Jump to content

Change Mode

Non-stop popups with Chrome


Recommended Posts

Have some bad malware on my computer. ONlys eems to affect Google Chrome now, not Firefox. Popups informing me my computer is infected and to call some number..pcfixin.info or some sketch web page. very frustrating. I've tried removing all extensions to Chrome but the problem keeps happening. Everyone here has been very helpful in the past any tips would be greatly suggested. :)

Link to comment
Share on other sites

I'm going to move your topic to "Have I Been Hijacked?" Just click on the link I leave in this forum :)


Next, download AdwCleaner by Xplode and save to your Desktop.


Step 1.

  • Double click on AdwCleaner.exe to run the tool.

    Vista/Windows 7/8 users right-click and select Run As Administrator

  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
  • Step 2.

    Using AdwCleaner v3: Scan & Clean:


    This time click on the Clean button.

    Press OK when asked to close all programs and follow the onscreen prompts.

    Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

    After rebooting, a logfile report (AdwCleaner[s#].txt) will open automatically (where the largest value of # represents the most recent report).

    Copy and paste the contents of that logfile in your next reply.

    A copy of that logfile will also be saved in the C:\AdwCleaner folder


    ******Post both .txt logs

Link to comment
Share on other sites

# AdwCleaner v4.112 - Logfile created 21/03/2015 at 15:19:27
# Updated 09/03/2015 by Xplode
# Database : 2015-03-21.2 [server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Paul - PAUL-PC
# Running from : C:\Users\Paul\Desktop\AdwCleaner(1).exe
# Option : Cleaning

***** [ Services ] *****

***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\Users\Paul\Documents\Updater
Folder Deleted : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\kbryytfl.default\Extensions\5LCy@N.com
File Deleted : C:\windows\DtcInstall.log
File Deleted : C:\windows\TSSysprep.log
File Deleted : C:\Users\Paul\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-devtools_devtools_0.localstorage
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-devtools_devtools_0.localstorage-journal
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage-journal

***** [ Scheduled tasks ] *****

***** [ Shortcuts ] *****

***** [ Registry ] *****

Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689

-\\ Mozilla Firefox v36.0.3 (x86 en-US)

[kbryytfl.default\prefs.js] - Line Deleted : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,AVG Secure Search,DuckDuckGo,eBay,Twitter,Wikipedia (en)");
[kbryytfl.default\prefs.js] - Line Deleted : user_pref("extensions.CSE9JJqAw1spBzZO.scode", "(function(){try{if(window.self.location.href.indexOf(\"pjwGpdsGqdw6rda7rTa6rdr8pn\")>-1){return;}}catch(e){}try{var d=[[\"acebook\",\"flybrain.com\",\"w[...]

-\\ Google Chrome v41.0.2272.101

[C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=2921&r=2015/02/20&hid=9128224170062070359&lg=EN&cc=US&unqvl=82


AdwCleaner[R0].txt - [8158 bytes] - [09/03/2015 07:45:04]
AdwCleaner[R1].txt - [8217 bytes] - [09/03/2015 07:47:10]
AdwCleaner[R2].txt - [3258 bytes] - [21/03/2015 15:14:33]
AdwCleaner[s0].txt - [8195 bytes] - [09/03/2015 07:49:06]
AdwCleaner[s1].txt - [3239 bytes] - [21/03/2015 15:19:27]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [3298 bytes] ##########

Shoot I think I saved over the first log. This is the second after cleaning my apologies. Thank you for your help what should I do next?

Link to comment
Share on other sites

Download TFC by Old Timer http://www.geekstogo.com/forum/TFC-Temp-File-Cleaner-OldTimer-file187.html and save it to your desktop.


Save any unsaved work. TFC will close ALL open programs including your browser! This will also eliminate all desktop shortcuts, so just be aware!


Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.

Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

Important! Manually reboot the machine to ensure a complete clean.


Tell me if you are still getting the pop-ups.

Link to comment
Share on other sites

Hello again. I've been using firefox this whole time. Just tried to use Chrome after running TFC and restarting....same problems. Click on a link from the local paper website and another window opens asking about refinancing a mortgage.. I still need help what should I do next? Thank you for the help you've already given me..

Link to comment
Share on other sites

Please download (free version) Malwarebytes' Anti-Malware to your desktop


* Double-click mbam-setup.exe and follow the prompts to install the program.Right click to run as Administrator, using Windows 7 or Vista.

* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform full scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

Link to comment
Share on other sites

Here it is:


Malwarebytes Anti-Malware

Scan Date: 3/28/2015
Scan Time: 8:15:55 PM
Logfile: malwarebytes log.txt
Administrator: Yes

Malware Database: v2015.03.28.08
Rootkit Database: v2015.03.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Paul

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 354042
Time Elapsed: 4 min, 50 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Multiplug, HKU\S-1-5-21-3737205948-2555619836-1812066780-1000_Classes\TYPELIB\{157B1AA6-3E5C-404A-9118-C1D91F537040}, Quarantined, [8563b99194f6c571107cc16909fa48b8],
PUP.Optional.Multiplug, HKU\S-1-5-21-3737205948-2555619836-1812066780-1000_Classes\INTERFACE\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}, Quarantined, [8563b99194f6c571107cc16909fa48b8],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.Multiplug, C:\Program Files (x86)\SystemText\SystemText.dll, Quarantined, [29bf3119d7b3bb7b848064cbcb37a957],
PUP.Optional.OutBrowse, C:\Users\Paul\Downloads\Installation.exe, Quarantined, [70788dbd7c0e60d607fc84c0a75b29d7],

Physical Sectors: 0
(No malicious items detected)


Link to comment
Share on other sites

I'd like you to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.

    ESET OnlineScan

  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your desktop.
  • Check esetAcceptTerms.png
  • Click the esetStart.png button.
  • Accept any security warnings from your browser.
  • Check esetScanArchives.png
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push esetListThreats.png
  • Push esetExport.png, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the esetBack.png button.
  • Push esetFinish.png
Tell me if that little rascal is still there.
Link to comment
Share on other sites

C:\AdwCleaner\Quarantine\C\Program Files (x86)\ChEapMe\0SQVcmM3BzTz9V.dll.vir a variant of Win32/Adware.MultiPlug.FL application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ChEapMe\0SQVcmM3BzTz9V.x64.dll.vir a variant of Win64/Adware.MultiPlug.G application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CheapMei\2YMFBGMmoo2CLJ.dll.vir a variant of Win32/Adware.MultiPlug.FL application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CheapMei\2YMFBGMmoo2CLJ.x64.dll.vir a variant of Win64/Adware.MultiPlug.G application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SAverExTTensionn\LKEWQ2r9cj4uoI.dll.vir a variant of Win32/Adware.MultiPlug.FL application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SAverExTTensionn\LKEWQ2r9cj4uoI.x64.dll.vir a variant of Win64/Adware.MultiPlug.G application


Yes, the little rascal is in there....what do we do!!

Link to comment
Share on other sites

Read and follow instructions for browsers here: http://en.kioskea.net/faq/2528-how-to-disable-add-ons-extensions-in-your-browser



Copy and paste these lines in Note pad.


@Echo on


attrib -h -s -r hosts

echo localhost>HOSTS

attrib +r +h +s hosts


ipconfig /release

ipconfig /renew

ipconfig /flushdns

netsh winsock reset all

netsh int ip reset all

shutdown -r -t 1

del %0


Save as flush.bat to your desktop.

Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.


Tell me what's happening now.

Link to comment
Share on other sites

The script ran, computer rebooted. No problems with Google Chrome so far...So I guess nothing is happening now which is a good thing. Just worried that the chrome extension will rear its head again as in the past. Thanks for your help and patience it is appreciated. Anything else I need to do?

Link to comment
Share on other sites

Set a 'clean' restore point


Keep TFC and Malwarebytes.... use them!


In the upper right hand corner of IE ... click on the 'gear' Icon and click Safety, then turn on smart Screen.


Keep all programs updated.

Link to comment
Share on other sites


  • Create New...