Author Topic: Can't remove stubborn malware (Read 3768 times)

REDACTED · « **on:** December 14, 2017, 05:34:02 PM »

Hello,
I posted a couple days ago about click-now-on.me. Avast didn't find/remove it. It seems to be connected to my Chrome browser. When Chrome is running, even when I view different programs, I get popups about every 15-30- minutes. Also, the whole system is noticeably slower. Got a few suggestions from the last post--namely running Malwarebytes adware remover and then regular Malwarebytes. Neither program fixed the issue. I also ran the Farbar Recovery Scan Tool, but it didn't find problems. I'll attach logs below. (Can't seem to find the one from regular Malwarebytes; not sure if it generated a log?)

Pondus · « **Reply #1 on:** December 14, 2017, 06:19:03 PM »

Quote

I also ran the Farbar Recovery Scan Tool, but it didn't find problems.

FRST is a diagnostic tool and does not detect anything, it depends if you can read the log?

Malware/log expert is notified

Michael (alan1998) · « **Reply #2 on:** December 14, 2017, 08:53:37 PM »

Quote from: Pondus on December 14, 2017, 06:19:03 PM

Quote
I also ran the Farbar Recovery Scan Tool, but it didn't find problems.
FRST is a diagnostic tool and does not detect anything, it depends if you can read the log?

Malware/log expert is notified

Not the Malware Expert;

GroupPolicy: Restriction <==== ATTENTION
GroupPolicyUsers\S-1-5-21-959321219-2679882598-892267368-1000\User: Restriction <==== ATTENTION
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION <-- Microsoft's "Malware Removal Tool"

Sass Drake · « **Reply #3 on:** December 14, 2017, 09:00:20 PM »

Open Notepad (click Start button -> type notepad.exe -> press Enter)
Copy text from code block below and paste it into Notepad

Code: [Select]

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
CHR HomePage: Profile 1 -> hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&uref=308&ir=
CHR StartupUrls: Profile 1 -> "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&ir="

Go to File -> Save As
Make sure that UTF-8 is selected as Encoding (left side of Save button)
Save it as fixlist.txt on Desktop
Open again FRST and click on button Fix
Wait until FRST finishes
fixlog.txt should be genereted and opened. Attach it your post and wait further instructions.

After that, opet Chrome Extension Manager and remove:
Honey
InvisibleHand

REDACTED · « **Reply #4 on:** December 14, 2017, 09:11:44 PM »

Can't figure out how to add another file to my post. Here is the Fixlog text:

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-12-2017
Ran by David (14-12-2017 15:04:22) Run:1
Running from C:\Users\David\Desktop
Loaded Profiles: David & Jazmyne & Ruby & Jasper & visitor (Available Profiles: David & Jazmyne & Ruby & Jasper & visitor & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
CHR HomePage: Profile 1 -> hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&uref=308&ir=
CHR StartupUrls: Profile 1 -> "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&ir="
*****************

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
"Chrome HomePage" => removed successfully
"Chrome StartupUrls" => removed successfully

==== End of Fixlog 15:04:23 ====

DavidR · « **Reply #5 on:** December 14, 2017, 10:05:44 PM »

Use the 'Attachments and other options' (below the reply window) in a new post, as you did before. You don't have to attach it to your first post if that is what you are asking/thinking. That is possibly not wise as it could be missed or confuse.

REDACTED · « **Reply #6 on:** December 14, 2017, 10:31:02 PM »

As I already inserted all the text from the file that was generated, do you still need me to attach said file?

Pondus · « **Reply #7 on:** December 14, 2017, 10:43:14 PM »

Quote from: DF1321 on December 14, 2017, 10:31:02 PM

As I already inserted all the text from the file that was generated, do you still need me to attach said file?

No ... it was just a answer to your "Can't figure out how to add another file to my post."

REDACTED · « **Reply #8 on:** December 14, 2017, 10:46:52 PM »

OK, thanks. Just would really like to get rid of this bug, and if it is indeed causing my system to lag, even more so!

Sass Drake · « **Reply #9 on:** December 15, 2017, 01:46:16 AM »

Have you removed following Chrome extensions?

Honey
InvisibleHand

REDACTED · « **Reply #10 on:** December 15, 2017, 01:52:22 AM »

Yes. I installed them 3 months ago, and never (seemed to) have problems with them. But am happy to do whatever you and others say I need to do to get rid of this horrible popup malady.
df

Sass Drake · « **Reply #11 on:** December 15, 2017, 02:01:27 AM »

Can you make screenshot of that popup? Do you have any other PC/laptop experiencing the same issue?
Disable (not delete) Chrome extensions one by one and test if that popup will appear until you found which extension is responsible. All extensions you have are still on Chrome Web Store and for none in description ads are mentioned.

REDACTED · « **Reply #12 on:** December 15, 2017, 02:06:01 AM »

I will make a screenshot of the popup next time it appears. That might be tomorrow, as I'm ready to retire my computer work for tonight. I don't notice any other apps on chrome that weren't there before this happened.
Thank you very much for your help!!!
df

REDACTED · « **Reply #13 on:** December 15, 2017, 02:09:19 AM »

So as it happens, this popped up just as I pressed send.

Sass Drake · « **Reply #14 on:** December 15, 2017, 02:16:27 AM »

In a meantime, visit this URL in Chrome:

chrome://serviceworker-internals/

It will show you service workers in your browser and use option Unregister for all of them.

Author Topic: Can't remove stubborn malware (Read 3768 times)

REDACTED

Can't remove stubborn malware

Pondus

Re: Can't remove stubborn malware

Michael (alan1998)

Re: Can't remove stubborn malware

Sass Drake

Re: Can't remove stubborn malware

REDACTED

Re: Can't remove stubborn malware

DavidR

Re: Can't remove stubborn malware

REDACTED

Re: Can't remove stubborn malware

Pondus

Re: Can't remove stubborn malware

REDACTED

Re: Can't remove stubborn malware

Sass Drake

Re: Can't remove stubborn malware

REDACTED

Re: Can't remove stubborn malware

Sass Drake

Re: Can't remove stubborn malware

REDACTED

Re: Can't remove stubborn malware

REDACTED

Re: Can't remove stubborn malware

Sass Drake

Re: Can't remove stubborn malware