Author Topic: malware, please help (Read 7044 times)

chockoladien · « **on:** July 09, 2013, 10:03:39 PM »

Hi, i need help please

today i updated Java 7 and DivX too, but right after google chrome restarted and when it did a malware pop up appeared and its moved to quarentine, and everytime i open chrome it does the same, i tried the avast scan, ccleaner scan too, tried to find the file but couldnt do it. i uninstalled divx and a couple of things installed today, one named conduit and other i hink it was crx extension, i dont remenber the name.
i atached an image of the warning pop up window .

essexboy · « **Reply #1 on:** July 09, 2013, 11:30:01 PM »

Hi try this first

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that

chockoladien · « **Reply #2 on:** July 09, 2013, 11:47:11 PM »

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011501160}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Savings Sidekick
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055505560}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066506660}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A36BCB13-778D-4A40-99C1-D686086D268F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16618

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Users\Claudia Duarte\AppData\Roaming\Mozilla\Firefox\Profiles\5g50u4p9.default\prefs.js

C:\Users\Claudia Duarte\AppData\Roaming\Mozilla\Firefox\Profiles\5g50u4p9.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

-\\ Google Chrome v27.0.1453.116

File : C:\Users\Claudia Duarte\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [6526 octets] - [09/07/2013 22:39:43]

########## EOF - C:\AdwCleaner[S1].txt - [6586 octets] ##########

chockoladien · « **Reply #3 on:** July 09, 2013, 11:48:58 PM »

Quote from: essexboy on July 09, 2013, 11:30:01 PM

Hi try this first

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that

i didnt know if i should quote or not....
the info in the notepad right?

Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011501160}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Savings Sidekick
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550055505560}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066506660}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A36BCB13-778D-4A40-99C1-D686086D268F}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2FA28606-DE77-4029-AF96-B231E3B8F827}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{D43B3890-80C7-4010-A95D-1E77B5924DC3}

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16618

[OK] Registry is clean.

-\\ Mozilla Firefox v [Unable to get version]

File : C:\Users\Claudia Duarte\AppData\Roaming\Mozilla\Firefox\Profiles\5g50u4p9.default\prefs.js

C:\Users\Claudia Duarte\AppData\Roaming\Mozilla\Firefox\Profiles\5g50u4p9.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");

-\\ Google Chrome v27.0.1453.116

File : C:\Users\Claudia Duarte\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [6526 octets] - [09/07/2013 22:39:43]

########## EOF - C:\AdwCleaner[S1].txt - [6586 octets] ##########

essexboy · « **Reply #4 on:** July 10, 2013, 03:48:17 PM »

Are you still getting alerts ?

chockoladien · « **Reply #5 on:** July 10, 2013, 05:46:41 PM »

yes, the same warning, i guess its trying to run something everytime i open chrome

essexboy · « **Reply #6 on:** July 10, 2013, 06:40:28 PM »

OK next phase

Download OTL to your Desktop
Secondary link

Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

Select All Users
Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Post both logs

chockoladien · « **Reply #7 on:** July 10, 2013, 07:23:08 PM »

the files are attached

essexboy · « **Reply #8 on:** July 10, 2013, 08:03:59 PM »

OK bane of my life is Chrome

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following

Code: [Select]

:Commands
[CREATERESTOREPOINT]

:OTL
[2013-07-09 19:18:21 | 000,081,768 | ---- | C] (Conduit) -- C:\ministub.exe

:Commands
[resethosts]
[emptytemp]
[Reboot]

Then click the Run Fix button at the top
Let the program run unhindered, reboot the PC when it is done
Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Restart Chrome in Incognito mode and let me know if the alerts cease https://support.google.com/chrome/answer/95464?hl=en-GB

chockoladien · « **Reply #9 on:** July 10, 2013, 09:58:31 PM »

the warning continues to appear even after this.

essexboy · « **Reply #10 on:** July 10, 2013, 11:16:51 PM »

Even when you run Chrome in Incognito mode

chockoladien · « **Reply #11 on:** July 10, 2013, 11:34:52 PM »

essexboy · « **Reply #12 on:** July 11, 2013, 03:24:34 PM »

OK one element of your Chrome installation has been subborned - It is in Chrome only ?

Do a full uninstall of Chrome using these instructions https://support.google.com/chrome/answer/111899?hl=en-GB

chockoladien · « **Reply #13 on:** July 11, 2013, 06:45:46 PM »

hey
i cant do the 3 step which is saving the link as , i cant save it, it says its a server problem

what about i unnistal with the unninstalling program, i didnt try it yet, wouldnt work the same way?

essexboy · « **Reply #14 on:** July 11, 2013, 08:29:30 PM »

Yes uninstall via control panel and then delete all google chrome related folders in progrm files and appdata

Author Topic: malware, please help (Read 7044 times)

chockoladien

malware, please help

essexboy

Re: malware, please help

chockoladien

Re: malware, please help

chockoladien

Re: malware, please help

essexboy

Re: malware, please help

chockoladien

Re: malware, please help

essexboy

Re: malware, please help

chockoladien

Re: malware, please help

essexboy

Re: malware, please help

chockoladien

Re: malware, please help

essexboy

Re: malware, please help

chockoladien

Re: malware, please help

essexboy

Re: malware, please help

chockoladien

Re: malware, please help

essexboy

Re: malware, please help