
Chrome hijacked -- Avast blocking constant harmful webpages/files [Clo


  • This topic is locked

#31
Twins_1997

Twins_1997

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts

I just rebooted and tried to have virustotal.com run on the hiberfil.sys file, but this time it said that the file wasn't found.  When I rebooted, the "Logging off" process seemed to take longer than normal (to the point where I grew a bit concerned), so perhaps it had grown huge and was being deleted in the reboot?

 

And yes, she does use the hibernate feature, so I'd like to turn that back on before I leave town if possible. 


  • 0



#32
LiquidTension

LiquidTension

    Expert

  • Expert
  • 1,151 posts

Hi Julie, 
 
The command I had you run disabled hibernation (hence why Hiberfil.sys could not be found). Do the following to re-enable the hibernation. This will re-create the Hiberfil.sys file. 

 

  • Click the Windows Start button, type CMD in the search bar, right-click CMD.exe and click Run as administrator
  • Type powercfg.exe -h on and press the Enter key.
  • Reboot your computer.

 

When you get back, I'd like you to rerun the avast! bootscan, and tell me if avast! is still detecting Hiberfil.sys as infected. 

From here, we will proceed by confirming the machine appears free from malware, and work on troubleshooting why items are missing from your Programmes list. 


  • 0

#33
Twins_1997

Twins_1997

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts

Hi, Adam --

 

I'm heading out now, and since the Avast boot scan takes over two hours and might ask questions she doesn't want to deal with (and she may need her computer), I'll hold off on running it until I know that it won't inconvenience her. 

 

I have turned hibernation back on per your instructions above so that things aren't different for her; however, out of curiosity, I took a look at hiberfil.sys to see if it had been recreated, and I would guess from the size (over 2gb!) that it didn't actually get deleted and recreated, that it just was deactivated somehow.  When I rebooted, I used the "Restart" option rather than shutting all of the way down.  Might that cause different behavior vis-a-vis the hiberfil.sys file? 

 

Also, just for our mutual reference, I also reset the three Folder Options items back to where they were (hidden files not shown, extensions/system files hidden).

 

I hope to be able to get back tomorrow, but am unsure of what her schedule is and she's left to run a couple of errands so I'm unable to ask her.


  • 0

#34
LiquidTension

LiquidTension

    Expert

  • Expert
  • 1,151 posts

Hi Julie, 
 
It is not uncommon to see hiberfil.sys occupy 10GB, let alone 2GB. 
 

When I rebooted, I used the "Restart" option rather than shutting all of the way down.  Might that cause different behavior vis-a-vis the hiberfil.sys file?

I very much doubt it. We'll see what the avast scan shows when you return, and go from there. 
 

Also, just for our mutual reference, I also reset the three Folder Options items back to where they were (hidden files not shown, extensions/system files hidden).

No problem.


  • 0

#35
Twins_1997

Twins_1997

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts

Hi, Adam --

 

I ran the Avast! boot scan today.  I waited until it was well underway, then left (as did my friend).  When she returned, it had rebooted to her desktop, and there were no messages (the last time, when it hit a questionable file, it prompted for the action).  I wasn't able to go over there to confirm that the log was clean, but I would think that if it hadn't been, it would have alerted us.

 

I don't believe I'll be able to get back over there until mid-week next week, but am happy in the interim that the Chrome issue seems resolved. 


  • 0

#36
LiquidTension

LiquidTension

    Expert

  • Expert
  • 1,151 posts

OK, no problem Julie. 

 

Let me know if avast! reports anything, and we'll go from there. 


  • 0

#37
Twins_1997

Twins_1997

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts

Here's the report from the last boot scan:

 

09/17/2014 09:58
Scan of all local drives

File C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\Chromatic Browser\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\AdwCleaner\Quarantine\C\Users\Administrator\AppData\Local\torch\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\Chromatic Browser\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\AdwCleaner\Quarantine\C\Users\Guest\AppData\Local\torch\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\AdwCleaner\Quarantine\C\Users\Jared\AppData\Local\Chromatic Browser\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\AdwCleaner\Quarantine\C\Users\Jared\AppData\Local\Google\Chrome\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\AdwCleaner\Quarantine\C\Users\Jared\AppData\Local\torch\User Data\Default\Extensions\bnikeiojbjdofcodaalokeckinpmghhl\2.0\xANb4ym.js.vir is infected by JS:SaveByClick-B [Adw], Moved to chest
File C:\hiberfil.sys is infected by Win32:Kryptik-MTS [Trj], Move to chest: Error 0xC000007F {An operation failed because the disk was full.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Move to chest: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 
{A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}, 
Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}
File C:\Program Files\Online Services\MSN90\msnsusii.exe|>ccclient.exe|>cc.exe is infected by Win32:Dropper-gen [Drp], Moved to chest
File C:\Program Files\Online Services\MSN90\pkgs\en\us\ms\msnsusii.exe|>ccclient.exe|>cc.exe is infected by Win32:Dropper-gen [Drp], Moved to chest
Number of searched folders: 27414
Number of tested files: 1124716
Number of infected files: 12

----------------------------------------
09/18/2014 10:00
Scan of all local drives

Number of searched folders: 27448
Number of tested files: 1125803
Number of infected files: 0


  • 0

#38
LiquidTension

LiquidTension

    Expert

  • Expert
  • 1,151 posts
Hi Julie,

That looks like the scan log for the first boot time scan.

What about the second scan after disabling and re-enabling hibernation?
  • 0

#39
Twins_1997

Twins_1997

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts

Huh.  You're right.  But I believe that was the only likely-looking file in the ProgramData\Avast\Reports folder.  I'll double-check, but unfortunately she's left for the day so I'm not sure when I'm going to be able to do so.  :P


  • 0

#40
LiquidTension

LiquidTension

    Expert

  • Expert
  • 1,151 posts

Hi Julie, 

 

No problem. Have a look when you get the chance, and let me know. 


  • 0



#41
Twins_1997

Twins_1997

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts

Okay, I see what happened -- it appended the 9/18 scan onto the 9/17 file, so the 9/18 scan was there, it was just a bit buried at the end.  Here's the text just from 9/18:

 

----------------------------------------
09/18/2014 10:00
Scan of all local drives

Number of searched folders: 27448
Number of tested files: 1125803
Number of infected files: 0


  • 0
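
Post #41's finding, that avast! appends each boot-time scan to the same report file so the newest result sits at the end, can be checked by splitting the report into sessions and reading only the latest one. This is an added example, not part of the thread or of avast!'s own tooling; the MM/DD/YYYY date order and the shortened sample report are assumptions based on the log quoted above.

```python
import re
from datetime import datetime

# Constructed sample in the report layout quoted in this thread (shortened).
SAMPLE = r"""09/17/2014 09:58
Scan of all local drives

File C:\hiberfil.sys is infected by Win32:Kryptik-MTS [Trj], Move to chest: Error 0xC000007F {An operation failed because the disk was full.}, Delete: Error 0xC0000043 {A file cannot be opened because the share access flags are incompatible.}
File C:\Program Files\Online Services\MSN90\msnsusii.exe|>ccclient.exe|>cc.exe is infected by Win32:Dropper-gen [Drp], Moved to chest
Number of searched folders: 27414
Number of tested files: 1124716
Number of infected files: 2

----------------------------------------
09/18/2014 10:00
Scan of all local drives

Number of searched folders: 27448
Number of tested files: 1125803
Number of infected files: 0
"""

STAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s*$")
HIT = re.compile(r"^File (.+?) is infected by (.+?), (.*)$")
COUNT = re.compile(r"^Number of infected files: (\d+)")

def parse_sessions(text):
    """Split an appended report into one dict per scan, in file order."""
    sessions = []
    for line in text.splitlines():
        if m := STAMP.match(line):
            # A timestamp line opens a new scan session (assumed MM/DD/YYYY).
            sessions.append({"when": datetime.strptime(m[1], "%m/%d/%Y %H:%M"),
                             "hits": [], "infected": None})
        elif not sessions:
            continue  # ignore anything before the first timestamp
        elif m := HIT.match(line):
            path, name, action = m.groups()
            # "Error 0x..." in the action means the file was not moved or deleted.
            sessions[-1]["hits"].append(
                {"path": path, "name": name, "unresolved": "Error 0x" in action})
        elif m := COUNT.match(line):
            sessions[-1]["infected"] = int(m[1])
    return sessions

def latest_scan(text):
    """Return the most recent session by timestamp, not by position in the file."""
    return max(parse_sessions(text), key=lambda s: s["when"])
```

Run against the real report file, `latest_scan` returns the 09/18 session with zero infected files, while the `unresolved` flag on the 09/17 hiberfil.sys entry shows that the earlier detection was never actually quarantined by the scanner.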

#42
LiquidTension

LiquidTension

    Expert

  • Expert
  • 1,151 posts

Oh yes, I see. Good spot. 

 

As it's been a while, please provide an updated list on the current issues the machine is experiencing. 


  • 0

#43
Twins_1997

Twins_1997

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts

At this point, the only issue is that when  you go to Add/Remove programs in Control Panel (or ccleaner), the list is incomplete.  Malwarebytes isn't there, nor is Avast, nor ccleaner itself.  Probably a few others as well.  


  • 0

#44
LiquidTension

LiquidTension

    Expert

  • Expert
  • 1,151 posts

Hello Julie, 
 
Please run the following, and let me know how you get on. 
 
Windows Repair (All-in-One)

  • Please download Windows Repair and save the file to your Desktop.
  • Right-Click Windows Repair and select Run as administrator to run the programme.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Follow the prompts by clicking Next, and finally, Finish.
  • Go to Step 2. Under See If Disc Check Is Needed, click Check.
  • If you receive the following message: Errors Found On The Drive! Check Disk Is Needed!, click Do It in the Check Disk (If Needed) box.
  • Upon completion, go to Step 3. Click Do It under System File Check.
  • Go to Step 4 and click Create under System Restore, followed by Backup under Registry Backup.
  • Go to Start Repairs and click Start.
  • Click Select All, followed by Start.
  • Note: Do NOT use your computer whilst the programme is running. 
  • Upon completion, re-enable your Anti-Virus and reboot your computer. 
  • Using Windows Explorer, navigate to the following folder:
    • 64-bit Systems: C:\Program Files (x86)\Tweaking.com\Windows Repair (All in One)\Logs 
    • 32-bit Systems: C:\Program Files\Tweaking.com\Windows Repair (All in One)\Logs
  • Open the log. Copy the contents and paste in your next reply.

  • 0

#45
Twins_1997

Twins_1997

    Member

  • Topic Starter
  • Member
  • PipPip
  • 58 posts

Thanks.  Hopefully I'll be able to do this on Wednesday morning.


  • 0





