the bottom of my heart.
I will be in touch.
Beverly G
  • 0

#23
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Beverly not quite finished yet as we need to tidy up :) Never leave a messy workplace is my motto

Yes run MBAM that will probably get some orphaned registry keys that I missed

When you have run that if you could post the log, and if we are both happy then we will clear my rubbish

Yes your Avast will be slightly different as I am using the internet security version
  • 0

#24
bjgran123

    Member

  • Topic Starter
  • 36 posts
Ok, Essexboy:
Here is the malware log file.
Whew!!! Gonna need a long massage after these past two days. LOL.
Let me know what next!!!
Appreciate you,
Beverly G.

Attached Files


  • 0

#25
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Excellent :) orphan registry entries and the stuff we have already quarantined

Run MBAM again and delete all it finds

Then..................................................................... Ta Da and drum roll


Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransomware


Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:
  • 0



#26
bjgran123

    Member

  • Topic Starter
  • 36 posts
Hi, Essexboy:
Thank you, thank you, thank you....I will pay you through paypal. I know you guys are volunteers, but I thank you for your time and efforts.
I will do as recommended....do you recommend a firewall??? Not sure I have one. How do I know?
Also, have many new icons on desktop. How do I minimize the number of them?
Will get back to you in 24 hours and let you know how it's doing.
Thanks from Texas to Cornwall (it's cold here this morning too)
Beverly G.
  • 0

#27
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi Beverly from a wet and windy Cornwall (no change there :rofl: )

If Delfix has not deleted the desktop items then just go ahead and do it manually (they are probably the fix text files ). One thing I forgot to do :blush: was reset the hidden files, to fix that download this small batch file to your desktop

Double click the file, if prompted allow to run
When it has completed (about 1 second) you can delete it from the desktop

With regards to the Firewall .. As you have windows 7 then the built in one has good inbound protection, Avast webshield is a good outbound protector. So that has you covered both ways and, for general use, you are nicely covered and you do not really need a third party one :)

If you have any further problems with either the computer or Avast then just come back and ask either here or the Avast forum where I also help out

Thank you for the donation it is greatly appreciated :cheers:

Hope you enjoyed the massage :)
  • 0

#28
bjgran123

    Member

  • Topic Starter
  • 36 posts
Hi Essexboy! This is Tiffany - Bev's daughter again - she called me and needed me to respond to you here. So downloaded that batch file and double clicked it and clicked run and she now has a blank blue screen that only has two things: The THINK logo and the Avast icon. Everything else is gone! Where did it go? She can't right click or anything. There's no start button or anything. She manually restarted the computer and it still looks like this.
  • 0

#29
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you restart in safe mode please and let me know how it is there
  • 0

#30
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Just double checked the batch file and it should not have done that

EDIT : I will stay on this page
  • 0





