[dbreeze]

FYI, we are doing this because the malware you ave run into has changed Chrome from the normal (standard) secure release version to the Developer (open testing) version that is less secure.
 

FIRST >>>>
 
Download the offline installer for Chrome for 64 bit OS from here.
 
SECOND >>>>
 
Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):

Google Chrome

To do so, left clicking on the name once and then click Uninstall/Change at the bar above the list window.  

Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.
 
THIRD >>>>
 
Open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt
 

start
CreateRestorePoint:
CloseProcesses:
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: Reg Delete "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Reg: Reg Add "HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg" /F
Hosts:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..".  The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.  

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

FOURTH >>>>
 
Reinstall Google Chrome using the downloaded file in the first step.
 
Information to Reply with >>>>

• The Fixlog.txt log text.
• How is Chrome?  Any popups, redirects, etc.?
• How is the system running now?

[Advertisements]

Good Morning dbreeze

 

OK deleted Chrome, ran fixlist, re-set up Chrome (I had it ready on a stick this time).

 

Everything looks fine so far. No problems with pop-ups, no unexpected calls for external images etc.  and the cookie setting from a number of sites looks normal.

 

My wife also has internet Explorer on her PC and I wondered what to do about that.  She doesn't use it much but as a precaution I ran ADW Cleaner and it found something called Potatolite attached to IE.

 

This looks like adware from a quick search so I let ADW delete it, but still haven't opened IE.  Should I just make it dormant as I have on my own system?

 

Attached the fixlog as requested.

 

Thanks again.

 

jmg

 

Attached Files

•  Fixlog.txt   1.63KB   217 downloads

[gurgeh]

Good Morning dbreeze

 

OK deleted Chrome, ran fixlist, re-set up Chrome (I had it ready on a stick this time).

 

Everything looks fine so far. No problems with pop-ups, no unexpected calls for external images etc.  and the cookie setting from a number of sites looks normal.

 

My wife also has internet Explorer on her PC and I wondered what to do about that.  She doesn't use it much but as a precaution I ran ADW Cleaner and it found something called Potatolite attached to IE.

 

This looks like adware from a quick search so I let ADW delete it, but still haven't opened IE.  Should I just make it dormant as I have on my own system?

 

Attached the fixlog as requested.

 

Thanks again.

 

jmg

 

Attached Files

•  Fixlog.txt   1.63KB   217 downloads

[dbreeze]

Yes; if you don't use IE that much then make it dormant. 
 

Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from Here

Double Click on the mbam-setup.exe file to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link
• 
• Once the program has loaded and updated, select "Scan Now >>" to start the scan.
• 
• The scan may take some time to finish, so please be patient.
• If any malware is found, make sure that everything is checked, and click Remove Selected.
• When the scan is complete, click View detailed log >> to view the results.
• 
• The report screen will open
• 
• At the bottom click on Export and select as txt file, save the file to your desktop and click OK.  When the export is complete, select OPEN.
• 
• The log file will be opened in your default text file viewer (usually Notepad); select the whole text (Ctrl + A) and copy (Ctrl + c) it to paste here in a reply.

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

[gurgeh]

Hi dbreeze

 

Report as requested:

 

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 10/02/2015

Scan Time: 18:24:05

Logfile: Annie Mbam.txt

Administrator: Yes

 

Version: 2.00.4.1028

Malware Database: v2015.02.10.11

Rootkit Database: v2015.02.03.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: anniedog

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 415716

Time Elapsed: 12 min, 29 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Disabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 0

(No malicious items detected)

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 2

Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS|DhcpNameServer, 91.212.124.159 8.8.8.8, Good: (), Bad: (91.212.124.159),Replaced,[577c46d6266481b5f73ce0dcb0556799]

Trojan.DNSChanger, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\Interfaces\{38936D5E-AF80-4F9F-9E9C-F21FA582C303}|DhcpNameServer, 91.212.124.159 8.8.8.8, Good: (), Bad: (91.212.124.159),Replaced,[d1022eee3b4f310548eb8a32ac59728e]

 

Folders: 0

(No malicious items detected)

 

Files: 0

(No malicious items detected)

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

 

Rgds

 

jmg

[dbreeze]

How is the system running now?

 


This next step may take a while (just to warn you) .....

ESET Online does not work with IE 11 (Internet Explorer) at the moment (a few weeks ago anyway) so if you have IE 11, Chrome or Firefox has to be used instead. ESET Online does work with IE 10 and earlier.

You can leave Norton Enabled even though ESET may warn about it. just makes the scan take longer. The pictures below showing what to click may be blue instead of green on the ESET website now, but the procedure is still the same

Please read carefully and Slowly, Notice all the settings listed below to check before starting the scan. Stop and ask if you have any questions.

Take note of the NO tick in the Remove found threats setting below at it needs to have the tick removed.

-------------------------------------------------------------------------------------------------------------------

Hold down Control key and click on the following link to open ESET OnlineScan in a new window.

Link =>> ESET Online Scanner <<

Click the Run ESET Online Scanner located on the left side of the page (not the free trial).



For browsers other than Internet Explorer only: (Microsoft Internet Explorer users can skip this step)
Click on the esetsmartinstaller link in the popup window that opens. Save it to your desktop.



Double click on the icon on your desktop.



Check (accept) the Terms of Use.



Click the START button.
Accept any security warnings from your browser.

Now in the Computer scan settings window that appears:-
Make sure that the option Enable detection of potentially unwanted applications is selected.
Now click on Advanced Settings and configure the options as follows:

Remove found threats is Not checked
Scan archives is checked
Scan for potentially unsafe applications is checked
Enable Anti-Stealth Technology is checked


Now click on: Start




ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.






When the scan is finished, if any threats are found you will see the screen below. Click to view the found threats.



At the bottom of the listed threats, there is an option to save the results to a text file. Please do this so you can attach the results here for review and removal of the items that are not false positives (these will be scripted out so do not worry).



Once the log text file is saved, return to the Scan Finished screen by clicking "<<Back", then click on the uninstall button and click Finish.



Attach the saved log file in your next reply please. Thanks.

[gurgeh]

Hi dbreeze

 

Mammoth scan of both computers complete.

 

Mine was clean - no threats. My wife's had the quarantined Clickpotato plus another two Hotbar and conduit AL.

 

System is working fine though, my Chrome is noticeably faster.

 

Attached Threat file from the ESET scan on my wife's computer.

 

Best Rgds

 

jmg

 

 

Attached Files

•  threat.txt   1.02KB   227 downloads

[dbreeze]

Thank you for the log and updates.

On your wife's computer, open notepad. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to the desktop as fixlist.txt
 

start
CreateRestorePoint:
CloseProcesses:
C:\Users\anniedog\Downloads\WiseConvert.exe
EmptyTemp:
Reboot:
end

NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Run FRST64 by right clicking on the FRST64.exe file, selecting "Run as Administrator..". The User Account Control may open up; if it does, select Yes to continue to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on. Press the Fix button just once and wait. The tool will create a restore point, process the script and ask for a restart of your system.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

[gurgeh]

Hi dbreeze

 

Had a short break for a couple of days, back home now.

 

fixlist run as recommended. fixlog attached

 

Best regards

 

jmg

 

Attached Files

•  Fixlog.txt   748bytes   239 downloads

[dbreeze]

All right!! Your logs are clean and you're good to go now!! We've got some final steps left to do to clean up our tools and get your system in good running condition and then you are on your way. I must say though, even though we met through less than ideal circumstances, it has been really great to work with you. Just run through the steps from the Cleanup of Tools to the Program Update Checker. That's it. Thanks.


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

• Download Delfix from here to your desktop and double click it to start the program
• Ensure Remove disinfection tools is ticked
  Also tick:
• Create registry backup
• Purge system restore
• Reset system settings
• 
• Click Run
• The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

You can delete any log files left on your desktop as these are no longer needed.


Keep Windows Updated
Microsoft issues updates to Windows to close vulnerabilities as they are discovered. Staying updated helps protect your system from current exploits.

• Click Start and then click Control Panel.
• Click on the View by: in the upper right corner and select Large Icons (you can change this back later if you like).
• Scroll down and click on Windows Update.
• Click on Change settings.
• Under Important Updates, click on Install updates automatically (recommended).
• Select (click on) the other options on this page.
• Select a day and time to have windows install the updates.
• Click on Ok to change the settings.
• If you want to change the view of the Control Panel display, click on the View by: in the upper right hand corner and select an option you prefer.

Keep other Important Programs Updated
Along with keeping Windows updated, it is a good idea to keep important programs updated. Java and Adobe Reader both need to be kept updated to the latest versions; malware writers utilize exploits in the unpatched versions to their advantages.

Java
Most security experts and the US CERT (part of the US Homeland Security) now recommend that users uninstall Java from their systems; if you don't have any programs that need Java on your system, you are safe to do this. You can read some of the articles on this here and here. I strongly suggest you uninstall Java unless you need it run certain software; in that case I would recommend that you disable or unplug Java from your web browsers and only enable it when you need it.

To disable / unplug Java in your browsers:

• How to disable Java in your web browser
• How to unplug Java from the browser

To uninstall Java (on Win7):

• Click Start and then click Control Panel.
• If you need to, click View by: and select either Large Icons or Small Icons.
• Click on Programs and Features.
• Scroll down until you find Java and click on it to select that program.
• (Older versions of Java may appear in the program list as J2SE, Java 2, Java SE or Java Runtime Environment.)
• Click Uninstall.
• If more than one version of Java shows in your program list, you should repeat the selection and uninstall until all of them are removed.

To check for the latest version of Java and installation steps:

• Go to java.com and click on Do I have Java?.
• On the next page, click on Verify Java Version.
• If you get a security pop up entitled "Do you want to run this application?" with the Name: Java Detection and Publisher: Oracle America, Inc., click Run.
• Follow the recommendations (if any) on the results screen.
• If there is a new version (or none at all on your system), there will be a button on the page showing Agree and Start Free Download. Click on it to update or install Java.
• The site will start a download of jxpiinstall.exe. Save the file to your desktop.
• When the download is finished, close your browser.
• Right click on the jxpiinstall.exe and select Run as Administrator.
• On the opening window, check Change destination folder and then click Install>.
• The program will now download the rest of the files needed to install Java.
• On the Destination Folder window, click Next>.
• On the next window, the install will present you the option of adding additional software (this is known as Foistware).
• Uncheck the Set and keep Ask as my default search provider.
• Uncheck the Install the Ask Toolbar.
• Click Next> to finish the install.
• When the installation is finished, you will be taken to a web page that will check to see if Java is working properly.

Adobe Reader
Adobe Reader is the second most targeted (by malware) common software. If all you ever do with Adobe Reader is view PDF files, then please consider replacing it with a lighter, free PDF reader that is not exploitable. One that we recommend is Sumatra PDF.

To update Adobe Reader:

• Launch your Adobe Reader.
• Click Help and then click on About Adobe Reader from the menu list.
• If the version is 11.0.04 then you are up to date. If it is less than this and you are keeping Adobe Reader, you should update to the latest version.
• The best place to get Adobe Reader is from Adobe (click on Adobe to go there now).
• Click on Download in the menu bar on top of the Adobe web page.
• Click on Adobe Reader in the list on the right hand side of the page.
• On the next page, click on the check mark (to turn it off) beside the option to include the McAfee scanner in the download and install. Make sure the check is NOT marked (this is another example of Foistware).
• Click the Install Now button and follow the directions on next page.
• If you are prompted to Save the installer file, choose to save it to your desktop. Once it is saved, right click on the file and select Run as Administrator.
• When the installation is finished, you can delete the installer file on your desktop.

Consider a program that will check for out-of-date programs on your system
Some programs don't have update checks built in or make you run the application to start the check for updates process. An easier way to stay on top of the current versions of your installed programs is to use a version checking program like Update Checker from FileHippo.com (you can get the software from here and read more about it on the same page).


You are now done!

Now some information on programs to help keep you safe:

First, an Antivirus program. You NEED one; free is just as good as paid-for as long as you keep them updated. ONLY use one at a time as having more than that will cause system problems. Here are some free ones to check out:
Microsoft Security Essentials
Avast! Free Antivirus

Next, a firewall is a must have now-a-days. The built in firewall in Windows 7 is fine (just make sure it is turned on (Start > Control Panel > Windows Firewall)). Or, if you like, you could choose one of the free ones listed here:
Emsisoft Online Armor - installs as trialware which converts to freeware in 30 days
Zone Alarm Free Firewall - installer includes foistware so read the options very carefully

=== options ====
Unchecky is a small service that runs in the background to help keep those "extra toolbars" and tag along search engines from automatically installing. By automatically directing you to a custom install with all the options unchecked, only what you manually choose and confirm gets installed.

CryptoPrevent is a free program that prevents CryptoLocker / ransomware from infecting your PC by locking down the OS so the malware can not get a grip on your system. You can read the details about this program here.

Also, consider adding MalwareBytes Antimalware to your arsenal of safe keeping programs. Use the free version (not the paid or trial version) and you won't have a problem with your antivirus scanner program. Keep it updated and run a scan with it once a week.

Lastly, if you use Firefox as your main web browser, consider adding the NoScript and AdBlockPlus add-ons to the browser to block scripting hijacks and remove unwanted ads from the pages you view.

You may also find some information and tips at this thread:
How did I get infected in the first place?
and
COMPUTER SECURITY - a short quide to staying safer online
 

I'll leave this topic open for a few days so that if you have any questions you can come back here. Surf safe, my friend!!

 

 

 

Please come back and post the Delfix.txt log when you get a chance.  Thanks and surf safely!!

[gurgeh]

Good Morning dbreeze

 

I am afraid we seem to be back to square one. I have the same problem with Chrome on my computer again.

 

On sites that were working fine last week, Chrome is now trying to launch adware - these are blocked but the pages are not resolving fully until timed out.

 

I ran a Malwarebytes scan this morning but it came up clean.

 

I will re-run ESET now.

 

Any thoughts on what to try next?

 

Thanks

 

jmg

[gurgeh]

Hi dbreeze

 

Some further thoughts. I have been micro-managing the plug in and javascript settings to block the calls the virus makes. I then flushed the cookies and cache and seem to have Chrome working normally again.

 

I have also re-set the router one more time but stopped short of a firmware replacement as I know these can be tricky.

 

I will keep a log of sites visited, but it has been very mundane stuff. I either have something deep, it is a site I have trusted or it is the router. Not much scope there!

 

Anything you can suggest in the meantime?

 

jmg

[dbreeze]

Could be Man_In_the_middle DNS problems (wife's MBAM scan found a DNSchanger Trojan).  You might be better with manually setting the DNS for each computer to 8.8.8.8 and 8.8.4.4 (these are Google's Public DNS servers).  You can find directions for this here, if you need them.

[gurgeh]

Hi dbreeze

 

OK checked the router DNS. Set to assign automatically, but when I ran diagnostics didn't get a ping back from server. Set it to manual 8.8.8.8 and 8.8.4.4 and saved. Then set each computer to manual 8.8.8.8 and 8.8.4.4 as well and flushed DNS cache  for each using ipconfig.

 

Anything else I should do or are the computers still clean? ESET found nothing.

 

Thanks again.

 

jmg

[dbreeze]

I would say your systems are still clean.  I can not say I'm impressed with AVG in this case and think that you may be happier with Avast but that is your call.  Let's see what the DNS changes do.

[dbreeze]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.