Non-stop popups with Chrome

[paulbasaur]

Have some bad malware on my computer. ONlys eems to affect Google Chrome now, not Firefox. Popups informing me my computer is infected and to call some number..pcfixin.info or some sketch web page. very frustrating. I've tried removing all extensions to Chrome but the problem keeps happening. Everyone here has been very helpful in the past any tips would be greatly suggested.

[Jacee]

I'm going to move your topic to "Have I Been Hijacked?" Just click on the link I leave in this forum

 

Next, download AdwCleaner by Xplode and save to your Desktop.

 

Step 1.

• Double click on AdwCleaner.exe to run the tool.

  Vista/Windows 7/8 users right-click and select Run As Administrator

.

• Click on the Scan button.
• AdwCleaner will begin...be patient as the scan may take some time to complete.
• After the scan has finished, click on the Report button...a logfile (AdwCleaner[R#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
• The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
• Copy and paste the contents of that logfile in your next reply.
• A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.
• Step 2.

  Using AdwCleaner v3: Scan & Clean:

   

  This time click on the Clean button.

  Press OK when asked to close all programs and follow the onscreen prompts.

  Press OK again to allow AdwCleaner to restart the computer and complete the removal process.

  After rebooting, a logfile report (AdwCleaner[s#].txt) will open automatically (where the largest value of # represents the most recent report).

  Copy and paste the contents of that logfile in your next reply.

  A copy of that logfile will also be saved in the C:\AdwCleaner folder

   

  ******Post both .txt logs

[paulbasaur]

# AdwCleaner v4.112 - Logfile created 21/03/2015 at 15:19:27
# Updated 09/03/2015 by Xplode
# Database : 2015-03-21.2 [server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : Paul - PAUL-PC
# Running from : C:\Users\Paul\Desktop\AdwCleaner(1).exe
# Option : Cleaning

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AVG Security Toolbar
Folder Deleted : C:\Users\Paul\Documents\Updater
Folder Deleted : C:\Users\Paul\AppData\Roaming\Mozilla\Firefox\Profiles\kbryytfl.default\Extensions\5LCy@N.com
File Deleted : C:\windows\DtcInstall.log
File Deleted : C:\windows\TSSysprep.log
File Deleted : C:\Users\Paul\AppData\Local\Temp\Uninstall.exe
File Deleted : C:\Program Files (x86)\Mozilla Firefox\browser\searchplugins\wtu-secure-search.xml
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-devtools_devtools_0.localstorage
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-devtools_devtools_0.localstorage-journal
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage
File Deleted : C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_pafkbggdmjlpgkdkcbjmhmfcdpncadgh_0.localstorage-journal

***** [ Scheduled tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}
Key Deleted : HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

***** [ Web browsers ] *****

-\\ Internet Explorer v11.0.9600.17689


-\\ Mozilla Firefox v36.0.3 (x86 en-US)

[kbryytfl.default\prefs.js] - Line Deleted : user_pref("browser.search.hiddenOneOffs", "Yahoo,Bing,Amazon.com,AVG Secure Search,DuckDuckGo,eBay,Twitter,Wikipedia (en)");
[kbryytfl.default\prefs.js] - Line Deleted : user_pref("extensions.CSE9JJqAw1spBzZO.scode", "(function(){try{if(window.self.location.href.indexOf(\"pjwGpdsGqdw6rda7rTa6rdr8pn\")>-1){return;}}catch(e){}try{var d=[[\"acebook\",\"flybrain.com\",\"w[...]

-\\ Google Chrome v41.0.2272.101

[C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Paul\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [search Provider] : hxxp://websearch.look-for-it.info/?l=1&q={searchTerms}&pid=2921&r=2015/02/20&hid=9128224170062070359&lg=EN&cc=US&unqvl=82

*************************

AdwCleaner[R0].txt - [8158 bytes] - [09/03/2015 07:45:04]
AdwCleaner[R1].txt - [8217 bytes] - [09/03/2015 07:47:10]
AdwCleaner[R2].txt - [3258 bytes] - [21/03/2015 15:14:33]
AdwCleaner[s0].txt - [8195 bytes] - [09/03/2015 07:49:06]
AdwCleaner[s1].txt - [3239 bytes] - [21/03/2015 15:19:27]

########## EOF - C:\AdwCleaner\AdwCleaner[s1].txt - [3298 bytes] ##########

Shoot I think I saved over the first log. This is the second after cleaning my apologies. Thank you for your help what should I do next?

[Jacee]

Download TFC by Old Timer http://www.geekstogo.com/forum/TFC-Temp-File-Cleaner-OldTimer-file187.html and save it to your desktop.

 

Save any unsaved work. TFC will close ALL open programs including your browser! This will also eliminate all desktop shortcuts, so just be aware!

 

Double-click on TFC.exe to run it. If you are using Vista/Windows 7 right-click on the file and choose Run As Administrator.

Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

Important! Manually reboot the machine to ensure a complete clean.

 

Tell me if you are still getting the pop-ups.

[paulbasaur]

Hello again. I've been using firefox this whole time. Just tried to use Chrome after running TFC and restarting....same problems. Click on a link from the local paper website and another window opens asking about refinancing a mortgage.. I still need help what should I do next? Thank you for the help you've already given me..

[Jacee]

See if these instructions help: https://support.google.com/chromebook/answer/183083?hl=en

[paulbasaur]

Nope. Getting redirects, popups. Only in Chrome. In Extensions, this "Browser Adblocker" keeps reinstalling itself.

[Jacee]

Please download (free version) Malwarebytes' Anti-Malware to your desktop

http://www.malwarebytes.org/products/malwarebytes_free/

* Double-click mbam-setup.exe and follow the prompts to install the program.Right click to run as Administrator, using Windows 7 or Vista.

* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select Perform full scan, then click Scan.

* When the scan is complete, click OK, then Show Results to view the results.

* Be sure that everything is checked, and click Remove Selected.

* When completed, a log will open in Notepad. Please save it to a convenient location. Copy and Paste that log into your next reply.

[paulbasaur]

Here it is:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 3/28/2015
Scan Time: 8:15:55 PM
Logfile: malwarebytes log.txt
Administrator: Yes

Version: 2.01.4.1018
Malware Database: v2015.03.28.08
Rootkit Database: v2015.03.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Paul

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 354042
Time Elapsed: 4 min, 50 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.Multiplug, HKU\S-1-5-21-3737205948-2555619836-1812066780-1000_Classes\TYPELIB\{157B1AA6-3E5C-404A-9118-C1D91F537040}, Quarantined, [8563b99194f6c571107cc16909fa48b8],
PUP.Optional.Multiplug, HKU\S-1-5-21-3737205948-2555619836-1812066780-1000_Classes\INTERFACE\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}, Quarantined, [8563b99194f6c571107cc16909fa48b8],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 2
PUP.Optional.Multiplug, C:\Program Files (x86)\SystemText\SystemText.dll, Quarantined, [29bf3119d7b3bb7b848064cbcb37a957],
PUP.Optional.OutBrowse, C:\Users\Paul\Downloads\Installation.exe, Quarantined, [70788dbd7c0e60d607fc84c0a75b29d7],

Physical Sectors: 0
(No malicious items detected)


(end)

[Jacee]

I'd like you to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.

  ESET OnlineScan

• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

Tell me if that little rascal is still there.

[paulbasaur]

C:\AdwCleaner\Quarantine\C\Program Files (x86)\ChEapMe\0SQVcmM3BzTz9V.dll.vir a variant of Win32/Adware.MultiPlug.FL application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\ChEapMe\0SQVcmM3BzTz9V.x64.dll.vir a variant of Win64/Adware.MultiPlug.G application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CheapMei\2YMFBGMmoo2CLJ.dll.vir a variant of Win32/Adware.MultiPlug.FL application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\CheapMei\2YMFBGMmoo2CLJ.x64.dll.vir a variant of Win64/Adware.MultiPlug.G application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SAverExTTensionn\LKEWQ2r9cj4uoI.dll.vir a variant of Win32/Adware.MultiPlug.FL application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\SAverExTTensionn\LKEWQ2r9cj4uoI.x64.dll.vir a variant of Win64/Adware.MultiPlug.G application

 

Yes, the little rascal is in there....what do we do!!

[Jacee]

Read and follow instructions for browsers here: http://en.kioskea.net/faq/2528-how-to-disable-add-ons-extensions-in-your-browser

 

Next:

Copy and paste these lines in Note pad.

 

@Echo on

pushd\windows\system32\drivers\etc

attrib -h -s -r hosts

echo 127.0.0.1 localhost>HOSTS

attrib +r +h +s hosts

popd

ipconfig /release

ipconfig /renew

ipconfig /flushdns

netsh winsock reset all

netsh int ip reset all

shutdown -r -t 1

del %0

 

Save as flush.bat to your desktop.

Windows 7... right click the .bat file and choose to run as Administrator. Your computer will reboot itself.

 

Tell me what's happening now.

[paulbasaur]

The script ran, computer rebooted. No problems with Google Chrome so far...So I guess nothing is happening now which is a good thing. Just worried that the chrome extension will rear its head again as in the past. Thanks for your help and patience it is appreciated. Anything else I need to do?

[Jacee]

Set a 'clean' restore point

 

Keep TFC and Malwarebytes.... use them!

 

In the upper right hand corner of IE ... click on the 'gear' Icon and click Safety, then turn on smart Screen.

 

Keep all programs updated.