[voltrek]

Hi All,

 

Booted up into chrome just to find out I have been infected by some nasty malware/spyware.

 

On the homepage (google.com) everything is fine and no ads are shown. When I go to any other website ads are displayed left/right/top/bottom of the pages. Sometimes a warning pops up as well, which is part of the spyware. Please see the attached screenshot.

 

From that moment I will have ~13 chrome processes running, while having only one tab open.

 

I ran a scan with OTL, if somebody could have a quick look that would be great!! Hope I can get rid of this soon

 

Thanks!!

 

EDIT:

 

- Ran AdwCleaner, also attached

- Then ran JRT, which found some things, logs attached too.

- Afterwards did a FRST scan, log and addition attached.

 

Ads still coming on and processes still there as well

 

 

 OTL.Txt   133.89KB   359 downloads

Attached Files

•  Addition.txt   33.96KB   365 downloads
•  AdwCleanerS0_after_clean.txt   4.25KB   346 downloads
•  FRST.txt   91.8KB   421 downloads
•  JRT.txt   777bytes   293 downloads

Edited by voltrek, 03 September 2014 - 07:19 PM.

[Advertisements]

Hi there this may be a simple fix.. On completion of this run could you let me know if the problem has ceased

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR StartupUrls: Default -> "hxxp://www.google.com.au/", "hxxp://au.search.yahoo.com/?fr=spigot-yhp-gcmac&ilc=12&type=997063"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DE78763E-DA8E-4F0A-A561-7B2B816B2C93} - \WPD\SqmUpload_S-1-5-21-3379002391-4021724616-3906980229-500 No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

[Essexboy]

Hi there this may be a simple fix.. On completion of this run could you let me know if the problem has ceased

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CHR StartupUrls: Default -> "hxxp://www.google.com.au/", "hxxp://au.search.yahoo.com/?fr=spigot-yhp-gcmac&ilc=12&type=997063"
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {DE78763E-DA8E-4F0A-A561-7B2B816B2C93} - \WPD\SqmUpload_S-1-5-21-3379002391-4021724616-3906980229-500 No Task File <==== ATTENTION
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

[voltrek]

Hi,

 

Thanks for the reply and the fixlist. I ran it today but unfortunately the ads and warnings are still there ( so are 13 chrome running processes for 1 tab). The multiple chrome processes are there as well.

 

Hope you can help me out further.

 

Thanks,

 

Here is the fixlog.txt:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 07-09-2014 01

Ran by 109041 at 2014-09-08 12:07:20 Run:1

Running from C:\Users\109041\Desktop

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

CHR StartupUrls: Default -> "hxxp://www.google.com.au/", "hxxp://au.search.yahoo.com/?fr=spigot-yhp-gcmac&ilc=12&type=997063"

CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION

Task: {DE78763E-DA8E-4F0A-A561-7B2B816B2C93} - \WPD\SqmUpload_S-1-5-21-3379002391-4021724616-3906980229-500 No Task File <==== ATTENTION

EmptyTemp:

CMD: bitsadmin /reset /allusers

*****************

 

Chrome StartupUrls deleted successfully.

"HKLM\SOFTWARE\Policies\Google" => Key deleted successfully.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{DE78763E-DA8E-4F0A-A561-7B2B816B2C93}" => Key deleted successfully.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{DE78763E-DA8E-4F0A-A561-7B2B816B2C93}" => Key deleted successfully.

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WPD\SqmUpload_S-1-5-21-3379002391-4021724616-3906980229-500" => Key deleted successfully.

 

=========  bitsadmin /reset /allusers =========

 

 

BITSADMIN version 3.0 [ 7.5.7601 ]

BITS administration utility.

© Copyright 2000-2006 Microsoft Corp.

 

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.

Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

 

Unable to cancel {AC6EE735-AD27-4652-9F0B-27C63E54C185}.

Unable to cancel {1FEF752E-05D2-4948-8266-01380355BB41}.

Unable to cancel {6BD9C438-29CC-4536-BF2F-B14C6917DFF3}.

Unable to cancel {77936AE0-5036-4801-B7CE-0D3ADCBFB28F}.

Unable to cancel {04BEECCC-C4EE-4ED1-B94A-AB2E4CA0022B}.

Unable to cancel {D96E964B-3AB3-4485-B24D-34E3A0163188}.

Unable to cancel {CE75DA7F-02BF-4379-9CB6-538B094B5D54}.

Unable to cancel {8948E236-F71A-41C8-BD2F-B8CAAE06AE08}.

Unable to cancel {AED9A2A7-2964-497E-986D-F93BED10FAEE}.

Unable to cancel {E1A93E3A-F9E7-4F95-87CF-28F5D1471127}.

Unable to cancel {7A3C09EB-F4E0-4CBB-8C10-FC60800A247F}.

Unable to cancel {2D38442D-634E-43B2-8439-EC84AAD711B0}.

Unable to cancel {F4EA908A-FE4F-4A3E-86FE-B84ED4C1A24A}.

Unable to cancel {E3DC4525-28E8-49AF-8FC0-2FC77DA52196}.

Unable to cancel {5DAA9768-E102-4C70-81B3-3DC1D6ED5B66}.

Unable to cancel {4BE46E4A-FFD1-4946-8F1B-840226E080E8}.

Unable to cancel {BA47AF77-27EA-4FCA-BBA3-E0683098FD79}.

Unable to cancel {6679F98F-7A47-4A29-80A4-AC773A37A247}.

Unable to cancel {CCFA6E04-B4D0-4424-82F2-643FA01C12DC}.

Unable to cancel {58FCA1DB-FFF7-4607-9234-43D2652DE913}.

Unable to cancel {DBB2E1A5-2C29-44FD-BF46-03249E04179F}.

Unable to cancel {51CD498A-7835-418A-89FF-DDC6291A2795}.

Unable to cancel {A3D41547-521B-4C83-B54F-9262F4C4F6E1}.

Unable to cancel {9B095406-5200-4901-A65D-5BCF3E68AD4A}.

Unable to cancel {EF230471-D3CF-472E-B7F0-0CAC8EE4D8FF}.

Unable to cancel {4D37BBCF-31EE-4C6C-938F-4FEDFB6F5529}.

Unable to cancel {301DC668-3899-415E-8126-EF52C25503F8}.

Unable to cancel {B3A05129-32E7-4156-9CFE-2D47410026FC}.

Unable to cancel {A2057CF4-3B6D-45BC-8EE0-84C3F83E8BEA}.

Unable to cancel {3EC7622F-192A-4CDD-87D9-3195CF75D0AC}.

Unable to cancel {9E517A9D-7139-4BC8-BC63-724D92E11683}.

Unable to cancel {5ECA01BD-D36D-484B-A7AB-576C91483C0A}.

Unable to cancel {ED17D132-F266-4951-BEE9-ED8FC965B7BB}.

Unable to cancel {41E7021C-987F-49E3-B8C4-5E1DE3B10634}.

Unable to cancel {A419A8DE-B3C3-473F-B3DE-4E7B129FAB12}.

Unable to cancel {32CFBFDA-90A8-4EB7-889D-AE9897B83788}.

Unable to cancel {8BE4920A-EEDE-4420-8B7D-74DE0E830770}.

Unable to cancel {F4CF46CA-E7B0-4DC5-A5A9-372CE158CB4A}.

Unable to cancel {39A80AAB-E593-4C89-89C6-FA30093CEFEF}.

Unable to cancel {635F12CD-F9B5-4346-BCDA-00CC210DBE08}.

Unable to cancel {BDE3BA7C-7547-4427-A339-B5ECDE2BC2DB}.

Unable to cancel {2EA7FE1B-04D1-4B1A-B6DE-274C21B5C558}.

Unable to cancel {1A7873D7-931A-4051-8B3B-8B102332395F}.

Unable to cancel {43F46356-CB32-4C16-9E5D-7958916726BB}.

Unable to cancel {73BB6EF2-0B7B-40D5-80C8-D677A8911EED}.

Unable to cancel {33E8A3A9-E2F2-4CCB-AF66-90778D297CDE}.

Unable to cancel {C34E48CF-4C78-4392-9E7C-B01D7CFACF1F}.

Unable to cancel {FD866F01-8E90-42EB-9964-6A998FC0CD24}.

Unable to cancel {F2CC34B6-B167-429A-A116-3D017343B54F}.

Unable to cancel {881244DA-A4BC-439E-87D3-FCF7A0DDA83F}.

Unable to cancel {23154BDB-CC48-45B1-A269-16FEE23FDBD0}.

Unable to cancel {A3310E23-4099-41C4-AC9F-F7F4301B8CF4}.

Unable to cancel {7CC9FE99-9651-4C03-8B93-EADC9E74C7AB}.

Unable to cancel {91C8621C-701D-4FA5-B368-9706D5EA6BBF}.

Unable to cancel {046FB2B0-3079-4BD8-B3DF-EB288E271590}.

Unable to cancel {0DD2C924-6243-4641-96EB-CDD4DC1AD590}.

Unable to cancel {FF08E652-D8EC-4598-9AEC-58915E114779}.

Unable to cancel {B20C0085-2CC3-4F35-A41F-FF40E8B8259B}.

Unable to cancel {753CC577-253A-4551-8F0E-EFF94E879B4E}.

Unable to cancel {9A811A6F-D335-4AD0-98FF-42448395FA37}.

Unable to cancel {9BE62AE2-8457-4551-9719-C2B5464A0D51}.

Unable to cancel {C1FFFBBF-3A1C-4636-9DBB-03D0DC17A261}.

Unable to cancel {6753FFDF-517F-4204-A9AF-8391B9E36947}.

Unable to cancel {59658A7A-AE0E-429E-B355-5FE526CD4145}.

Unable to cancel {FDD0BC35-B6B8-424F-B814-512F2053B042}.

Unable to cancel {AFDA3367-82F4-4EFD-BF7E-EEC2289E4ED9}.

Unable to cancel {87D9A8D9-DDE0-4D50-AD88-B6554E2C3D10}.

Unable to cancel {5FAA1E0C-81D8-4060-8407-3A46C29FC6ED}.

Unable to cancel {FB84E80B-DAD5-45E8-86BB-3D6A4A4AD308}.

Unable to cancel {C2BD7893-A519-4015-94FD-D9CB2FF2C729}.

Unable to cancel {BAE711D2-2BD1-4528-8BC8-752682636A95}.

0 out of 71 jobs canceled.

 

========= End of CMD: =========

 

EmptyTemp: => Removed 2.2 GB temporary data.

 

 

The system needed a reboot. 

 

==== End of Fixlog ====

Edited by voltrek, 07 September 2014 - 08:12 PM.

[Essexboy]

OK I think I may have it now

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CHR Extension: (WhatFont) - C:\Users\109041\AppData\Local\Google\Chrome\User Data\Default\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm [2014-08-15]
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe
Run FRST and press Fix
On completion a log will be generated please post that

[voltrek]

Hi,

 

Thanks again for your efforts, I did not see the reply until now and ran the fixlist.txt.

 

Unfortunately the adds are still there and so are the multiple chrome processes.

 

Hope you'll give it another shot

 

Here's the fixlog.txt:

 

------

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 10-09-2014

Ran by 109041 at 2014-09-12 15:27:22 Run:2

Running from C:\Users\109041\Desktop

Boot Mode: Normal

==============================================

 

Content of fixlist:

*****************

CHR Extension: (WhatFont) - C:\Users\109041\AppData\Local\Google\Chrome\User Data\Default\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm [2014-08-15]

EmptyTemp:

CMD: bitsadmin /reset /allusers

*****************

 

C:\Users\109041\AppData\Local\Google\Chrome\User Data\Default\Extensions\jabopobgcpjmedljpbcaablpmlmfcogm => Moved successfully.

 

=========  bitsadmin /reset /allusers =========

 

 

BITSADMIN version 3.0 [ 7.5.7601 ]

BITS administration utility.

© Copyright 2000-2006 Microsoft Corp.

 

BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows.

Administrative tools for the BITS service are now provided by BITS PowerShell cmdlets.

 

0 out of 0 jobs canceled.

 

========= End of CMD: =========

 

EmptyTemp: => Removed 57.9 MB temporary data.

 

 

The system needed a reboot. 

 

==== End of Fixlog ====

[Essexboy]

Could you run Chrome in incognito mode please and let me know if the ads still appear https://support.goog...me/answer/95464

[voltrek]

Will do when I get the chance and will post back, thanks!

[voltrek]

Hi, 

 

Just checked it now and it does not seem to happen when in incognito mode. Hope it tells you what you need to know

 

Freek

[Essexboy]

Yes, it tells me that one of your legitimate extensions has been corrupted

What we can do is reset Chrome. This does mean you will have to reinstall any important extensions that you need

Please follow the steps here https://support.goog...296214?hl=en-GB and let me know the result

[voltrek]

Hi,

 

Sorry for such a delay. I've resetted Chrome and it seems to be gone, thank you!!

 

F

[Essexboy]

Any further problems before I tidy up ?

[Essexboy]

Subject to no further problems

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset System Restore points:

Download and run Delfix



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware



Malwarebytes.

Update and run weekly to keep your system clean


It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide Best security practices Keep safe

[Essexboy]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.