Can't remove stubborn malware

REDACTED:
Hello,
I posted a couple of days ago about click-now-on.me. Avast didn't find/remove it. It seems to be connected to my Chrome browser. When Chrome is running, even when I view different programs, I get popups about every 15-30 minutes. Also, the whole system is noticeably slower. Got a few suggestions from the last post--namely running Malwarebytes adware remover and then regular Malwarebytes. Neither program fixed the issue. I also ran the Farbar Recovery Scan Tool, but it didn't find problems. I'll attach logs below. (Can't seem to find the one from regular Malwarebytes; not sure if it generated a log?)

Pondus:

--- Quote ---I also ran the Farbar Recovery Scan Tool, but it didn't find problems.
--- End quote ---
FRST is a diagnostic tool and does not detect anything; it depends on whether you can read the log.

Malware/log expert is notified


Michael (alan1998):

--- Quote from: Pondus on December 14, 2017, 06:19:03 PM ---
--- Quote ---I also ran the Farbar Recovery Scan Tool, but it didn't find problems.
--- End quote ---
FRST is a diagnostic tool and does not detect anything; it depends on whether you can read the log.

Malware/log expert is notified

--- End quote ---

Not the Malware Expert;

GroupPolicy: Restriction <==== ATTENTION
GroupPolicyUsers\S-1-5-21-959321219-2679882598-892267368-1000\User: Restriction <==== ATTENTION
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION <-- Microsoft's "Malware Removal Tool"

Sass Drake:

* Open Notepad (click Start button -> type notepad.exe -> press Enter)
* Copy text from code block below and paste it into Notepad
--- Code: ---HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
CHR HomePage: Profile 1 -> hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&uref=308&ir=
CHR StartupUrls: Profile 1 -> "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&ir="

--- End code ---

* Go to File -> Save As
* Make sure that UTF-8 is selected as Encoding (left side of Save button)
* Save it as fixlist.txt on Desktop
* Open FRST again and click on the Fix button
* Wait until FRST finishes
* fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.


After that, open Chrome Extension Manager and remove:
Honey
InvisibleHand
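
The two "CHR HomePage" / "CHR StartupUrls" lines FRST reports come from the profile's Chrome "Preferences" file (a JSON file under the user data directory). The script below is an added example, not part of this thread or of FRST: it reads a constructed Preferences sample shaped like the astromenda.com hijack above, emits FRST-style findings for any homepage or startup URL whose host is not on an assumed trusted list, and shows the reset that the fix performs. The allowlist, the profile name and the sample data are assumptions for the example; the Preferences keys and the restore_on_startup values are Chrome's own.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Chrome "Preferences" file for one profile, shaped
# like the hijack in the FRST log above (not captured from a real machine).
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://astromenda.com/?f=1&a=ast_dnldstr_14_36_ch",
    "homepage_is_newtabpage": False,
    "session": {
        "restore_on_startup": 4,   # Chrome: 4 = "open a specific page or set of pages"
        "startup_urls": ["http://astromenda.com/?f=7&a=ast_dnldstr_14_36_ch"],
    },
})

# Constructed clean profile: startup_urls is stale but not used, because
# restore_on_startup is 1 ("continue where you left off"), so Chrome ignores it.
CLEAN_PREFERENCES = json.dumps({
    "homepage": "https://www.google.com/",
    "homepage_is_newtabpage": False,
    "session": {"restore_on_startup": 1, "startup_urls": ["http://astromenda.com/"]},
})

# Assumed allowlist of hosts the user actually chose (adjust for your own profile).
TRUSTED_HOSTS = {"www.google.com", "duckduckgo.com"}


def defang(url):
    """Print hxxp:// like FRST does, so a log reader cannot click the hijack URL."""
    return url.replace("http://", "hxxp://", 1).replace("https://", "hxxps://", 1)


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def chrome_startup_findings(preferences_json, profile="Profile 1", trusted=TRUSTED_HOSTS):
    """Return FRST-style lines for homepage/startup URLs pointing at untrusted hosts."""
    prefs = json.loads(preferences_json)
    findings = []

    home = prefs.get("homepage")
    # A homepage only matters when Chrome is not using the New Tab page instead.
    if home and not prefs.get("homepage_is_newtabpage", False) and host_of(home) not in trusted:
        findings.append(f"CHR HomePage: {profile} -> {defang(home)}")

    session = prefs.get("session", {})
    # startup_urls are only opened when restore_on_startup == 4.
    if session.get("restore_on_startup") == 4:
        for url in session.get("startup_urls", []):
            if host_of(url) not in trusted:
                findings.append(f'CHR StartupUrls: {profile} -> "{defang(url)}"')
    return findings


def cleaned_preferences(preferences_json):
    """Return the Preferences with the hijacked homepage and startup URLs removed,
    the equivalent of placing the two CHR lines in fixlist.txt and running Fix."""
    prefs = json.loads(preferences_json)
    prefs.pop("homepage", None)
    prefs["homepage_is_newtabpage"] = True
    session = prefs.setdefault("session", {})
    session["startup_urls"] = []
    session["restore_on_startup"] = 5   # Chrome: 5 = open the New Tab page
    return json.dumps(prefs)


if __name__ == "__main__":
    for line in chrome_startup_findings(SAMPLE_PREFERENCES):
        print(line)
    print("after fix:", chrome_startup_findings(cleaned_preferences(SAMPLE_PREFERENCES)))
```

Edit the real Preferences file only with Chrome closed, since Chrome rewrites it on exit and would overwrite the change; FRST's Fix handles that for you. If the hijack returns after the fix, look at the extensions list and at any scheduled task or Chrome shortcut that re-applies the URL, which is why the post above also asks to remove the extensions.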

REDACTED:
Can't figure out how to add another file to my post. Here is the Fixlog text:

Fix result of Farbar Recovery Scan Tool (x64) Version: 13-12-2017
Ran by David (14-12-2017 15:04:22) Run:1
Running from C:\Users\David\Desktop
Loaded Profiles: David & Jazmyne & Ruby & Jasper & visitor (Available Profiles: David & Jazmyne & Ruby & Jasper & visitor & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION
CHR HomePage: Profile 1 -> hxxp://astromenda.com/?f=1&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&uref=308&ir=
CHR StartupUrls: Profile 1 -> "hxxp://astromenda.com/?f=7&a=ast_dnldstr_14_36_ch&cd=2XzuyEtN2Y1L1Qzu0Fzz0B0CtCtByByEyE0BtBtDzzyEyEyDtN0D0Tzu0SzyyByBtN1L2XzutAtFtBtFtCtFtCtN1L1CzutCyEtBzytDyD1V1TtN1L1G1B1V1N2Y1L1Qzu2SyEtBtCyCtA0C0DzztG0EzytAyDtGtBtAtDtAtGyCyB0DtBtGtD0BzztB0FtAyE0F0A0A0F0E2QtN1M1F1B2Z1V1N2Y1L1Qzu2StC0E0AtD0ByD0F0DtGzy0AtC0BtGyEtAyD0FtG0Azy0D0FtGtC0F0EtD0C0E0EzytBtAtDtA2Q&cr=1752519849&ir="
*****************

HKLM Group Policy restriction on software: %systemroot%\system32\mrt.exe <==== ATTENTION => restored successfully
"Chrome HomePage" => removed successfully
"Chrome StartupUrls" => removed successfully

==== End of Fixlog 15:04:23 ====
