Avast WEBforum
Other => Viruses and worms => Topic started by: REDACTED on December 14, 2017, 05:34:02 PM
-
Hello,
I posted a couple days ago about click-now-on.me. Avast didn't find/remove it. It seems to be connected to my Chrome browser. When Chrome is running, even when I view different programs, I get popups about every 15-30- minutes. Also, the whole system is noticeably slower. Got a few suggestions from the last post--namely running Malwarebytes adware remover and then regular Malwarebytes. Neither program fixed the issue. I also ran the Farbar Recovery Scan Tool, but it didn't find problems. I'll attach logs below. (Can't seem to find the one from regular Malwarebytes; not sure if it generated a log?)
-
I also ran the Farbar Recovery Scan Tool, but it didn't find problems.
FRST is a diagnostic tool and does not detect anything, it depends if you can read the log?
Malware/log expert is notified
-
I also ran the Farbar Recovery Scan Tool, but it didn't find problems.
FRST is a diagnostic tool and does not detect anything, it depends if you can read the log?
Malware/log expert is notified
Not the Malware Expert;
GroupPolicy: Restriction <==== ATTENTION
GroupPolicyUsers\S-1-5-21-959321219-2679882598-892267368-1000\User: Restriction <==== ATTENTION
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION <-- Microsoft's "Malware Removal Tool"
-
- Open Notepad (click Start button -> type notepad.exe -> press Enter)
- Copy text from code block below and paste it into Notepad
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
CHR HomePage: Profile 1 -> hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&uref=308&ir=
CHR StartupUrls: Profile 1 -> "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&ir="
- Go to File -> Save As
- Make sure that UTF-8 is selected as Encoding (left side of Save button)
- Save it as fixlist.txt on Desktop
- Open again FRST and click on button Fix
- Wait until FRST finishes
- fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.
After that, opet Chrome Extension Manager and remove:
Honey
InvisibleHand
-
Can't figure out how to add another file to my post. Here is the Fixlog text:
Fix result of Farbar Recovery Scan Tool (x64) Version: 13-12-2017
Ran by David (14-12-2017 15:04:22) Run:1
Running from C:\Users\David\Desktop
Loaded Profiles: David & Jazmyne & Ruby & Jasper & visitor (Available Profiles: David & Jazmyne & Ruby & Jasper & visitor & DefaultAppPool)
Boot Mode: Normal
==============================================
fixlist content:
*****************
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
CHR HomePage: Profile 1 -> hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&uref=308&ir=
CHR StartupUrls: Profile 1 -> "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&ir="
*****************
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
"Chrome HomePage" => removed successfully
"Chrome StartupUrls" => removed successfully
==== End of Fixlog 15:04:23 ====
-
Use the 'Attachments and other options' (below the reply window) in a new post, as you did before. You don't have to attach it to your first post if that is what you are asking/thinking. That is possibly not wise as it could be missed or confuse.
-
As I already inserted all the text from the file that was generated, do you still need me to attach said file?
-
As I already inserted all the text from the file that was generated, do you still need me to attach said file?
No ... it was just a answer to your "Can't figure out how to add another file to my post."
-
OK, thanks. Just would really like to get rid of this bug, and if it is indeed causing my system to lag, even more so!
-
Have you removed following Chrome extensions?
Honey
InvisibleHand
-
Yes. I installed them 3 months ago, and never (seemed to) have problems with them. But am happy to do whatever you and others say I need to do to get rid of this horrible popup malady.
df
-
Can you make screenshot of that popup? Do you have any other PC/laptop experiencing the same issue?
Disable (not delete) Chrome extensions one by one and test if that popup will appear until you found which extension is responsible. All extensions you have are still on Chrome Web Store and for none in description ads are mentioned.
-
I will make a screenshot of the popup next time it appears. That might be tomorrow, as I'm ready to retire my computer work for tonight. I don't notice any other apps on chrome that weren't there before this happened.
Thank you very much for your help!!!
df
-
So as it happens, this popped up just as I pressed send.
-
In a meantime, visit this URL in Chrome:
chrome://serviceworker-internals/
It will show you service workers in your browser and use option Unregister for all of them.
-
Just ran the service worker. The first on the list that appeared was click-now-on.me. I unregistered for that and about 4 others that I don't think I need. (I left things like Google Drive and YouTube, or should I remove those, too?)
I'll reply here again if I get more popups. Am I right that the click-now-on.me is slowing down my computer? I'll watch that, too, to see if it improves.
Thanks for your help!
df
-
It shouldn't slow down your computer. Waiting for your feedback.
-
I've had no more popups for the past several hours! I think you fixed it for me! Thanks!
I'll have to figure out what else is making my system so slow.
best,
David
-
• The following will implement some post-cleanup procedures:
=> Please download DelFix (https://toolslib.net/downloads/finish/2-delfix/) by Xplode to your Desktop.
Run the tool and check the following boxes below;
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Remove disinfection tools
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Create registry backup
(http://www.mcshield.net/personal/magna86/Images/checkmark.png) Purge System Restore
Click Run button and wait a few seconds for the programme completes his work.
At this point all the tools we used here should be gone. Tool will create an report for you (C:\DelFix.txt)
The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
-
I did as you directed, and here is the text that was generated at the end:
# DelFix v1.013 - Logfile created 16/12/2017 at 17:18:48
# Updated 17/04/2016 by Xplode
# Username : David - FUENTESHOME-PC
# Operating System : Windows 10 Home (64 bits)
~ Removing disinfection tools ...
Deleted : C:\FRST
Deleted : C:\AdwCleaner
Deleted : C:\log.txt
Deleted : C:\Users\David\Desktop\Addition.txt
Deleted : C:\Users\David\Desktop\adwcleaner_7.0.5.0.exe
Deleted : C:\Users\David\Desktop\Fixlog.txt
Deleted : C:\Users\David\Desktop\FRST.txt
Deleted : C:\Users\David\Desktop\FRST64.exe
~ Creating registry backup ... OK
~ Cleaning system restore ...
Deleted : RP #49 [Windows Update | 12/14/2017 14:34:16]
New restore point created !
########## - EOF - ##########
There were also about six error messages about not being able to save files:
Error saving file C:\WINDOWS\ERUNT\DelFix\SAM!
Continue with the next file?
[ RegSaveKeyEx: 183 - Cannot create a file when that tile already exists ]
Thanks for this additional help. My computer is definitely working much slower than usual. My wife thinks it's because it's old, but it came on suddenly. (Do computers get Alzheimer's? And does it come on suddenly?)
df