[frobey]

Hi Joe,

 

Chrome browser still comes up with Tikotin home page even thought the startup page is set to www.google.com

 

There was a message from CHrome saying it had disabled an extension called Krab Web

 

The popups seemed to have stopped so that's a good thing!!

 

Frank

[Advertisements]

Hello Frank,

Lets try resetting chrome,
Please follow these instructions here to reset chrome.

Try that and let me know.

Krab Web is an adware program, that displays pop-up ads and advertisements on web pages that you visit. Thought we removed that.

Thanks
Joe

[zep516]

Hello Frank,

Lets try resetting chrome,
Please follow these instructions here to reset chrome.

Try that and let me know.

Krab Web is an adware program, that displays pop-up ads and advertisements on web pages that you visit. Thought we removed that.

Thanks
Joe

[frobey]

Resetting Chrome seemed to fix that...I also went into extensions and deleted krab web and another one that was in there...

 

PC seems to be working much better....he was also having issues with his Outlook email and that seems to be better as well...

 

YAHOOOOO :-)

 

Anything else I should check? IE seems OK as well...

 

Frank

[zep516]

Yes a bit more to do,

We need to run an Online Scan called ESET. Warning this scan could take a while so run it when your done with the computer for the nite. I'll look at the results and take it from there. Then we will clean up the tools we used and I'll let you go

ESET Online Scanner

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your current installed Anti-Virus, how to do so can be read here.

• Please go >>HERE<< then click on:
  
  Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on the icon to install.
  
  All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.
• Select the option YES, I accept the Terms of Use then click on:
• When prompted allow the Add-On/Active X to install.
• Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
• Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology

• Now click on:
• The virus signature database... will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed make sure you first copy the logfile located at C:\Program Files (x86)\ESET\Esetonlinescanner\log.txt).
• Copy and paste that log as a reply to this topic.
• Now click on:
  (Selecting Uninstall application on close if you so wish)

Thanks
Joe

[frobey]

Hi Joe,

 

I ran the scanner and it found 19 "Infected files", yet the log file doesn't have much in it

 

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK

 

Before I uninstalled the app I wanted to see if there's another log file I should be sending you...

 

I found this under "List of found threats"

 

C:\AdwCleaner\Quarantine\C\Program Files (x86)\YTDownloader\Updater.exe.vir a variant of Win32/ShopperPro.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\YTDownloader\YTDUninstall.exe.vir Win32/SpeedBit.B.gen potentially unwanted application
C:\FRST\Quarantine\C\Users\bobramsay\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdijnalfcndckfbhkjakjoekpfojjilg\1.0.1_0\background.js Win32/BrowseFox.Q potentially unwanted application
C:\FRST\Quarantine\C\Users\bobramsay\AppData\Local\Google\Chrome\User Data\Default\Extensions\kdijnalfcndckfbhkjakjoekpfojjilg\1.0.1_0\content.js Win32/BrowseFox.Q potentially unwanted application
C:\FRST\Quarantine\C\Users\bobramsay\AppData\Local\Temp\ConsumerInputSetup.exe.xBAD Win32/Compete.A potentially unwanted application
C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe a variant of Win32/HiddenStart.A potentially unsafe application
C:\Program Files (x86)\OpenSoftwareUpdater\spnocrc.exe Win32/Conduit.SearchProtect.N potentially unwanted application
C:\Users\bobramsay\AppData\Local\nshD30D.tmp Win32/AnyProtect.F potentially unwanted application
C:\Users\bobramsay\AppData\Local\nsj92E9.tmp Win32/AnyProtect.F potentially unwanted application
C:\Users\bobramsay\AppData\Roaming\BTOSQF JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bobramsay\AppData\Roaming\CYHPK JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bobramsay\AppData\Roaming\HGGI JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bobramsay\AppData\Roaming\OQERG JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bobramsay\AppData\Roaming\PDFU JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\bobramsay\AppData\Roaming\QOILJM JS/Toolbar.Crossrider.C potentially unwanted application
C:\Users\Public\Temp\3B1A1F69BCD045A4A0DDC601F9F86B7C\setup.exe multiple threats
C:\Users\Public\Temp\9E17C533813A48EFAAA673829CBA15C6\setup.exe Win32/OutBrowse.AO potentially unwanted application
C:\Users\Public\Temp\BDC1A106813D461C80047C596F453F12\setup.exe a variant of Win64/BrowseFox.AU potentially unwanted application
C:\Users\Public\Temp\CAA429C6F87C4CABB6616999E1D09D43\setup.exe a variant of Win32/Amonetize.BQ potentially unwanted application

 

[zep516]

Hello,

There are some minor things in your online scan that should be removed.

delete files

• Copy all text in the quote box (below)...to Notepad.
  

  @echo off
  rd /s /q "C:\Program Files (x86)\OpenSoftwareUpdater\spnocrc.exe"
  rd /s /q "C:\Users\bobramsay\AppData\Local\nshD30D.tmp"
  rd /s /q "C:\Users\bobramsay\AppData\Local\nsj92E9.tmp"
  rd /s /q "C:\Users\bobramsay\AppData\Roaming\CYHPK JS/Toolbar.Crossrider.C"
  rd /s /q "C:\Users\bobramsay\AppData\Roaming\HGGI JS/Toolbar.Crossrider.C"
  rd /s /q "C:\Users\bobramsay\AppData\Roaming\OQERG JS/Toolbar.Crossrider."
  rd /s /q "C:\Users\bobramsay\AppData\Roaming\PDFU JS/Toolbar.Crossrider.C"
  rd /s /q "C:\Users\bobramsay\AppData\Roaming\QOILJM JS/Toolbar.Crossrider.C"
  rd /s /q "C:\Users\bobramsay\AppData\Roaming\BTOSQF JS/Toolbar.Crossrider.C"
  del %0

• Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
  It should look like this: <--XP<--vista
• Double click on delfile.bat to execute it.
  A black CMD window will flash, then disappear...this is normal.
• The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.

Next

Clean out your temporary internet files and temp files.

Download TFC by OldTimer http://oldtimer.geekstogo.com/TFC.exe to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator
TFC will close all programs when run, so make sure you have saved all your work before you begin.

• Click the Start button to begin the cleaning process.
• Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
• Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

Next remove all our tools an logs

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the icon and Run as administrator option.
• Make sure that these ones are checked:
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
• Push Run.
• The program will run for a few seconds and display a notepad report.
  Paste it for my review.

Post the delfix log in your next reply.

Thanks
Joe

[frobey]

Delfix.txt file

 

# DelFix v10.8 - Logfile created 22/10/2014 at 21:34:57
# Updated 29/07/2014 by Xplode
# Username : bobramsay - WINDOWS-E4ELKUL
# Operating System : Windows 8.1  (64 bits)

~ Removing disinfection tools ...

Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\Users\bobramsay\Desktop\FRST-OlderVersion
Deleted : C:\Users\bobramsay\Desktop\Addition.txt
Deleted : C:\Users\bobramsay\Desktop\AdwCleaner.exe
Deleted : C:\Users\bobramsay\Desktop\Extras.Txt
Deleted : C:\Users\bobramsay\Desktop\Fixlog.txt
Deleted : C:\Users\bobramsay\Desktop\FRST.txt
Deleted : C:\Users\bobramsay\Desktop\FRST64.exe
Deleted : C:\Users\bobramsay\Desktop\JRT.exe
Deleted : C:\Users\bobramsay\Desktop\JRT.txt
Deleted : C:\Users\bobramsay\Desktop\OTL.Txt
Deleted : C:\Users\bobramsay\Desktop\OTL.exe
Deleted : C:\Users\bobramsay\Desktop\Result.txt
Deleted : C:\Users\bobramsay\Desktop\TFC.exe
Deleted : C:\Users\bobramsay\Downloads\adwcleaner_4.000.exe
Deleted : C:\Users\bobramsay\Downloads\JRT.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\AdwCleaner

~ Cleaning system restore ...

Deleted : RP #5 [Scheduled Checkpoint | 10/01/2014 06:24:40]
Deleted : RP #6 [Scheduled Checkpoint | 10/09/2014 12:16:11]
Deleted : RP #7 [Windows Update | 10/15/2014 06:23:35]
Deleted : RP #8 [Windows Update | 10/21/2014 23:20:20]

New restore point created !

~ Resetting system settings ... OK

########## - EOF - ##########

[zep516]

And,

Tell your friend,

You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

Safe Computing Practices please read Here

Thanks
Joe

[frobey]

Thanks for all your help!! I'll send him that link, thanks. I'll also be telling him if he does it again he's going to need to figure out how to clean it himself :-)

 

One last question, under the "Action Center" (little flag in the taskbar) there is a message "Click here to enter your most recent password (Important)" is that a bogus alert or something still hiding on the system somewhere?

[frobey]

Was just checking Programs under control panel and the Shopping Helper Smartbar and Shopping Helper Smartbar Engine are still in there, does that matter?

[zep516]

That's a windows 8 issue, it's not Malware. There's some discussion about it on the link below. I did not see a direct solution or the reason it comes up like that.

See Here

Yes. I forgot about Shopping Helper Smartbar and Shopping Helper Smartbar Engine Let me see what we can do there.



Thanks
Joe

[frobey]

Thanks, it is now ignored and has gone away.

[zep516]

What error do you get when you try to uninstall..... Shopping Helper Smartbar and Shopping Helper Smartbar Engine

[frobey]

Same as before, for Shopping helper Smartbar a Windows Installer box pops up that says "The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, etc.)" The source it wants to use is an .msi file that was in a temp directory.

 

Trying to uninstall Shopping Helper Smartbar engine it just briefly flashes and then nothing happens.

 

I found this as a "tip" to get rid of stuck programs like this but editing the registry always makes me cringe :-)

 

http://www.windows-s...emove-programs/

[zep516]

Yes. It's a registry edit. I'm not sending you into the registry. A broken registry is a broken Windows.

Those entries are under this key.

[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Uninstall]
"Shopping Helper Smartbar"
"Shopping Helper Smartbar Engine"

I'll get a fix for you for that. I need to confirm the fix is correct also. I may not get back to you tonite. We may need to redownload OTL. I'll let you know.

Thanks
Joe