Bestdriverstar, simplesitescan, anythicago virus won't go away.

[REDACTED]

Everytime I connect to the internet these things pop up through Avast and say they come from wnavga.exe.

I also have an extension on my Google Chrome called Dealz and I cannot remove that through any of the conventional methods.

I ran Zoek and attached is my notes.

[Eddy]

Please follow the instructions in the sticky at the top of this forum.

[REDACTED]

Nothing I've tried has worked.

In that thread it states to make a new topic in this forum for further assistance.

I will gladly run any scans needed form more info.

[Eddy]

It also says other things. Follow the instructions.

[magna86]

Hello sturmgeist13,

Zoek is not a tool that is supposed to be used without expert oversight. Plus, tool has been run in his autoclean mode.
This is bad because we do not know its previous state, state before cleaning.

Posted log shows hardly previus infected Google Chrome with some mal-extensions remains.

Resseting Google Chrome back to there defaults settings would be a very good thing. Here is how to:
https://support.google.com/chrome/answer/3296214?hl=en

When this is done, download and run Malwarebytes Anti Malware to target and remove known malware. Then, via FRST logs I can target unknown and undetectable malware via scripts.

Follow Eddy's advice for instructions and posting logs.

[REDACTED]

Attached are all my scan logs.

I've tried uninstalling Chrome and it always comes back.

[REDACTED]

I had the same problem. Use : restauration system.

[Eddy]

No, follow the instructions from a malware removal expert.

[magna86]

Hello sturmgeist13

Re-run Zoek tool as you did before ...


• Close any open browsers and temporarily disable your AntiVirus program. (if it is necessary)
  If you are unsure how to do this please read this or this Instruction.
  
  
• Double click on zoek.exe to run the tool. Please wait while the tool does not start...
  
• Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Uninstall-List;
EmptyCLSID;
C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe;i
CHRDefaults;
bghejdcdajlenjngcknlkkoakmmjfanb;chr
bopakagnckmlgajfccecajhnimjiiedh;chr
eeafbffkmccheohnooflcnppngmobeoe;chr
ellbonkjdmgdghkojcjmomekmjpdffde;chr
fllgpcmelbfhcligbphaaplminjpbiad;chr
flliilndjeohchalpbbcdekjklbdgfkk;chr
hpjocjloojeicikiokfiekcdpojgfefc;chr
jmnkgjdfgnjhmnopgmkcpigenfhgajdj;chr
kfbhfniohjdklgcmbmemnpaimpdaikea;chr
manaobgbdfpjjjnheogfghmjbikhjnlf;chr
oaobejgaaiojgggjojlcpbembaoajbmc;chr
bghejdcdajlenjngcknlkkoakmmjfanb;chr
eeafbffkmccheohnooflcnppngmobeoe;chr
ellbonkjdmgdghkojcjmomekmjpdffde;chr
fllgpcmelbfhcligbphaaplminjpbiad;chr
hpjocjloojeicikiokfiekcdpojgfefc;chr
jmnkgjdfgnjhmnopgmkcpigenfhgajdj;chr
kfbhfniohjdklgcmbmemnpaimpdaikea;chr
oaobejgaaiojgggjojlcpbembaoajbmc;chr
EmptyAllTemp;
C:\Users\Jesse\AppData\Local\Temp.dat;f
C:\ProgramData\DP45977C.lfl;f
bitsadmin /reset /allusers >> %temp%\log.txt;b
FilesRCM;
StartupAll;
Reboot;

• Click on button.
  Please wait until a logreport will open (this can be after reboot)
  
  
• Save notepad to your Desktop and attach here zoek-results.log
  Note: It will also create a log in the C:\ directory named "zoek-results.log"
  

[REDACTED]

Thank you, it did get rid of the website attacks via Avast but the Dealz extension is still on my Chrome.

Attached are the zoek logs.

[magna86]

Zoek log is incomplite. Doesn't matter. Just post me fresh FRST.txt log for re-analysist.

[REDACTED]

Attached is my latest FRST log. Thank you so much for helping.

[magna86]

Hello sturmgeist13,

The best thing would be to reinstall (uninstall first) Google Chrome browser, install fresh copy and then reset settings back to defaults;
https://support.google.com/chrome/answer/3296214?hl=en

In uninstallation process, make shure options "Also delete your browsing data" is ticked.

I see something unusual, so I will tell FRST to act aggressively and remove this. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Code: [Select]

Hosts:
R2 WinGraph; C:\Windows\wnavga.exe [7680 2015-05-14] () [File not signed]
S5 WinDivert1.1;  <===== ATTENTION Locked Service

Unlock: C:\Windows\wnavga.exe

Reboot:
C:\Windows\wnavga.exe

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.


3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system to restart normally and let the tool completes its run after restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

[REDACTED]

Here is the Fixlog.

The Dealz extension is gone and everything is seemingly back to normal, thanks a ton!

[magna86]

Good. Now please run Malwarebytes, go to Settings and under Detections and Protections check box for Scan for RootKits option;
Return to Dashboard and preform Threat Scan. Post me the resulting log. How to post the MBAM's log:

Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click 'Export' > 'Text file', save notepad to your Desktop as MBAMScan log e.g