Author Topic: Trojan virus won't go away. Chrome Talk.Gadget.Google - JS:ScriptPE-inf [Trj]


REDACTED

  • Guest
I think I have done everything I possibly can to get rid of this virus I downloaded (malwarebytes and spybot run in safe mode, command prompt techniques I found on YouTube, etc.) and I can't seem to get avast to stop popping up this alert while using Chrome. I've even uninstalled Chrome and re-installed it.

I'm using the most up-to-date free version of Avast.

I'm out of ideas. Any help would be greatly appreciated.

Here's what the alert says.

« Last Edit: December 18, 2014, 06:18:21 PM by awallen44 »

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • Posts: 6700
  • Trust only what you test yourself!
Get rid of SpyBot; it's useless. And running any anti-whatever isn't very effective in safe mode.

Follow the instructions here https://forum.avast.com/index.php?topic=53253.0
Post your logs here in this thread. I will contact a malware removal expert.
Please have patience it could be a while.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

REDACTED

  • Guest
Thanks Para-Noid.

I'll do so and be patient.

Thank you for your help.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Do you have Chrome sync enabled?

REDACTED

  • Guest
Here are the logs.

I keep getting an "Avast! Anti rootkit has stopped working" message when running the aswMBR program though so I don't have that log.

If you definitely need that log, and have any insight to why I keep getting that error let me know.

But hopefully these three logs are enough to figure it out.

Thanks again.

REDACTED

  • Guest
essexboy

I am signed into Chrome, and I believe it does sync bookmarks, apps, extensions, settings etc.

Is that what you're referring to?

Thanks.

Offline essexboy

Yes, that is it. Do not sync the following or it will just come back again:

apps
extensions
settings


CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
SearchScopes: HKLM-x32 -> DefaultScope {AF596DD4-7D01-4CAB-9CA1-C8E8BAFEDA9F} URL =
SearchScopes: HKU\S-1-5-21-1475645083-3395704770-2603585893-1005 -> {AF596DD4-7D01-4CAB-9CA1-C8E8BAFEDA9F} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=UN15352417461241118&UM=2
Toolbar: HKU\S-1-5-21-1475645083-3395704770-2603585893-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR HKU\S-1-5-21-1475645083-3395704770-2603585893-1005\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [bpegkgagfojjbcpkihigfmkojdmmimdf] - No Path
CHR HKLM-x32\...\Chrome\Extension: [ehgldbbpchgpcfagfpfjgoomddhccfgh] - No Path
2014-12-17 08:13 - 2014-12-17 11:47 - 00000000 ____D () C:\Program Files (x86)\YaoutuubeAdiBloCke
2014-12-17 08:13 - 2014-12-17 08:13 - 00000000 ____D () C:\ProgramData\16169725370983171524
2014-12-17 08:11 - 2014-12-17 08:11 - 00000000 ____D () C:\ProgramData\jdimoipikediobfgaolddeekhjndlfib
C:\Windows\Tasks\At1.job
C:\Program Files (x86)\Uniblue
Task: {08AFC3FA-D7D5-4A54-AE3A-7E843C60CFB7} - System32\Tasks\{E9149E04-16E5-4AEF-B144-9E09C91101E1} => pcalua.exe -a D:\Downloads\Uniblue\RegistryBooster.exe -d D:\Downloads\Uniblue
Task: {19080476-EEFE-4C36-9CB5-A6D0E723FC53} - System32\Tasks\Uniblue SpeedUpMyPC Nag => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe <==== ATTENTION
Task: {5B4A45E5-FCCA-45F7-BF07-9768E63D141C} - System32\Tasks\At1 => C:\Users\Goob\AppData\Local\Temp\mettask.exe <==== ATTENTION
Task: {8E27E238-6B04-4C27-8604-CB692D7CA503} - System32\Tasks\spmonitor => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe [2013-05-21] (Uniblue Systems Ltd) <==== ATTENTION
Task: {AC02BAF1-A367-4096-ABD8-F9FAA26E9ECE} - System32\Tasks\FreeHDSport TV-codedownloader => C:\Program Files (x86)\FreeHDSport TV\FreeHDSport TV-codedownloader.exe <==== ATTENTION
Task: {E697F3DC-6507-477C-AFF2-FD2CFD4D5630} - System32\Tasks\Uniblue SpyEraser => C:\Program Files (x86)\Uniblue\SpyEraser\SpyEraser.exe
Task: {F86109D0-48A3-4C3D-AE85-5347555911E6} - System32\Tasks\Uniblue SpeedUpMyPC => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe <==== ATTENTION
Task: C:\Windows\Tasks\At1.job => C:\Users\Goob\AppData\Local\Temp\mettask.exe
Task: C:\Windows\Tasks\spmonitor.job => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe <==== ATTENTION
Task: C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe <==== ATTENTION
Task: C:\Windows\Tasks\Uniblue SpeedUpMyPC.job => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe <==== ATTENTION
Task: C:\Windows\Tasks\Uniblue SpyEraser.job => C:\Program Files (x86)\Uniblue\SpyEraser\SpyEraser.exe
C:\Users\Goob\AppData\Local\Temp\_MEI39802
C:\Users\Goob\AppData\Local\Temp\mettask.exe
AlternateDataStreams: C:\Users\Goob\Cookies:uN5lc6pJlo6VDjmGeOhf
AlternateDataStreams: C:\Users\Goob\AppData\Local\Temp:7Voom1FkrIBh22B9
CreateRestorePoint:
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Scan.
  • After the scan is complete click on "Clean".
  • Confirm each time with Ok.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
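
As an added example (it is not part of this thread and not FRST's own code): a small Python triage script that reads lines in the format FRST prints, such as the ones in the fixlist above, and flags the patterns the fix targets: scheduled tasks that launch from the user's Temp folder or are started through pcalua.exe, search scopes pointing at a host outside a trusted allowlist, Chrome extension registry entries with no path on disk, a Chrome policy key in HKLM, orphaned toolbar/BHO COM registrations, and alternate data streams. The sample input is constructed from lines of the posted fixlist; the trusted search host allowlist is an assumption for the example and would be site policy in practice.

```python
"""Triage FRST-style scan output for common adware and persistence indicators.

Added example for this thread, not FRST's own code. It parses lines in the
layout FRST prints (the fixlist above reuses that layout) and reports the
indicators the fix removed.
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumption: which search providers count as trusted is local policy;
# this short allowlist is a placeholder for the example.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
EXT_ID_RE = re.compile(r"Extension: \[([a-p]{32})\]")  # Chrome extension ids are 32 chars a-p
# FRST appends "[YYYY-MM-DD] (Publisher)" and/or "<==== ATTENTION" after a task target.
TASK_TRAILER_RE = re.compile(r"(\s+\[\d{4}-\d{2}-\d{2}\].*|\s+<==== ATTENTION)$")

Finding = Tuple[str, str]  # (category, detail)

# Constructed sample: lines taken from the fixlist posted in this thread.
SAMPLE_LINES = r"""
SearchScopes: HKLM-x32 -> DefaultScope {AF596DD4-7D01-4CAB-9CA1-C8E8BAFEDA9F} URL =
SearchScopes: HKU\S-1-5-21-1475645083-3395704770-2603585893-1005 -> {AF596DD4-7D01-4CAB-9CA1-C8E8BAFEDA9F} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511
Toolbar: HKU\S-1-5-21-1475645083-3395704770-2603585893-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
CHR HKLM-x32\...\Chrome\Extension: [bpegkgagfojjbcpkihigfmkojdmmimdf] - No Path
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
Task: {08AFC3FA-D7D5-4A54-AE3A-7E843C60CFB7} - System32\Tasks\{E9149E04-16E5-4AEF-B144-9E09C91101E1} => pcalua.exe -a D:\Downloads\Uniblue\RegistryBooster.exe -d D:\Downloads\Uniblue
Task: {5B4A45E5-FCCA-45F7-BF07-9768E63D141C} - System32\Tasks\At1 => C:\Users\Goob\AppData\Local\Temp\mettask.exe <==== ATTENTION
Task: {8E27E238-6B04-4C27-8604-CB692D7CA503} - System32\Tasks\spmonitor => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe [2013-05-21] (Uniblue Systems Ltd) <==== ATTENTION
Task: C:\Windows\Tasks\At1.job => C:\Users\Goob\AppData\Local\Temp\mettask.exe
AlternateDataStreams: C:\Users\Goob\Cookies:uN5lc6pJlo6VDjmGeOhf
"""


def _task_target(line: str) -> str:
    """Return the command a 'Task:' line points at, with FRST trailers removed."""
    target = line.split(" => ", 1)[1]
    return TASK_TRAILER_RE.sub("", target).strip()


def triage_line(line: str) -> List[Finding]:
    """Classify one FRST line; returns zero or more (category, detail) findings."""
    findings: List[Finding] = []
    line = line.rstrip()
    if line.startswith("Task: "):
        target = _task_target(line)
        if TEMP_DIR_RE.search(target):
            # a scheduled task whose binary lives in %TEMP% is a classic persistence spot
            findings.append(("task-launches-from-temp", target))
        if target.lower().startswith("pcalua.exe -a "):
            # pcalua.exe -a <exe> runs another binary via the Program Compatibility Assistant
            findings.append(("task-proxied-via-pcalua", target))
    elif line.startswith("SearchScopes: "):
        url = line.split("URL =", 1)[1].strip()
        if url:  # an empty URL is a cleared scope, nothing to flag
            host = (urlparse(url).hostname or "").lower()
            if host not in TRUSTED_SEARCH_HOSTS:
                findings.append(("search-scope-untrusted-host", host))
    elif line.startswith("CHR "):
        match = EXT_ID_RE.search(line)
        if match and line.endswith("No Path"):
            # registry says "install this extension" but nothing is on disk
            findings.append(("chrome-extension-no-path", match.group(1)))
        if "\\Policies\\Google" in line:
            # machine-wide Chrome policy; adware uses it to force-install extensions
            findings.append(("chrome-policy-in-registry", line.split(":", 1)[0]))
    elif line.startswith(("Toolbar: ", "BHO")) and line.endswith("No File"):
        match = GUID_RE.search(line)
        findings.append(("orphan-com-registration", match.group(0) if match else line))
    elif line.startswith("AlternateDataStreams: "):
        findings.append(("alternate-data-stream", line.split(": ", 1)[1]))
    return findings


def triage(text: str) -> List[Finding]:
    """Run triage_line over every line of a scan or fixlist."""
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category."""
    counts: Dict[str, int] = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LINES):
        print(f"{category:30} {detail}")
```

Run against the sample it reports both At1 task entries (the registered task and the legacy .job file) as launching from Temp, the pcalua.exe wrapper, the conduit.com search scope, the orphan extension and toolbar entries, the Chrome policy key and the ADS; the Uniblue spmonitor task, which runs from Program Files, is not flagged because the script only keys on location and launch method, not on vendor.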

REDACTED

  • Guest
Thanks essexboy

Here's the log from the fix.

I'll do the AdwCleaner now as well.


REDACTED

  • Guest
Here's the adwcleaner log.

Also, I noticed my volume controls on my keyboard are not working. I've run into this before though, and I believe it was that I had to re-install some drivers for my computer.

Does that sound about right? As it happened after I did the fixlist.txt step.

Thanks.

Offline essexboy

Checking the fix, nothing related to keyboard actions was removed, so that is a bit weird. Is Chrome behaving itself now?

REDACTED

  • Guest
Darn.

I thought it was doing well and fixed, until I just restarted, and now it's showing up again.

What's next  :-\

Offline essexboy

Did you delete the sync data? If not, then every time you start Chrome it will come back.

I would highly recommend that you delete all sync data and then run a fresh FRST scan.

REDACTED

  • Guest
Thanks again essexboy.

I have deleted my sync data, and have run a new FRST scan.

I have attached the FRST.txt and the Addition.txt.

Let me know if I need to do a fixlist again.

Thanks.

Offline essexboy

A minor tidy-up now; once done, could you let me know if the alerts have ceased?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:
 
Quote
CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name -> {65DEE40A-3E93-4cae-9F98-B8E06DCEE2BF} ->  No File
AlternateDataStreams: C:\Users\Goob\Cookies:uN5lc6pJlo6VDjmGeOhf
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix.
On completion a log will be generated; please post that.

REDACTED

  • Guest
Again I thought it was working well, until I tried signing into my work gmail account, where the chat has been having problems connecting since the infection.

So I noticed there are some error codes going on there, which I have taken a screenshot of.

Once the gchat stops trying to sign in, the alerts stop. Maybe that's why it says talkgadget.google for the url of the alert?

I pray that I didn't infect my work account. Do you have any insight on how to fix this?

The errors are 213, 215, 216, 202

Thank you.



p.s. I've also attached the Fixlog.txt from the new FRST fix.