Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Chrome ad/malware [Solved]

Chrome Malware spyware ads

  • This topic is locked This topic is locked

#1
voltrek

voltrek

    New Member

  • Member
  • Pip
  • 6 posts

Hi All,

 

Booted up into chrome just to find out I have been infected by some nasty malware/spyware.

 

On the homepage (google.com) everything is fine and no ads are shown. When I go to any other website ads are displayed left/right/top/bottom of the pages. Sometimes a warning pops up as well, which is part of the spyware. Please see the attached screenshot.

 

From that moment I will have ~13 chrome processes running, while having only one tab open.

 

I ran a scan with OTL, if somebody could have a quick look that would be great!! Hope I can get rid of this soon :)

 

Thanks!!

 

EDIT:

 

- Ran AdwCleaner, also attached

- Then ran JRT, which found some things, logs attached too.

- Afterwards did a FRST scan, log and addition attached.

 

Ads still coming on and processes still there as well :(

 

 

Chromeads.jpg

Attached File  OTL.Txt   133.89KB   263 downloads

Attached Files


Edited by voltrek, 03 September 2014 - 07:19 PM.

  • 0

Advertisements


#2
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi there this may be a simple fix.. On completion of this run could you let me know if the problem has ceased

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR StartupUrls: Default -> "hxxp://www.google.com.au/", "hxxp://au.search.yahoo.com/?fr=spigot-yhp-gcmac&ilc=12&type=997063"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DE78763E-DA8E-4F0A-A561-7B2B816B2C93} - \WPD\SqmUpload_S-1-5-21-3379002391-4021724616-3906980229-500 No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
  • 0

#3
voltrek

voltrek

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Hi,

 

Thanks for the reply and the fixlist. I ran it today but unfortunately the ads and warnings are still there ( so are 13 chrome running processes for 1 tab). The multiple chrome processes are there as well.

 

Hope you can help me out further.

 

Thanks,

 

Here is the fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-09-2014 01
Ran by 109041 at 2014-09-08 12:07:20 Run:1
Running from C:\Users\109041\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CHR StartupUrls: Default -> "hxxp://www.google.com.au/", "hxxp://au.search.yahoo.com/?fr=spigot-yhp-gcmac&ilc=12&type=997063"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DE78763E-DA8E-4F0A-A561-7B2B816B2C93} - \WPD\SqmUpload_S-1-5-21-3379002391-4021724616-3906980229-500 No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************
 
Chrome StartupUrls deleted successfully.
"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DE78763E-DA8E-4F0A-A561-7B2B816B2C93}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DE78763E-DA8E-4F0A-A561-7B2B816B2C93}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-3379002391-4021724616-3906980229-500" => Key deleted successfully.
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
Unable to cancel {AC6EE735-AD27-4652-9F0B-27C63E54C185}.
Unable to cancel {1FEF752E-05D2-4948-8266-01380355BB41}.
Unable to cancel {6BD9C438-29CC-4536-BF2F-B14C6917DFF3}.
Unable to cancel {77936AE0-5036-4801-B7CE-0D3ADCBFB28F}.
Unable to cancel {04BEECCC-C4EE-4ED1-B94A-AB2E4CA0022B}.
Unable to cancel {D96E964B-3AB3-4485-B24D-34E3A0163188}.
Unable to cancel {CE75DA7F-02BF-4379-9CB6-538B094B5D54}.
Unable to cancel {8948E236-F71A-41C8-BD2F-B8CAAE06AE08}.
Unable to cancel {AED9A2A7-2964-497E-986D-F93BED10FAEE}.
Unable to cancel {E1A93E3A-F9E7-4F95-87CF-28F5D1471127}.
Unable to cancel {7A3C09EB-F4E0-4CBB-8C10-FC60800A247F}.
Unable to cancel {2D38442D-634E-43B2-8439-EC84AAD711B0}.
Unable to cancel {F4EA908A-FE4F-4A3E-86FE-B84ED4C1A24A}.
Unable to cancel {E3DC4525-28E8-49AF-8FC0-2FC77DA52196}.
Unable to cancel {5DAA9768-E102-4C70-81B3-3DC1D6ED5B66}.
Unable to cancel {4BE46E4A-FFD1-4946-8F1B-840226E080E8}.
Unable to cancel {BA47AF77-27EA-4FCA-BBA3-E0683098FD79}.
Unable to cancel {6679F98F-7A47-4A29-80A4-AC773A37A247}.
Unable to cancel {CCFA6E04-B4D0-4424-82F2-643FA01C12DC}.
Unable to cancel {58FCA1DB-FFF7-4607-9234-43D2652DE913}.
Unable to cancel {DBB2E1A5-2C29-44FD-BF46-03249E04179F}.
Unable to cancel {51CD498A-7835-418A-89FF-DDC6291A2795}.
Unable to cancel {A3D41547-521B-4C83-B54F-9262F4C4F6E1}.
Unable to cancel {9B095406-5200-4901-A65D-5BCF3E68AD4A}.
Unable to cancel {EF230471-D3CF-472E-B7F0-0CAC8EE4D8FF}.
Unable to cancel {4D37BBCF-31EE-4C6C-938F-4FEDFB6F5529}.
Unable to cancel {301DC668-3899-415E-8126-EF52C25503F8}.
Unable to cancel {B3A05129-32E7-4156-9CFE-2D47410026FC}.
Unable to cancel {A2057CF4-3B6D-45BC-8EE0-84C3F83E8BEA}.
Unable to cancel {3EC7622F-192A-4CDD-87D9-3195CF75D0AC}.
Unable to cancel {9E517A9D-7139-4BC8-BC63-724D92E11683}.
Unable to cancel {5ECA01BD-D36D-484B-A7AB-576C91483C0A}.
Unable to cancel {ED17D132-F266-4951-BEE9-ED8FC965B7BB}.
Unable to cancel {41E7021C-987F-49E3-B8C4-5E1DE3B10634}.
Unable to cancel {A419A8DE-B3C3-473F-B3DE-4E7B129FAB12}.
Unable to cancel {32CFBFDA-90A8-4EB7-889D-AE9897B83788}.
Unable to cancel {8BE4920A-EEDE-4420-8B7D-74DE0E830770}.
Unable to cancel {F4CF46CA-E7B0-4DC5-A5A9-372CE158CB4A}.
Unable to cancel {39A80AAB-E593-4C89-89C6-FA30093CEFEF}.
Unable to cancel {635F12CD-F9B5-4346-BCDA-00CC210DBE08}.
Unable to cancel {BDE3BA7C-7547-4427-A339-B5ECDE2BC2DB}.
Unable to cancel {2EA7FE1B-04D1-4B1A-B6DE-274C21B5C558}.
Unable to cancel {1A7873D7-931A-4051-8B3B-8B102332395F}.
Unable to cancel {43F46356-CB32-4C16-9E5D-7958916726BB}.
Unable to cancel {73BB6EF2-0B7B-40D5-80C8-D677A8911EED}.
Unable to cancel {33E8A3A9-E2F2-4CCB-AF66-90778D297CDE}.
Unable to cancel {C34E48CF-4C78-4392-9E7C-B01D7CFACF1F}.
Unable to cancel {FD866F01-8E90-42EB-9964-6A998FC0CD24}.
Unable to cancel {F2CC34B6-B167-429A-A116-3D017343B54F}.
Unable to cancel {881244DA-A4BC-439E-87D3-FCF7A0DDA83F}.
Unable to cancel {23154BDB-CC48-45B1-A269-16FEE23FDBD0}.
Unable to cancel {A3310E23-4099-41C4-AC9F-F7F4301B8CF4}.
Unable to cancel {7CC9FE99-9651-4C03-8B93-EADC9E74C7AB}.
Unable to cancel {91C8621C-701D-4FA5-B368-9706D5EA6BBF}.
Unable to cancel {046FB2B0-3079-4BD8-B3DF-EB288E271590}.
Unable to cancel {0DD2C924-6243-4641-96EB-CDD4DC1AD590}.
Unable to cancel {FF08E652-D8EC-4598-9AEC-58915E114779}.
Unable to cancel {B20C0085-2CC3-4F35-A41F-FF40E8B8259B}.
Unable to cancel {753CC577-253A-4551-8F0E-EFF94E879B4E}.
Unable to cancel {9A811A6F-D335-4AD0-98FF-42448395FA37}.
Unable to cancel {9BE62AE2-8457-4551-9719-C2B5464A0D51}.
Unable to cancel {C1FFFBBF-3A1C-4636-9DBB-03D0DC17A261}.
Unable to cancel {6753FFDF-517F-4204-A9AF-8391B9E36947}.
Unable to cancel {59658A7A-AE0E-429E-B355-5FE526CD4145}.
Unable to cancel {FDD0BC35-B6B8-424F-B814-512F2053B042}.
Unable to cancel {AFDA3367-82F4-4EFD-BF7E-EEC2289E4ED9}.
Unable to cancel {87D9A8D9-DDE0-4D50-AD88-B6554E2C3D10}.
Unable to cancel {5FAA1E0C-81D8-4060-8407-3A46C29FC6ED}.
Unable to cancel {FB84E80B-DAD5-45E8-86BB-3D6A4A4AD308}.
Unable to cancel {C2BD7893-A519-4015-94FD-D9CB2FF2C729}.
Unable to cancel {BAE711D2-2BD1-4528-8BC8-752682636A95}.
0 out of 71 jobs canceled.
 
========= End of CMD: =========
 
EmptyTemp: => Removed 2.2 GB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====

Edited by voltrek, 07 September 2014 - 08:12 PM.

  • 0

#4
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK I think I may have it now

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CHR Extension: (WhatFont) - C:\Users\109041\AppData\Local\Google\Chrome\User Data\Default\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm [2014-08-15]
EmptyTemp:
CMD: bitsadmin /reset /allusers


Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that
  • 0

#5
voltrek

voltrek

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Hi,

 

Thanks again for your efforts, I did not see the reply until now and ran the fixlist.txt.

 

Unfortunately the adds are still there and so are the multiple chrome processes.

 

Hope you'll give it another shot :)

 

Here's the fixlog.txt:

 

------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-09-2014
Ran by 109041 at 2014-09-12 15:27:22 Run:2
Running from C:\Users\109041\Desktop
Boot Mode: Normal
==============================================
 
Content of fixlist:
*****************
CHR Extension: (WhatFont) - C:\Users\109041\AppData\Local\Google\Chrome\User Data\Default\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm [2014-08-15]
EmptyTemp:
CMD: bitsadmin /reset /allusers
*****************
 
C:\Users\109041\AppData\Local\Google\Chrome\User Data\Default\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm => Moved successfully.
 
=========  bitsadmin /reset /allusers =========
 
 
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.
© Copyright 2000-2006 Microsoft Corp.
 
BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.
Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.
 
0 out of 0 jobs canceled.
 
========= End of CMD: =========
 
EmptyTemp: => Removed 57.9 MB temporary data.
 
 
The system needed a reboot. 
 
==== End of Fixlog ====

  • 0

#6
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Could you run Chrome in incognito mode please and let me know if the ads still appear https://support.goog...me/answer/95464
  • 0

#7
voltrek

voltrek

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Will do when I get the chance and will post back, thanks!


  • 0

#8
voltrek

voltrek

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Hi, 

 

Just checked it now and it does not seem to happen when in incognito mode. Hope it tells you what you need to know :)

 

Freek


  • 0

#9
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Yes, it tells me that one of your legitimate extensions has been corrupted

What we can do is reset Chrome. This does mean you will have to reinstall any important extensions that you need

Please follow the steps here https://support.goog...296214?hl=en-GB and let me know the result
  • 0

#10
voltrek

voltrek

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Hi,

 

Sorry for such a delay. I've resetted Chrome and it seems to be gone, thank you!!

 

F


  • 0

#11
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Any further problems before I tidy up ?
  • 0

#12
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Subject to no further problems :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix

delfix.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

CryptoPrevent.JPG

Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe :wave:
  • 0

#13
Essexboy

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics


Also tagged with one or more of these keywords: Chrome, Malware, spyware, ads

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP