
Adware Infection on Chrome Only


  • This topic is locked

#1
Braind

Braind

    Member

  • Member
  • PipPipPip
  • 246 posts

Hello.

My Chrome browser has adware that creates pop-up ads on every website that I visit. I have tried these scans: Windows Defender, Malwarebytes Anti-Malware, the free Sophos anti-malware, SuperAntiSpyware, plus other anti-malware, and I can't get rid of this.

I have an HP Pavilion p7-1080t PC with Windows 10, x64 OS.

Note: I had to add the FRST scan results as attachments because I kept receiving a "403 Error message Forbidden" whenever I hit the Post New Topic button with the scan results in the body of the posting.

Attached Files


  • 0



#2
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hi! My name is zep516 and Welcome to Geekstogo!
I'll do the best I can to resolve your computer issue
Please make sure to carefully read any instruction that I give you. If you're not sure, or if something unexpected happens, don't continue. Stop and ask! Never be afraid to ask questions! :)

Why do you have fixlists in your Downloads folder?
2016-09-08 18:45 - 2016-09-08 18:45 - 00005826 _____ C:\Users\Brian\Downloads\fixlist (5).txt
2016-09-08 18:26 - 2016-09-08 18:26 - 00005826 _____ C:\Users\Brian\Downloads\fixlist (4).txt
2016-09-07 23:04 - 2016-09-07 23:04 - 00005826 _____ C:\Users\Brian\Downloads\fixlist (3).txt
2016-09-07 22:55 - 2016-09-07 22:55 - 00005826 _____ C:\Users\Brian\Downloads\fixlist (2).txt
Remove them now.


Next
Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the logfile button and the log will open in Notepad.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished and the PC has rebooted.
  • Please post the content of that log file with your next answer.
  • The report will be saved in the C:\AdwCleaner folder.

Next
Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts. See Here how to disable your security protection (antivirus).
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
Next
A few items to fix using FRST
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system
Open notepad (Start =>All Programs => Accessories => Notepad).
Copy/Paste the contents of the code box below into Notepad.

start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1563961910-250262785-1644635927-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
SearchScopes: HKLM -> OldSearch URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = 
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {F2B5E2C6-4DFD-420A-80B7-6DDC3D8989CA} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {F813F595-1DA6-4476-915D-E3C2FDF0B758} URL = hxxp://www.google.com/cse?cx=partner-pub-6697027465779297:3144322079&ie=ISO-8859-1&sa=Search&q={searchTerms}
C:\ProgramData\fontcacheev1.dat
Task: {1FCFDC38-73AA-4DD7-87D9-99A1ABEE1600} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [125]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:
  • Click Format and ensure Wordwrap is unchecked.
  • Save as Fixlist.txt to your Desktop (Must be in this location)
  • Run FRST/FRST64 and press the Fix button just once and wait.
  • If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
  • The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
  • Note: If the tool warns you about the version you're using being an outdated version please download and run the updated version.

    Please post these logs
  • The AdwCleaner [C1].txt Log
  • The JRT.txt Log
  • Fixlog.txt

    If Chrome is still acting up,
    then delete the Chrome shortcut from the desktop and create another one.

    Thanks
    Joe :)

    Will not return until late Saturday afternoon early evening.

  • 0

#3
Braind

Braind

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 246 posts

Thanks.

Here are the logs:

 

# AdwCleaner v6.010 - Logfile created 10/09/2016 at 18:25:40
# Updated on 12/08/2016 by ToolsLib
# Database : 2016-09-10.1 [Server]
# Operating System : Windows 10 Home  (X64)
# Username : Brian - BRIAN-HP
# Running from : C:\Users\Brian\Downloads\adwcleaner_6.010 (1).exe
# Mode: Clean
 
 
 
***** [ Services ] *****
 
 
 
***** [ Folders ] *****
 
 
 
***** [ Files ] *****
 
 
 
***** [ DLL ] *****
 
 
 
***** [ WMI ] *****
 
 
 
***** [ Shortcuts ] *****
 
 
 
***** [ Scheduled Tasks ] *****
 
 
 
***** [ Registry ] *****
 
 
 
***** [ Web browsers ] *****
 
[-] [r] [Search Provider] Deleted: r
[-] [blekko.com] [Search Provider] Deleted: blekko.com
[-] [aol.com] [Search Provider] Deleted: aol.com
[-] [ask.com] [Search Provider] Deleted: ask.com
[-] [websearch.ask.com] [Search Provider] Deleted: websearch.ask.com
[-] [mysearch.avg.com] [Search Provider] Deleted: mysearch.avg.com
[-] [search.ask.com] [Search Provider] Deleted: search.ask.com
 
 
*************************
 
:: "Tracing" keys deleted
:: Winsock settings cleared
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [5137 Bytes] - [29/06/2016 20:50:33]
C:\AdwCleaner\AdwCleaner[C2].txt - [2416 Bytes] - [07/09/2016 22:39:08]
C:\AdwCleaner\AdwCleaner[C3].txt - [1284 Bytes] - [10/09/2016 18:25:40]
C:\AdwCleaner\AdwCleaner[S1].txt - [7111 Bytes] - [29/06/2016 19:35:09]
C:\AdwCleaner\AdwCleaner[S2].txt - [4996 Bytes] - [29/06/2016 20:45:50]
C:\AdwCleaner\AdwCleaner[S3].txt - [2796 Bytes] - [07/09/2016 22:37:36]
C:\AdwCleaner\AdwCleaner[S4].txt - [2193 Bytes] - [10/09/2016 18:25:02]
 
########## EOF - C:\AdwCleaner\AdwCleaner[C3].txt - [1649 Bytes] ##########
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.7 (07.03.2016)
Operating System: Windows 10 Home x64 
Ran by Brian (Administrator) on Sat 09/10/2016 at 18:40:07.58
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 6 
 
Successfully deleted: C:\Users\Brian\AppData\Local\crashrpt (Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla (Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Extensions\fanogbnclpilemkifpjeglokomebpnef (Folder) 
Successfully deleted: C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ajpgkpeckebdhofmmjfgcjjiiejpodla_0.localstorage-journal (File) 
Successfully deleted: C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_ajpgkpeckebdhofmmjfgcjjiiejpodla_0.localstorage (File) 
Successfully deleted: C:\Users\Brian\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_fanogbnclpilemkifpjeglokomebpnef_0.localstorage (File) 
 
 
 
Registry: 4 
 
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{C46296C9-9FB6-4509-8294-68FA8F44E6DB} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{F813F595-1DA6-4476-915D-E3C2FDF0B758} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{C46296C9-9FB6-4509-8294-68FA8F44E6DB} (Registry Key)
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 09/10/2016 at 18:44:42.54
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
Fix result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016
Ran by Brian (10-09-2016 18:51:27) Run:3
Running from C:\Users\Brian\Downloads
Loaded Profiles: Brian (Available Profiles: Brian & DefaultAppPool)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL =
FF Plugin HKU\S-1-5-21-1563961910-250262785-1644635927-1001: @hulu.com/Hulu Desktop -> C:\Users\Default.migrated\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll [No File]
FF HKU\S-1-5-21-1563961910-250262785-1644635927-1001\...\Firefox\Extensions: [[email protected]] - C:\Users\Brian\AppData\Roaming\Dashlane\3.6.0.97092\Extensions\JetPack_expanded\[email protected] => not found
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggTdgpdUg4TERgRcg5eTA1BF1EOIVpbBxRIEVdHJgEJAl8UQwQFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlE6T1pU"
U3 idsvc; no ImagePath
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
Task: {21A8972F-F82B-439F-950B-2B0A8A4B4EB7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {D26EA5F5-70FD-4338-9E4D-493EEB5AF8AC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D96448E4-FD9F-41FE-8DAC-AA34F46B8DFD} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E43372F5-C9FD-400E-8679-530A33C405E9} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {3405A3D3-8CA2-4CA9-8BE6-43537AE3CE04} - System32\Tasks\ModemBooster_networkMonitor => C:\Program Files (x86)\inKline Global\Modem Booster\mbtray.exe
Task: {F4527842-FB71-44AD-BC7E-8B82C84A2247} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_22_0_0_192_pepper.exe
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: {EC38A472-87B2-4E3E-8034-92E250279398} - System32\Tasks\ModemBooster_notification => C:\Program Files (x86)\inKline Global\Modem Booster\ModemBooster.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForBRIAN-HP$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForBrian.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials for QuickBooks, Quicken and TurboTax.lnk -> hxxp://redirect.hp.com/svs/rdr?locale=en_us&bd=pavilion&tp=onlinesvs&s=quickenfc&pf=cndt&c=113&TYPE=4EC:\Program Files (x86)\Online Services\quickenfc\financial_center.ico (No File)
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
 
 
 
 
 
 
 
 
*****************
 
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value restored successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found. 
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => key not found. 
HKU\S-1-5-21-1563961910-250262785-1644635927-1001\Software\MozillaPlugins\@hulu.com/Hulu Desktop => key not found. 
C:\Users\Default.migrated\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll => not found.
HKU\S-1-5-21-1563961910-250262785-1644635927-1001\Software\Mozilla\Firefox\Extensions\\[email protected] => value not found.
RestoreOnStartup => not found.
idsvc => service not found.
MREMPR5 => service not found.
MRENDIS5 => service not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{21A8972F-F82B-439F-950B-2B0A8A4B4EB7} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D26EA5F5-70FD-4338-9E4D-493EEB5AF8AC} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\launchtrayprocess => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D96448E4-FD9F-41FE-8DAC-AA34F46B8DFD} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxcontent => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E43372F5-C9FD-400E-8679-530A33C405E9} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3405A3D3-8CA2-4CA9-8BE6-43537AE3CE04} => key not found. 
C:\WINDOWS\System32\Tasks\ModemBooster_networkMonitor => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ModemBooster_networkMonitor => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F4527842-FB71-44AD-BC7E-8B82C84A2247} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\gwx\refreshgwxconfig => key not found. 
C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job => moved successfully
C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EC38A472-87B2-4E3E-8034-92E250279398} => key not found. 
C:\WINDOWS\System32\Tasks\ModemBooster_notification => not found.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ModemBooster_notification => key not found. 
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => moved successfully
C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => moved successfully
C:\WINDOWS\Tasks\HPCeeScheduleForBRIAN-HP$.job => moved successfully
C:\WINDOWS\Tasks\HPCeeScheduleForBrian.job => moved successfully
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials for QuickBooks, Quicken and TurboTax.lnk => moved successfully
 
========= for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1" =========
 
Failed to clear log AirSpaceChannel. The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.
Failed to clear log Microsoft-Windows-LiveId/Analytic. Access is denied.
Failed to clear log Microsoft-Windows-LiveId/Operational. Access is denied.
 
========= End of CMD: =========
 
 
==== End of Fixlog 18:52:27 ====

  • 0
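The JRT log above removed two Chrome extension folders by ID, which is the usual footprint of "Chrome-only" ad injection: an extension with permission to read and rewrite every page. The following script is an added example (my own code, not the tool output or anything from the Geeks to Go helpers) that inventories a Chrome profile's Extensions folder and flags the manifests whose permissions or content-script match patterns cover all sites. It assumes Chrome's on-disk layout of Extensions\<id>\<version>\manifest.json with localized names resolved from _locales/<default_locale>/messages.json; the extension IDs, manifests and the list of "broad" permissions are constructed triage assumptions, not data from this thread.

```python
import json
import tempfile
from pathlib import Path

# Triage heuristic (my own assumption, not from the page): permissions or match
# patterns that let an extension see or rewrite every page, which is what
# ad-injecting extensions need.
BROAD_PERMISSIONS = {
    "<all_urls>", "http://*/*", "https://*/*", "*://*/*",
    "webRequest", "webRequestBlocking", "webNavigation", "tabs", "proxy",
}


def _resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Resolve a localized name (__MSG_key__) from _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        if msg_file.is_file():
            messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
            name = messages.get(key, {}).get("message", name)
    return name


def inventory_extensions(extensions_root) -> list:
    """Summarise every <id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    root = Path(extensions_root)
    results = []
    if not root.is_dir():
        return results
    for id_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
            perms |= {p for p in manifest.get("host_permissions", []) if isinstance(p, str)}
            # content_scripts "matches" decide which pages the extension can inject into
            perms |= {m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])}
            results.append({
                "id": id_dir.name,
                "version": ver_dir.name,
                "name": _resolve_name(ver_dir, manifest),
                "permissions": sorted(perms),
                "broad": sorted(perms & BROAD_PERMISSIONS),
            })
    return results


def _write(path: Path, obj) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(obj), encoding="utf-8")


def build_constructed_profile(base: Path) -> Path:
    """Create a constructed Extensions tree with one narrow and one broad extension."""
    ext_root = base / "User Data" / "Default" / "Extensions"
    # Constructed IDs (Chrome IDs are 32 letters a-p); these are not real extensions.
    benign = ext_root / "abcdefghijklmnopabcdefghijklmnop" / "1.0.2_0"
    _write(benign / "manifest.json",
           {"manifest_version": 3, "name": "Sticky Notes (constructed)",
            "version": "1.0.2", "permissions": ["storage"]})
    broad = ext_root / "ponmlkjihgfedcbaponmlkjihgfedcba" / "4.7_0"
    _write(broad / "manifest.json",
           {"manifest_version": 2, "name": "__MSG_appName__", "default_locale": "en",
            "version": "4.7",
            "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
            "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["inject.js"]}]})
    _write(broad / "_locales" / "en" / "messages.json",
           {"appName": {"message": "Shopping Helper (constructed)"}})
    return ext_root


def run_demo() -> list:
    """Build the constructed profile in a temp dir and return the inventory for it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_extensions(build_constructed_profile(Path(tmp)))


if __name__ == "__main__":
    for ext in run_demo():
        flag = "REVIEW" if ext["broad"] else "ok"
        print(f"{flag:6} {ext['id']} {ext['version']:8} {ext['name']!r} broad={ext['broad']}")
```

On a real machine you would point inventory_extensions at C:\Users\<name>\AppData\Local\Google\Chrome\User Data\Default\Extensions (the same path the JRT log shows) and review anything marked REVIEW, comparing its name against what the user remembers installing; a "helper" or "shopping" extension with <all_urls> plus webRequest is the profile to look at first.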

#4
Braind

Braind

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 246 posts

Unfortunately, the adware is still present, even after I unpinned Chrome from the task bar.


  • 0

#5
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Hello,

Looks like some confusion here.

You never ran my Fixlist. It looks like you ran another Fixlist meant for another user.
  • 0

#6
Braind

Braind

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 246 posts

This is the only fixlist that I saw:

 

start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1563961910-250262785-1644635927-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
SearchScopes: HKLM -> OldSearch URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL =
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {F2B5E2C6-4DFD-420A-80B7-6DDC3D8989CA} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {F813F595-1DA6-4476-915D-E3C2FDF0B758} URL = hxxp://www.google.com/cse?cx=partner-pub-6697027465779297:3144322079&ie=ISO-8859-1&sa=Search&q={searchTerms}
C:\ProgramData\fontcacheev1.dat
Task: {1FCFDC38-73AA-4DD7-87D9-99A1ABEE1600} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [125]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:


  • 0

#7
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Then what is this?

SearchScopes: HKLM -> DefaultScope value is missing
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL =
FF Plugin HKU\S-1-5-21-1563961910-250262785-1644635927-1001: @hulu.com/Hulu Desktop -> C:\Users\Default.migrated\AppData\Local\HuluDesktop\instances\0.9.13.1\nphdplg.dll [No File]
FF HKU\S-1-5-21-1563961910-250262785-1644635927-1001\...\Firefox\Extensions: [[email protected]] - C:\Users\Brian\AppData\Roaming\Dashlane\3.6.0.97092\Extensions\JetPack_expanded\[email protected] => not found
CHR RestoreOnStartup: Default -> "hxxp://searchinterneat-a.akamaihd.net/h?eq=U0EeCFZVBB8SRggTdgpdUg4TERgRcg5eTA1BF1EOIVpbBxRIEVdHJgEJAl8UQwQFIk0FA1oDB0VXfV5bFElXTwhwJVhKAlE6T1pU"
U3 idsvc; no ImagePath
S3 MREMPR5; \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS [X]
S3 MRENDIS5; \??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS [X]
Task: {21A8972F-F82B-439F-950B-2B0A8A4B4EB7} - \Microsoft\Windows\Setup\gwx\refreshgwxconfigandcontent -> No File <==== ATTENTION
Task: {D26EA5F5-70FD-4338-9E4D-493EEB5AF8AC} - \Microsoft\Windows\Setup\gwx\launchtrayprocess -> No File <==== ATTENTION
Task: {D96448E4-FD9F-41FE-8DAC-AA34F46B8DFD} - \Microsoft\Windows\Setup\gwx\refreshgwxcontent -> No File <==== ATTENTION
Task: {E43372F5-C9FD-400E-8679-530A33C405E9} - \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B -> No File <==== ATTENTION
Task: {3405A3D3-8CA2-4CA9-8BE6-43537AE3CE04} - System32\Tasks\ModemBooster_networkMonitor => C:\Program Files (x86)\inKline Global\Modem Booster\mbtray.exe
Task: {F4527842-FB71-44AD-BC7E-8B82C84A2247} - \Microsoft\Windows\Setup\gwx\refreshgwxconfig -> No File <==== ATTENTION
Task: C:\WINDOWS\Tasks\Adobe Flash Player PPAPI Notifier.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashUtil32_22_0_0_192_pepper.exe
Task: C:\WINDOWS\Tasks\Adobe Flash Player Updater.job => C:\WINDOWS\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
Task: {EC38A472-87B2-4E3E-8034-92E250279398} - System32\Tasks\ModemBooster_notification => C:\Program Files (x86)\inKline Global\Modem Booster\ModemBooster.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForBRIAN-HP$.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Task: C:\WINDOWS\Tasks\HPCeeScheduleForBrian.job => C:\Program Files (x86)\Hewlett-Packard\HP Ceement\HPCEE.exe
Shortcut: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Free Trials for QuickBooks, Quicken and TurboTax.lnk -> hxxp://redirect.hp.com/svs/rdr?locale=en_us&bd=pavilion&tp=onlinesvs&s=quickenfc&pf=cndt&c=113&TYPE=4EC:\Program Files (x86)\Online Services\quickenfc\financial_center.ico (No File)
CMD: for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"


Because that is what you ran. You did not run mine.
  • 0
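The disagreement in posts #5 through #7 comes down to one question: does the "fixlist content:" block that FRST echoes into Fixlog.txt match the fixlist the helper actually posted? The script below is an added example (my own code, not part of this thread and not an FRST feature) that pulls the echoed block out of a Fixlog, normalises line endings and whitespace, and reports which intended directives never ran and which executed directives were never intended. It assumes the Fixlog layout visible in post #3 (a "fixlist content:" line followed by the block between two rows of asterisks); the sample fixlist and Fixlog are constructed, and the GUID in them is a placeholder.

```python
import hashlib
import re

# FRST writes the echoed fixlist between two rule lines made of asterisks.
RULE_RE = re.compile(r"^\*{5,}$")


def normalise(text: str) -> list:
    """Strip whitespace and blank lines so CRLF/LF or trailing spaces do not cause false mismatches."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def fingerprint(text: str) -> str:
    """SHA-256 over the normalised lines: the same fixlist gives the same hash however it was saved."""
    return hashlib.sha256("\n".join(normalise(text)).encode("utf-8")).hexdigest()


def extract_executed_fixlist(fixlog_text: str) -> list:
    """Return the fixlist lines a Fixlog.txt echoes after 'fixlist content:' between the two rule lines."""
    lines = fixlog_text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip().lower() == "fixlist content:"), None)
    if start is None:
        return []
    block, inside = [], False
    for line in lines[start + 1:]:
        if RULE_RE.match(line.strip()):
            if inside:
                break          # closing rule: block complete
            inside = True      # opening rule
            continue
        if inside:
            block.append(line)
    return normalise("\n".join(block))


def compare_fixlists(intended_text: str, fixlog_text: str) -> dict:
    """Report intended lines that never ran and executed lines that were not in the intended fixlist."""
    intended = normalise(intended_text)
    executed = extract_executed_fixlist(fixlog_text)
    return {
        "matches": intended == executed,
        "not_run": [l for l in intended if l not in executed],
        "unexpected": [l for l in executed if l not in intended],
    }


# Constructed sample: a fixlist of the kind a helper posts (directives from this thread) ...
INTENDED_FIXLIST = """start
CloseProcesses:
CreateRestorePoint:
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
Emptytemp:
"""

# ... and a constructed Fixlog.txt showing that a different fixlist was executed.
SAMPLE_FIXLOG = r"""Fix result of Farbar Recovery Scan Tool (x64) Version: 31-08-2016
Ran by Brian (10-09-2016 18:51:27) Run:3
Boot Mode: Normal
==============================================

fixlist content:
*****************
CMD: ipconfig /flushdns
Task: {00000000-0000-0000-0000-000000000000} - \Example\ConstructedTask -> No File <==== ATTENTION

*****************

Task: {00000000-0000-0000-0000-000000000000} => key not found.

==== End of Fixlog 18:52:27 ====
"""


def run_demo() -> dict:
    return compare_fixlists(INTENDED_FIXLIST, SAMPLE_FIXLOG)


if __name__ == "__main__":
    report = run_demo()
    print("fixlist matches fixlog:", report["matches"])
    print("intended but not run:", report["not_run"])
    print("run but not intended:", report["unexpected"])
    print("fingerprint of intended fixlist:", fingerprint(INTENDED_FIXLIST))
```

A helper who posts fingerprint() of the fixlist alongside the script gets a quick way for the user to confirm that the Fixlist.txt on their desktop is the intended one before pressing Fix, which is exactly the check the stray "fixlist (2).txt" through "fixlist (5).txt" copies in the Downloads folder made necessary here.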

#8
Braind

Braind

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 246 posts

I don't know what this one is or where it came from.


  • 0

#9
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
I don't know either.

Is there a Fixlist on your desktop?
  • 0

#10
Braind

Braind

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 246 posts

Yes and this is it:

 

start
CloseProcesses:
CreateRestorePoint:
HKLM-x32\...\Run: [] => [X]
HKU\S-1-5-21-1563961910-250262785-1644635927-1001\Software MICROSOFT\Internet Explorer\Main,Start Page = hxxps://www.yahoo.com/?fr=yset_ie_syc_oracle&type=orcl_hpset
SearchScopes: HKLM -> OldSearch URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = hxxp://www.bing.com/search?q={searchTerms}&form=HPDTDF&pc=HPDTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = 
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = hxxp://search.yahoo.com/search?p={searchTerms}&ei={inputEncoding}&fr=chr-hp-psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {C46296C9-9FB6-4509-8294-68FA8F44E6DB} URL = hxxp://www.amazon.com/s/ref=azs_osd_iea?ie=UTF-8&tag=hp-us1-vsb-20&link%5Fcode=qs&index=aps&field-keywords={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = hxxp://en.wikipedia.org/wiki/Special:Search?search={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = hxxp://rover.ebay.com/rover/1/711-30572-11896-1/4?mpre=hxxp://shop.ebay.com/?_nkw={searchTerms}
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {F2B5E2C6-4DFD-420A-80B7-6DDC3D8989CA} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=yset_ie_syc_oracle&type=orcl_default
SearchScopes: HKU\S-1-5-21-1563961910-250262785-1644635927-1001 -> {F813F595-1DA6-4476-915D-E3C2FDF0B758} URL = hxxp://www.google.com/cse?cx=partner-pub-6697027465779297:3144322079&ie=ISO-8859-1&sa=Search&q={searchTerms}
C:\ProgramData\fontcacheev1.dat
Task: {1FCFDC38-73AA-4DD7-87D9-99A1ABEE1600} - \OfficeSoftwareProtectionPlatform\SvcRestartTask -> No File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:5C321E34 [125]
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService => ""="service"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\SAVService => ""="service"
CMD: bitsadmin /reset /allusers
CMD: netsh winsock reset catalog
CMD: ipconfig /flushdns
RemoveProxy:
hosts:
Emptytemp:

  • 0



#11
zep516

zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
OK Good,

Is FRST64.EXE on the desktop ?
Make sure it is, if it isn't then check here for FRST64.EXE-->C:\Users\Brian\Downloads\

If FRST64.EXE is in the downloads folder, move it to the desktop.
To do that
Navigate to the downloads folder,(C:\Users\Brian\Downloads\) right click on FRST64.EXE choose cut.
Go back to the desktop.
Right click on empty area, choose paste, FRST will have been moved to the desktop.

Make sure there are no old FIXLOG.txt files on the desktop; if there are, right-click and delete them. Keep only one FIXLIST on the desktop, the one that you said you had. If there are any others, delete them.

Now that FRST64.EXE and FIXLIST are on the desktop.
Right click on FRST, "Run as Administrator".
When FRST opens, click Fix.
On the desktop find FIXLOG.TXT
Post Fixlog.txt in your next reply.

This fix may or may not fix Chrome. If it does not fix Chrome then try resetting Chrome.
To do that
1. In the top-right corner of the browser window, click the Chrome menu.
2. Select Settings.
3. At the bottom, click Show advanced settings.
4. Under the section "Reset settings", click Reset settings.
5. In the dialog that appears, click Reset.

I'll return Late Sunday afternoon.
  • 0

#12
Braind

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 246 posts

Well, now I have a new virus!

FRST64.EXE was in my downloads folder but has now been deleted (and NOT by me). Windows Defender says it found some malware and is removing it. Yet, I can't download FRST64.EXE because it says there is a virus and my PC won't download FRST64.EXE now.

So I am running Malwarebytes Anti-malware now and it could take another 1.5 hours to complete this scan. Do you have any other suggestions?


  • 0

#13
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Let Malwarebytes run; it should not take 1.5 hours. Post the Malwarebytes log.

To do that
Open MBAM after it's finished scanning.
  • Click on the History tab > Application Logs.
  • Double click on the Scan Log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Post that saved log in your next reply.

  • 0

#14
Braind

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 246 posts

Here are the MBAM scan results:

 

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 9/11/2016
Scan Time: 7:40 PM
Logfile: MBAM Scan Results.txt
Administrator: Yes
 
Version: 2.2.1.1043
Malware Database: v2016.09.11.09
Rootkit Database: v2016.08.15.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 10
CPU: x64
File System: NTFS
User: Brian
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 372007
Time Elapsed: 1 hr, 18 min, 46 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 1
PUP.Optional.DriverAgentPlus, HKU\S-1-5-21-1563961910-250262785-1644635927-1001\SOFTWARE\ESUPPORT.COM\DriverAgent, Quarantined, [18cd81ef8c0e77bf1a3523dc51b2b14f], 
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)

  • 0

#15
zep516

    Trusted Helper

  • Malware Removal
  • 6,811 posts
Can we download FRST64.EXE to the desktop?
  • 0