Desperately need help can't solve it with MBAM Premium or Avast

[REDACTED]

Desperately need help.  Avast keeps catching threats, yet chrome is continually popping up ad pages.  Pop ups are blocked and I get the warning to call for help with Windows Security.  Supposedly there is a bad virus, but I can't find it...ran MBAM Premium....the text is below...

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/3/2015
Scan Time: 12:53:35 PM
Logfile: MBAM Scan 03-04-15.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.03.03.05
Rootkit Database: v2015.02.25.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Rebecca

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 376736
Time Elapsed: 20 min, 14 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.ShoppingGate.A, C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_inst.shoppingate.info_0.localstorage, Delete-on-Reboot, [b66b8eb36e1c90a6d084617434cfec14],
PUP.Optional.ShoppingGate.A, C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_inst.shoppingate.info_0.localstorage-journal, Delete-on-Reboot, [ef32122f3a50053177dd20b5798a51af],

Physical Sectors: 0
(No malicious items detected)


(end)

[Pondus]

Logs to assist in cleaning malware    https://forum.avast.com/index.php?topic=53253.0
Attach Farbar Recovery Scan Tool logs

[REDACTED]

Thanks so much!!

I'm currently in safe mode and have run the FRST and Addition scans.  I will attach them here.

[REDACTED]

I'm looking for a place to attach the files.....I must be blind, can't find it...looking for paperclip.

[REDACTED]

Found it!!

[Pondus]

Now you wait for essexboy, it may be a couple of hours before he is online

[REDACTED]

No problem.  I graciously thank you for your help, in advance!

[essexboy]

Chrome has been hijacked to the developer version and needs to be uninstalled, it can be re-installed on completion

Re-install Chrome
Unless you did this yourself, malware has changed your Chrome version into the Development Build. Among other things this allows malware to install any extension it wants. We need to resolve this.
1. If you have bookmarks, let's save them by exporting them - Export Bookmarks
2. Then I need you to go Google Sync and sign into your account
3. Scroll down until you see the "Stop and Clear" button and click on the button. At the prompt click on "Ok"
4. Now we need to uninstall chrome.
Note: When asked about user data or settings you must remove this also so please check the box.

NEXT

CAUTION :  This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:
 

CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
CHR Extension: (Advanced SystemCare Surfing Protection) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\bbmegnmpleoagolcnjnejdacakedpcgd [2014-07-18]
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-15]
CHR Extension: (Avast SafePrice) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2014-11-11]
CHR Extension: (Chrome Voice Control) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\fboiibgbjljogjkebjcfhggbiponmpkk [2015-02-21]
CHR Extension: (Avast Online Security) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2014-11-06]
CHR Extension: (Advanced SystemCare Surfing Protection) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\nfengeggddojhakldhlpjdlddgkkjkdd [2013-12-17]
CHR Extension: (Google Wallet) - C:\Users\Rebecca\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-11-30]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChromeSp.crx [2014-11-21]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-11-21]
2015-02-21 01:57 - 2015-03-03 12:14 - 00000000 ____D () C:\Program Files (x86)\RandomPRiceo
2015-02-21 01:57 - 2015-03-03 12:14 - 00000000 ____D () C:\Program Files (x86)\NewSavvEr
2015-02-21 01:57 - 2015-02-21 01:57 - 00000000 ____D () C:\Program Files (x86)\Happy2Seave
2015-02-21 01:56 - 2015-02-21 01:56 - 00000000 ____D () C:\Program Files (x86)\Chrome Voice Control
2015-02-21 01:56 - 2015-02-21 01:56 - 00000000 ____D () C:\Program Files (x86)\ChhEAPMe
2015-02-21 01:54 - 2015-02-21 01:54 - 00000000 ____D () C:\ProgramData\oijcaikjkppgkikfdchgaodpnamegpcf
2015-02-20 17:19 - 2015-02-20 17:19 - 00596570 _____ () C:\Users\Rebecca\Downloads\CustomMobSpawner 3.2.0-DEV-R3.zip
2015-02-20 17:15 - 2015-03-03 06:45 - 00000000 ____D () C:\Program Files (x86)\PriiceCahop
2015-02-20 17:15 - 2015-03-03 06:45 - 00000000 ____D () C:\Program Files (x86)\PriceeCChoap
2015-02-20 17:15 - 2015-02-21 01:57 - 00000000 ____D () C:\ProgramData\15548207779450942160
2015-02-20 17:14 - 2015-02-20 17:14 - 00000000 ____D () C:\ProgramData\pcpabcjhlcehfhbbmleifaendnhamlph
2015-02-20 17:13 - 2015-02-20 22:34 - 00000000 ____D () C:\ProgramData\{c7223816-7722-31d7-c722-23816772e059}
2015-02-20 17:06 - 2015-02-20 17:08 - 21553653 _____ () C:\Users\Rebecca\Downloads\DrZharks MoCreatures Mod v6.2.1.zip
2015-02-20 16:59 - 2015-02-20 16:59 - 00003188 _____ () C:\Windows\System32\Tasks\{1971BE96-5E0C-4B1A-B7C7-B09D9030AE39}
2015-02-19 16:34 - 2015-02-19 16:34 - 00003204 _____ () C:\Windows\System32\Tasks\{C119A4F0-213B-470C-A4E2-8279947409C1}
Task: {6B66A140-ADB1-447C-A450-ECD45020705E} - System32\Tasks\{B556C170-9CEC-4E65-9AC8-3C96838CF91A} => pcalua.exe -a "C:\Program Files (x86)\Uninstall Information\97\4449\uninstall.exe" -c /PUninstall="HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\PC Performer_is1" /reg=32 /cid=97
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
C:\Program Files (x86)\Uninstall Information\97\444
C:\Users\Rebecca\AppData\Local\Google\Chrome
C:\Program Files (x86)\Google\Chrome
EmptyTemp:
CMD: bitsadmin /reset /allusers

 
Save this as fixlist.txt, in the same location as FRST.exe

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
  
• Click on Scan.
  
• After the scan is complete click on "Clean"
• Confirm each time with Ok.
  
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.
  

[REDACTED]

I'm on it!!  THANKS SO MUCH!!

[REDACTED]

Here is the text from Adwcleaner

# AdwCleaner v4.111 - Logfile created 03/03/2015 at 18:05:15
# Updated 18/02/2015 by Xplode
# Database : 2015-03-02.3 [Server]
# Operating system : Windows 7 Home Premium Service Pack 1 (x64)
# Username : Rebecca - REBECCA-HP
# Running from : C:\Users\Rebecca\Desktop\AdwCleaner.exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\Users\Rebecca\Favorites\Coupons
Folder Deleted : C:\ProgramData\Yahoo! Companion
Folder Deleted : C:\Program Files (x86)\Zhongwen A Chinese English Popup Dictionary

***** [ Scheduled tasks ] *****

Task Deleted : RunAsStdUser Task

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKCU\Software\Microsoft\Internet Explorer\DOMStorage\ask.com
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{DD1CFE82-CC89-497D-9573-B8B1867DDA09}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6C611186-DCCA-4C6D-9C97-29C6D07733EF}
Key Deleted : HKCU\Software\IObit Apps
Key Deleted : HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKCU\Software\AppDataLow\Software\IObit Apps
Key Deleted : HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}
Key Deleted : HKLM\SOFTWARE\{F2E9660B-98AF-42c0-8258-9CDDF07BF95D}
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKLM\SOFTWARE\IObit Apps
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8E8C2E2D-7F21-2CF5-0ADB-64935121ECF0}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E957849A-94AC-6F46-4623-C31474E3C170}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6A08B379-76FB-B4CF-0C70-CAFCD3635A77}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F6C44C71-2CFE-8176-3A4D-CBD0DCE5AEFA}
Key Deleted : [x64] HKLM\SOFTWARE\System Optimizer Pro
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Optimizer Pro
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\cube-world.en.softonic.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\en.softonic.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\softonic.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\sweetiegames.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.ask.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\www.sweetiegames.com

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17631


*************************

AdwCleaner[R0].txt - [3606 bytes] - [03/03/2015 18:02:19]
AdwCleaner[S0].txt - [3268 bytes] - [03/03/2015 18:05:15]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [3327  bytes] ##########

[essexboy]

Do you have the FRST fixlog please, also have the alerts ceased ?

[REDACTED]

Yes I do, I'm so sorry.

And the alerts have stopped, yet I still have not reinstalled chrome.

[essexboy]

OK you can now re-install Chrome if you wish

Subject to no further problems   

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Remove tools

Download and run Delfix




: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java
See this article

I would recommend that you completely uninstall Java unless you need it to run an important software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to diasble Java in your web browser and How to unplug Java from the browser)

If you do need to keep Java then download JavaRa
Run the programme and select  Remove Java Runtime.  Uninstall all versions of Java present
Once done then run it again and select Update Java runtime > Download and install Latest version



Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

CryptoPrevent install this programme to lock down and prevent crypto ransome ware



Malwarebytes.

Update and run weekly to keep your system clean

Unchecky

Click on the link above to be taken to Unchecky.com
click the very large Download button.
click Save
Click Open folder
Right click on the Unchecky_setup and choose to Run as Administrator
Once open click the Install button.
Then click on Finish
Unchecky is now installed and will help you keep unwanted check boxes unchecked, this is a fire and forget programme 

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To learn more about how to protect yourself while on the internet read this little guide  Best security practices Keep safe  :wave:

[REDACTED]

I'll do just that.  THANKS SO MUCH!!

The only reason I can see that we might need JAVA is for my daughter to play Minecraft and she also plays ROBLOX online.

I'm hoping that it wasn't anything like this that caused the problem.

Once again, thank you!!
 

Now it's on to my laptop and it's adding ?trackid...to my searches.  Wish me luck, if not, I might see y'all back here.

[essexboy]