[tsmonk]

I accidentally picked up the "Sale Pluuss" extension when I inadvertently clicked on Easy Downloader on a web site.  I removed the extension from Chrome, deleted the program with Revo and did a scan with Malwarebytes that found a bunch of stuff. Ran Adwcleaner as well.  I thought I was clean but every time I open Chrome, I am prompted that I am in Developer Mode and the Sale Pluuss extension is back and enabled. How can I get rid this extension permanently? Oh yeah, I ran the FRST64 as well so I have that log.

 

Addendum: After posting, I went back to Chrome Extensions and saw the notation that it was loaded from C:\ProgramData\nfibchpbeeplaeglabjalglihopjkpnf\. I deleted that folder and the Sale Pluuss extension has not returned. I hope that settles the issue.

Edited by tsmonk, 18 April 2015 - 04:25 AM.

[Advertisements]

Hi, as Chrome is in developer mod that is one thing you do not want

Re-install Chrome
Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.
1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall chrome. Note: When asked about user data or settings you must remove this also so please check the box.
5. Restart the computer and reinstall chrome, You can download The latest version from here - Google Chrome
6. Import your bookmarks back into Chrome
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

[Essexboy]

Hi, as Chrome is in developer mod that is one thing you do not want

Re-install Chrome
Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.
1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall chrome. Note: When asked about user data or settings you must remove this also so please check the box.
5. Restart the computer and reinstall chrome, You can download The latest version from here - Google Chrome
6. Import your bookmarks back into Chrome
7. Sign back in to your Chrome browser so that your bookmarks sync with your online account.

[tsmonk]

Thanks for responding. I uninstalled Chrome with Revo but it is still on my computer in the start menu. It does not appear in Revo or Windows Programs and Features. Bookmarks are there but there is no sync data. Incidentally, I was not asked about user data, no box to check. There is also this message in settings.

 

Chrome detected that some of your settings were corrupted by another program and reset them to their original defaults. Learn more

 

So how do I get it uninstalled?

[Essexboy]

If you run FRST for me I will remove any remnants that I can see

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

• Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
• Select additions at the bottom
• Press Scan button.
  
• It will produce a log called FRST.txt in the same directory the tool is run from.
• Please attach both logs generated.

[tsmonk]

Here is the scan log

 FRST.txt   62.06KB   180 downloads

 

Oops. Wrong log. That was one I ran last night. Here is todays.

 

 

 

 

 

 

 

 

 

Attached Files

•  FRST.txt   62.06KB   155 downloads

Edited by tsmonk, 19 April 2015 - 01:57 PM.

[Essexboy]

Chrome was still running. You may need to remove the start menu manually

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
HKU\S-1-5-21-1853225634-1185179328-766844407-1000\...\Run: [Google Update] => C:\Users\Jim\AppData\Local\Google\Update\GoogleUpdate.exe [116648 2012-12-01] (Google Inc.)
AppInit_DLLs: C:\Windows\katrack.dll => C:\Windows\katrack.dll File Not Found
AppInit_DLLs: KATRACK.DLL => KATRACK.DLL File Not Found
AppInit_DLLs: C:\Windows\katrack.dll => C:\Windows\katrack.dll File Not Found
AppInit_DLLs: C:\Windows\katrack.dll => C:\Windows\katrack.dll File Not Found
AppInit_DLLs: C:\Windows\katrk64.dll => C:\Windows\katrk64.dll File Not Found
AppInit_DLLs: KATRK64.DLL => KATRK64.DLL File Not Found
AppInit_DLLs-x32: C:\Windows\katrack.dll => "C:\Windows\katrack.dll" File Not Found
AppInit_DLLs-x32: C:\Windows\katrack.dll => "C:\Windows\katrack.dll" File Not Found
AppInit_DLLs-x32: C:\Windows\katrack.dll => "C:\Windows\katrack.dll" File Not Found
AppInit_DLLs-x32: KATRACK.DLL => "KATRACK.DLL" File Not Found
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-1853225634-1185179328-766844407-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
Toolbar: HKU\S-1-5-21-1853225634-1185179328-766844407-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-03] (Google Inc.)
FF Plugin HKU\S-1-5-21-1853225634-1185179328-766844407-1000: @tools.google.com/Google Update;version=3 -> C:\Users\Jim\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
FF Plugin HKU\S-1-5-21-1853225634-1185179328-766844407-1000: @tools.google.com/Google Update;version=9 -> C:\Users\Jim\AppData\Local\Google\Update\1.3.26.9\npGoogleUpdate3.dll [2015-02-04] (Google Inc.)
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "https://www.google.com/"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Widevine Content Decryption Module) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.5.669\_platform_specific\win_x86\widevinecdmadapter.dll No File
CHR Plugin: (Shockwave Flash) - C:\Users\Jim\AppData\Local\Google\Chrome\Application\42.0.2311.90\PepperFlash\pepflashplayer.dll ()
CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Users\Jim\AppData\Local\Google\Chrome\Application\42.0.2311.90\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Users\Jim\AppData\Local\Google\Chrome\Application\42.0.2311.90\pdf.dll No File
CHR Plugin: (Adobe Create PDF) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj\11.0.7.52_0\plugin/npWCChromeExtnStub.dll No File
CHR Plugin: (AdobeAAMDetect) - C:\Program Files (x86)\Adobe\Adobe Creative Cloud\Utils\npAdobeAAMDetect32.dll (Adobe Systems)
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files (x86)\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101721.dll (Amazon.com, Inc.)
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll No File
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIIPT.dll (Intel Corporation)
CHR Plugin: (Intel® Identity Protection Technology) - C:\Program Files (x86)\Intel\Intel® Management Engine Components\IPT\npIntelWebAPIUpdater.dll (Intel Corporation)
CHR Plugin: (Java Deployment Toolkit 7.0.670.1) - C:\Program Files (x86)\Java\jre7\bin\dtplugin\npDeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 7 U67) - C:\Program Files (x86)\Java\jre7\bin\plugin2\npjp2.dll No File
CHR Plugin: (Silverlight Plug-In) - C:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
CHR Plugin: ( Wacom Dynamic Link Library) - C:\Program Files (x86)\TabletPlugins\npwacom.dll (Wacom, Inc.)
CHR Plugin: (iTunes Application Detector) - C:\Program Files (x86)\iTunes\Mozilla Plugins\npitunes.dll ()
CHR Plugin: (Microsoft Office 2013) - C:\Program Files\Microsoft Office 15\root\Office15\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2013) - C:\Program Files\Microsoft Office 15\root\VFS\ProgramFilesX86\Mozilla Firefox\plugins\npmeetingjoinpluginoc.dll (Microsoft Corporation)
CHR Plugin: (Google Update) - C:\Users\Jim\AppData\Local\Google\Update\1.3.24.15\npGoogleUpdate3.dll No File
CHR Profile: C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Adblock Plus) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2013-09-25]
CHR Extension: (Adobe Acrobat - Create PDF) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2014-03-28]
CHR Extension: (Blur) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\epanfjkfahimkgomnigadpkobaefekcd [2014-11-18]
CHR Extension: (Dashlane) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\fdjamakpfbbddfjaooikfcpapjohcfmg [2014-02-04]
CHR Extension: (LastPass: Free Password Manager) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\hdokiejnpimakedhajhdlcegeplioahd [2013-06-21]
CHR Extension: (Chrome Hotword Shared Module) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\lccekmodgklaepjeofjdjpbminllajkg [2015-03-11]
CHR Extension: (Google Wallet) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (Dashlane Search) - C:\Users\Jim\AppData\Local\Google\Chrome\User Data\Default\Extensions\nnimjdijgakingbgempmgkdgfhmmogah [2014-07-29]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2012-09-23]
StartMenuInternet: Google Chrome.3QA2LMI57PR7SKSX3U3K6BDIZY - C:\Users\Jim\AppData\Local\Google\Chrome\Application\chrome.exe
2015-04-18 00:23 - 2015-04-18 00:23 - 00000000 ____D () C:\ProgramData\6467019769728057092
2015-04-18 00:20 - 2015-04-18 01:13 - 00000000 ____D () C:\ProgramData\{19079dab-850b-e1b9-1907-79dab85076ae}
2015-03-26 10:02 - 2015-03-26 10:02 - 00000000 __SHD () C:\Users\Jim\AppData\Local\EmieBrowserModeList
2015-04-19 10:55 - 2013-07-18 14:09 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-04-19 10:54 - 2014-12-25 13:30 - 00001272 ____H () C:\Windows\Tasks\{3A1B2112-3617-4D99-BF54-7AB8F9D18F97}.job
2015-04-19 10:50 - 2012-12-01 19:06 - 00000900 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1853225634-1185179328-766844407-1000UA.job
2015-04-18 17:41 - 2012-12-01 19:06 - 00000848 _____ () C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1853225634-1185179328-766844407-1000Core.job
C:\Windows\Tasks\{3A1B2112-3617-4D99-BF54-7AB8F9D18F97}.job
C:\Users\Jim\AppData\Local\Google
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

[tsmonk]

Ran the fix.  The Chrome icon was removed from quick launch so I tried IE but it will not run.  Found Chrome in the start menu though. Here is the log. 

Attached Files

•  Fixlog.txt   15.88KB   183 downloads

[Essexboy]

What error do you get when you try to run IE

How is the computer at the moment

[tsmonk]

Computer seems fine. Need to import bookmarks and extensions. Chrome does not show up in Revo or Windows Programs and Features. Attached is the standard Window message about IE crashing. Don't use it much so no big loss. 

Attached Thumbnails

• 

[Essexboy]

Could you try the MS fixit here https://support.micr...ance_and_safetyif that doesn't work I have another tool to try

[tsmonk]

Did not work. Meanwhile, Chrome icon is that funky generic type. Also, I cannot install Dashlane password extension.

Attached Thumbnails

• 

[tsmonk]

So here's where I'm at currently. Dashlane extension installed and working. In desperation, I re-installed Chrome and got the standard icons back (not sure how, but I am not arguing with success). It looks like a new version of Chrome.  IE seems to be working as well. Again, not sure how. (Fools rush in approach). I un- checked  IE in "Turn Windows feature on or off" and then re-checked. This caused it to disappear from both the Start menu and All Programs list.  I navigated to iexplore.exe in Program files (x86) and pined it to the start menu. I don't know how to get it to appear in All Programs. It seems to be running fine for now. I was worried about Windows Update  so I ran a check for updates from All Programs and it seems to be working as well. Fingers crossed.

 

Addendum:  Added IE to Start menu via right click on All Programs, drag and drop and rename iexplore.exe in Start Menu>Programs. 

Edited by tsmonk, 19 April 2015 - 08:12 PM.

[Essexboy]

Are you happy for me to tidy up now ?

[tsmonk]

Let's do it. I noticed one thing this morning. I run Ccleaner just about every morning to clear the internet cache, etc. This morning Ccleaner prompted me to close Chrome even though I already had. So it appears to be running some processes in the background. I can have Ccleaner  close it but why is it still running?

Edited by tsmonk, 20 April 2015 - 10:28 AM.

[Essexboy]

That is probably the updater however, it does not sound quite right. I wonder if it has reset to developer mode.

Could you run a quick FRST scan to check