Win10 hijack? pop-ups asking to update ....

[dianamite]

I am pasting the original message from the virus section just for background. It was suggested I start a topic here because the other didn't work.... and I am so over closing these pop-ups 40 in 2 hours!!!

....

If I leave the room and come back there could be upwards of 20 of these boxes. I also was getting a notebook pop-up with hd - Notepad in the header.... same message: ATTEMPTING TO UPGRADE TO WINDOWS 10. YOU CAN CONTINUE TO USE YOUR COMPUTER. WINDOWS 7 SUPPORT ENDING.

 

I "think" i got rid of the notepad messaging (20+ same-o) when I did the system restore ... but the text box Alert is still persisting. Not sure if this is virus related or ??-related. It's only been for the last couple of days and started after I did update Java.... ok.... i know!! but I've been sick and perhaps weak headed. Anyway. Java is Gone, so is the "hd - Notepad" pop-up and system restored.... except for this alert and I am hoping someone will have some answer on what this is. Do I need to do the PUP thing again? Which I had done so long ago I have almost no memory of it. Oh, and none of these show up as an actual "file".

 

I have run Avast, SuperAntiSpyware, Malwarebytes... with no success. After shut-down/restart they are still there (well except for the notepad one now... and I"ve done so much I'm not sure exactly HOW I got rid of that one. Unfortunately, I have an appointment to get to and will be back after a few hours.... But I truly appreciate any help that can be given. The file isn't causing any miscief and I'm not clicking the OK... just the X... so I don't think I have, or it has, caused any further miscief. Thanks in advance

[malwarekiller45]

Please do not post a "fix" for anyone's Malware log. Read the WARNING in red letters above this forum.

 

If you are serious about helping, here is a list of Malware Removal classrooms that you can apply to for your education:

 

Malware Removal University

http://forum.malwareremoval.com/viewtopic....fc8118953df37cd

SpywareInfoforum

http://www.spywareinfoforum.com/index.php?...einfoforum.com/

What the Tech Classroom

http://forums.whatthetech.com/What_the_Tec...oom_t80368.html

BleepingComputer

http://www.bleepingcomputer.com/forums/topic86678.html

 

Posting a proposed 'fix' without being a qualified Malware Tech helper... will get your post deleted.

Edited February 18, 2017 by Juliet

[Juliet]

@dianamite

 

Please back up your registry!

 

Backup the Registry:

Credit: Dakeyras

 

Modifying the Registry can create unforeseen problems, so it always wise to create a backup before doing so.

• Please download the installer for Registry Backup from here or here and save to your desktop.
• Right-click on tweaking.com_registry_backup_setup.exe and select Run as Administrator >> Follow the prompts for a default installation
• Ensure the option Open "Tweaking.com - Registry Backup" When Install Completes is selected >> Next > >> Finish
• Once the GUI(graphical user interface) has appeared/loaded:-

• Click on Backup Now >> once the process is complete the below will be displayed in the GUI:-

• Close Tweaking.com - Registry Backup

Note: There will now be a folder at the root of the Hard-Drive named C:\RegBackup, do not delete this as it is the actual backup just created.

 

A tutorial for Registry Backup explaining the various features be viewed HERE

 

 

``````````````````````````````````````````````````````

 

Farbar Recovery Scan Tool (FRST) Scan

• Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
• Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
• Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
• Click Yes to the disclaimer.
• Ensure the Addition.txt box is checked.
• Click the Scan button and let the programme run.
• Upon completion, click OK, then OK on the Addition.txt pop up screen.
• Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

   

[dianamite]

Thank you!!
Quick question....
I have run Tweaking and did the backup. The result said Errors! 15/17 Registry files backed up.
the following two files showed in black hi-lite in the body of the program:

C:\Users\TEMP.dian_a_mite-PC\ntuser.dat (size: 256.00 KB)
C:\Users\TEMP.dian_a_mite-PC\AppData\Local\Microsoft\Windows\UsrClass.dat (size: 256 KB)

I just want to be sure the errors are ok to ignore . . . ? before I go to the next step.

[Juliet]

We can continue.

[dianamite]

Have done that and have the 2 files ready to post, but I forgot how to do that in a scroll box .....

 

------

ALSO...This is a pic of the alert boxes... the smaller one on the right is current. I was able to remove (?) the larger one (at least it doesn't show any longer)

 

------

I am currently trying to find a way to post the text....

Edited February 18, 2017 by dianamite

[Juliet]

well one went through before you edited.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-02-2017

and I have started a fix with that one.

 

if you can, please post

Addition.txt

[dianamite]

trying again... renaming it

It is Notepad... if it still doesn't post, that may be why?

 

[dianamite]

an attachment is not showing for me... is it there for you?

[Juliet]

no need to rename it.

[Juliet]

mine worked but wasn't a picture.

Edited February 18, 2017 by Juliet

[dianamite]

weird... I didn't click to upload a picture.
I clicked to "attach file"

AND I also did the < > to add a text block, but apparently my post did not go thru?????

This is all very strange

Edited February 18, 2017 by dianamite

[Juliet]

your getting there

 

after you have it, look to the right to add

[dianamite]

Now getting error there: upload skipped (Error IO) ... for file uploading....I did not see "add" once I clicked to upload

 

 

tried the < > for text scroll box and it sits for several several minutes and says "saving post" on the bottom right. after I click "post"

 

 

12:28 still "savin" .. so it has been at least 20 minutes

 

12:47 ... refreshed page to get rid of it... it was still just trying to Save the post

Edited February 18, 2017 by dianamite

[dianamite]

still the error ... and the only "add" I see is at the bottom: "add reply"

 

[dianamite]

I may have (hopefully) found where the trigger core-file was located.... OR
It was just the place it was scheduled to launch from .... I may need to locate the core FILE, but so far, no pop-ups

have taken place since deleting the tasks.
there were 2 groupings of "tasks, files" that were deleted...
Thank you for your help. I hope this ends it, but will let you know.

 

 

Edited February 18, 2017 by dianamite

[Juliet]

Let's try this.

 

See if you can Locate the Addition.txt

 

upload a large file, try http://www.sendspace.com/

• Click on Browse button and navigate to Addition.txt file you want to upload.
• Click on Upload button.
• Click on FIRST Copy Link button and paste the link in your next reply.

   

[dianamite]

Here goes...

https://www.sendspace.com/file/dq4oxf

[Juliet]

I sent images through PM, if you like I can post them here to, to show how to attach.

[dianamite]

I know how to attach images.... I replied to you in a PM.... it is just not letting me do images or <> text boxes at all.

If you scroll back, you'll see I did images here. I will try to do the addition.txt file into a post on the folding forum. If that works I will PM you and let you know what post.....

[Juliet]

OK, sendspace worked.

 

Now, I have a fix ready and with fingers crossed....we'll git er done!

 

Running from E:\Desktop

Your going to have to locate this script in the same location. E:\Desktop or move it to C:\Desktop

 

~~~~~~~~~~~~`

 

Please go to your E:\Desktop, locate Farbar Recovery Scan Tool, right click and select CUT

Go to an open spot on your desktop, right click and select PASTE

You should now have Farbar Recovery Scan Tool on your desktop.

 

 

Please open Notepad *Do Not Use Wordpad!* or use any other text editor than Notepad or the script will fail. (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Or use this method Press the windows key + r on your keyboard at the same time. This will open the RUN BOX.

Type Notepad and and click the OK key.

 

To do this highlight the contents of the box and right click on it and select copy.

Paste this into the open notepad. save it to the Desktop as fixlist.txt

NOTE. It's important that both files, FRST/FRST64 and fixlist.txt are in the same location or the fix will not work.

It needs to be saved Next to the "Farbar Recovery Scan Tool" (If asked to overwrite existing one please allow)

 

 

 

 

start

CreateRestorePoint:

CloseProcesses:

ShellIconOverlayIdentifiers: [GDriveSharedOverlay] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44} => -> No File

CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

nternet Explorer: SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =

Toolbar: HKLM - avast! Online Security - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File

Toolbar: HKLM - No Name - {CC1A175A-E45B-41ED-A30C-C9B1D7A0C02F} - No File

HR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\ppGoogleNaClPluginChrome.dll => No File

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\pdf.dll => No File

CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.103\gcswf32.dll => No File

CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll => No File

CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <not found>

R3 ALSysIO; \??\C:\Users\DIAN_A~1\AppData\Local\Temp\ALSysIO64.sys [X] <==== ATTENTION

R3 WinRing0_1_2_0; \??\C:\Users\dian_a_mite\AppData\Local\Temp\tmp7BE3.tmp [X] <==== ATTENTION

Task: {031DAE10-B34F-4434-9DF1-B206AF81E2FE} - System32\Tasks\p => C:\Users\Public\Downloads\hi.bat <==== ATTENTION

Task: {10A6FE5F-5FBA-4EB0-8BBB-23988EEF815F} - System32\Tasks\p2 => C:\Users\Public\Downloads\hi.bat <==== ATTENTION

Task: {41CAB8F2-1B2A-4443-9459-12E257A98F41} - System32\Tasks\p3 => C:\Users\Public\Downloads\hi.bat <==== ATTENTION

Task: {4A2750B9-2E6F-4DA0-AB03-38BDBC93B783} - \Microsoft\Windows\Setup\GWXTriggers\Logon -> No File <==== ATTENTION

Task: {5AA99CAA-757B-408C-91AD-56A27C6777A2} - System32\Tasks\b3 => C:\Users\Public\Downloads\bleek.bat <==== ATTENTION

Task: {6F75BF9A-69D6-432C-A8CF-E6B86D14628C} - System32\Tasks\b2 => C:\Users\Public\Downloads\bleek.bat <==== ATTENTION

Task: {8F34A13D-DA14-46C1-BDA9-842718C8EE5C} - \Microsoft\Windows\Setup\GWXTriggers\OutOfIdle -> No File <==== ATTENTION

Task: {DDD266AE-B966-40D8-98C0-4C2D1BA4CFF1} - System32\Tasks\b => C:\Users\Public\Downloads\bleek.bat <==== ATTENTION

EmptyTemp:

Hosts:

End

Open FRST/FRST64 and press the > Fix < button just once and wait.

If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

 

AdwCleaner

• Please download AdwCleaner and save the file to your Desktop.

  In order to use AdwCleaner, you have to agree the Eula:

• Right-click AdwCleaner.exe and select Run as administrator to run the programme.
• Follow the prompts.
• Click Scan.
• Upon completion, click Logfile. A log (AdwCleaner[s1].txt) will open. Briefly check the log for anything you know to be legitimate.
• Return to AdwCleaner. Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab.
• Click Clean.
• Follow the prompts and allow your computer to reboot.
• After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this programme. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[C1].txt.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Please download Junkware Removal Tool

or from here http://downloads.malwarebytes.org/file/jrt

to your desktop.

• Shut down your protection software now to avoid potential conflicts.
• Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
• The tool will open and start scanning your system.
• Please be patient as this can take a while to complete depending on your system's specifications.
• On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
• Post the contents of JRT.txt into your next message.

~~

please post

Fixlog.txt

AdwCleaner[C1].txt

JRT.txt

[Juliet]

 

But I think i feel safe in closing this one out. Appreciate your help immensely!!

 

We're glad to help

[Juliet]

Glad we could help.
Since this issue appears resolved ... this Topic is closed.

[caintry_boy]

:clap: