GeekPolice Tech Tutorials

Pop-up malware with Google Chrome


Re: Pop-up malware with Google Chrome

That's good, a change of passwords is always good.

Not sure why it says unsupported, considering this is XP. Did OTL make an Extras.txt log?

Re: Pop-up malware with Google Chrome

These are the only 2 txt files in the OTL folder. There were none saved on the desktop.

========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E04581-4EEE-11D0-BFE9-00AA005B4383}\ not found.
C:\Documents and Settings\Owner\Local Settings\Application Data\1w15mg3p30e624 moved successfully.
C:\Documents and Settings\All Users\Application Data\1w15mg3p30e624 moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 02282014_191932
All processes killed

========== OTL ==========
Error: No service named 196415 was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\196415 deleted successfully.
File globalroot\C:\WINDOWS\system32\drivers\196415.sys not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}\ not found.
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\HonorAutoRunSetting deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: Dummy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 66016 bytes
->Temporary Internet Files folder emptied: 32902 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 173160 bytes
->Temporary Internet Files folder emptied: 52047894 bytes
->Java cache emptied: 12054 bytes
->Flash cache emptied: 45084 bytes

User: New Folder

User: Owner
->Temp folder emptied: 5037301401 bytes
->Temporary Internet Files folder emptied: 239129833 bytes
->Java cache emptied: 64305 bytes
->FireFox cache emptied: 57642799 bytes
->Google Chrome cache emptied: 92430081 bytes
->Apple Safari cache emptied: 0 bytes
->Flash cache emptied: 59693 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 138675748 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 228544804 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 1756665371 bytes

Total Files Cleaned = 7,251.00 mb


OTL by OldTimer - Version 3.2.53.1 log created on 07092012_224616

Files\Folders moved on Reboot...
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E4D.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E53.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E69.tmp moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E6F.tmp moved successfully.
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZJ7KXNSU\c=851_rand=231011703_pv=y_rt=ifr[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EO2B7GMJ\fpi[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EO2B7GMJ\match[1].gif not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E69ZDR2R\3ddcb5d2-417f-4c82-a727-f6fb90797179[1].htm not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E69ZDR2R\beacon[1].htm moved successfully.
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E69ZDR2R\dis[2].htm not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E69ZDR2R\si[1].htm moved successfully.
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CJ3WE5KJ\1016938[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CJ3WE5KJ\tpid=CAESEDf5mH4p72vQqT76VgwuFNs&cver=1[1].gif not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BP00XZWX\ads[3].htm moved successfully.
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BP00XZWX\t28907-lg-dvd-player-and-hp-printer-do-not-work-properly-after-virus[1].htm not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\74Z9ZCJZ\pixel[3].gif moved successfully.
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\74Z9ZCJZ\st[1] not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\SuggestedSites.dat moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E4D.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E53.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E69.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E6F.tmp not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZJ7KXNSU\c=851_rand=231011703_pv=y_rt=ifr[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EO2B7GMJ\fpi[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\EO2B7GMJ\match[1].gif not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E69ZDR2R\3ddcb5d2-417f-4c82-a727-f6fb90797179[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E69ZDR2R\beacon[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E69ZDR2R\dis[2].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\E69ZDR2R\si[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CJ3WE5KJ\1016938[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\CJ3WE5KJ\tpid=CAESEDf5mH4p72vQqT76VgwuFNs&cver=1[1].gif not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BP00XZWX\ads[3].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\BP00XZWX\t28907-lg-dvd-player-and-hp-printer-do-not-work-properly-after-virus[1].htm not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\74Z9ZCJZ\pixel[3].gif not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\74Z9ZCJZ\st[1] not found!
File\Folder C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\SuggestedSites.dat not found!

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
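
The paste above is two OTL fix runs stuck together, and the only reliable way to tell them apart is the "OTL by OldTimer - Version ... log created on" stamp that closes each run. The following is an added example (my code, not the forum's or OldTimer's) that splits such a paste into runs, dates them, classifies every action line by what OTL reported (deleted, moved, set, or not found), and pulls out the entries a reviewer reads first: service and driver keys, alternate data streams, Explorer/IE policy values and IE search scopes. The sample input is a constructed subset of the log above; the function names and the "noteworthy" categories are my choices, not anything OTL defines.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: lines copied verbatim from the OTL log in the post
# above, trimmed to a representative subset of each run.
SAMPLE_LOG = r"""========== OTL ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{01E04581-4EEE-11D0-BFE9-00AA005B4383} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01E04581-4EEE-11D0-BFE9-00AA005B4383}\ not found.
C:\Documents and Settings\Owner\Local Settings\Application Data\1w15mg3p30e624 moved successfully.

OTL by OldTimer - Version 3.2.69.0 log created on 02282014_191932
All processes killed

========== OTL ==========
Error: No service named 196415 was found to stop!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\196415 deleted successfully.
File globalroot\C:\WINDOWS\system32\drivers\196415.sys not found.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope| /E : value set successfully!
ADS C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2 deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun deleted successfully.
========== COMMANDS ==========

User: Owner
->Temp folder emptied: 5037301401 bytes

RecycleBin emptied: 1756665371 bytes

OTL by OldTimer - Version 3.2.53.1 log created on 07092012_224616

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Owner\Local Settings\Temp\~DF8E4D.tmp not found!
"""

# The stamp written when a fix run finishes; in a paste it closes that run.
STAMP_RE = re.compile(r"^OTL by OldTimer - Version (?P<version>\S+) log created on "
                      r"(?P<stamp>\d{8}_\d{6})$")
# One action line: optional item kind, the target, and what OTL did with it.
ACTION_RE = re.compile(
    r"^(?:(?P<kind>Registry key|Registry value|File\\Folder|File|ADS)\s+)?"
    r"(?P<target>.+?)\s+"
    r"(?P<outcome>deleted successfully|moved successfully|not found|"
    r"value set successfully)[.!]$")
EMPTIED_RE = re.compile(r"emptied: (\d+) bytes")


def split_runs(text):
    """Split a paste into runs (version, timestamp, lines). Lines after the
    final stamp (the on-reboot section) belong to the last run."""
    runs, current = [], []
    for line in text.splitlines():
        m = STAMP_RE.match(line)
        if m:
            when = datetime.strptime(m.group("stamp"), "%m%d%Y_%H%M%S")
            runs.append({"version": m.group("version"), "when": when, "lines": current})
            current = []
        else:
            current.append(line)
    if current and runs:
        runs[-1]["lines"].extend(current)
    return runs


def parse_actions(lines):
    """Turn action lines into {kind, target, outcome} records."""
    actions = []
    for line in lines:
        m = ACTION_RE.match(line.strip())
        if not m:
            continue
        kind, target = m.group("kind"), m.group("target")
        if kind is None:
            # Unprefixed lines are registry value sets (HKEY_...) or file moves.
            kind = "Registry value" if target.startswith("HKEY_") else "File\\Folder"
        actions.append({"kind": kind, "target": target, "outcome": m.group("outcome")})
    return actions


def summarize(actions):
    """Count (kind, outcome) pairs, e.g. how many targets were already 'not found'."""
    return Counter((a["kind"], a["outcome"]) for a in actions)


def errors(lines):
    """OTL reports failures as 'Error: ...' lines; collect them verbatim."""
    return [l.strip() for l in lines if l.strip().startswith("Error:")]


def bytes_emptied(lines):
    """Total bytes the [EMPTYTEMP] command reported removing."""
    return sum(int(m.group(1)) for m in map(EMPTIED_RE.search, lines) if m)


# Categories a reviewer reads first (my choice of categories, not OTL's).
WATCH = {
    "service or driver": lambda a: "\\Services\\" in a["target"]
                                   or a["target"].lower().endswith(".sys"),
    "alternate data stream": lambda a: a["kind"] == "ADS",
    "Explorer/IE policy": lambda a: "\\policies\\" in a["target"].lower(),
    "IE search scope": lambda a: "SearchScopes" in a["target"],
}


def noteworthy(actions):
    """(category, target, outcome) for every action in a watched category."""
    return [(label, a["target"], a["outcome"])
            for a in actions for label, hit in WATCH.items() if hit(a)]


if __name__ == "__main__":
    for run in split_runs(SAMPLE_LOG):
        acts = parse_actions(run["lines"])
        print(f"OTL {run['version']} run of {run['when']:%Y-%m-%d %H:%M}: "
              f"{len(acts)} actions, {bytes_emptied(run['lines']) / 2**20:.0f} MiB emptied")
        for (kind, outcome), n in sorted(summarize(acts).items()):
            print(f"  {n:3d}  {kind} {outcome}")
        for label, target, outcome in noteworthy(acts):
            print(f"  [{label}] {target} ({outcome})")
        for err in errors(run["lines"]):
            print(f"  {err}")
```

Run against the full paste, the stamps alone settle the question raised in the next reply: the second run is dated July 2012. "Not found" outcomes mean the fix script targeted something already gone, which is normal when the same script is run twice. One caveat on the policy values in the second run: deleting NoDriveTypeAutoRun only restores the operating-system default, it does not disable AutoRun; Microsoft's guidance for disabling AutoRun on every drive type (KB967715) is to set that value to 0xFF.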

Re: Pop-up malware with Google Chrome

The second part of the OTL log is 2 years old, probably from a previous visit here.

Please download aswMBR from here

  • Save aswMBR.exe to your Desktop
  • Double-click aswMBR.exe to run it
  • Click the Scan button to start the scan as illustrated below

Note: Do not take action against any **Rootkit** entries until I have reviewed the log. Often there are false positives.

  • Once the scan finishes click Save log to save the log to your Desktop
  • Copy and paste the contents of aswMBR.txt back here for review

Re: Pop-up malware with Google Chrome

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-03-03 00:17:24
-----------------------------
00:17:24.025 OS Version: Windows 5.1.2600 Service Pack 3
00:17:24.025 Number of processors: 4 586 0xF0B
00:17:24.025 ComputerName: QUADCORE UserName: Owner
00:17:24.978 Initialize success
00:17:28.634 AVAST engine defs: 14030201
00:17:32.571 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-9
00:17:32.571 Disk 0 Vendor: MAXTOR_STM3320620AS 3.AAE Size: 305245MB BusType: 3
00:17:32.728 Disk 0 MBR read successfully
00:17:32.728 Disk 0 MBR scan
00:17:32.728 Disk 0 Windows XP default MBR code
00:17:32.728 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
00:17:32.728 Disk 0 scanning sectors +625121280
00:17:32.759 Disk 0 scanning C:\WINDOWS\system32\drivers
00:17:41.306 Service scanning
00:17:54.243 Modules scanning
00:17:59.337 Disk 0 trace - called modules:
00:17:59.368 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:17:59.368 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b2a79c0]
00:17:59.368 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> \Device\00000076[0x8b2ab9e8]
00:17:59.384 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-9[0x8b2aad98]
00:18:00.337 AVAST engine scan C:\WINDOWS
00:18:12.165 AVAST engine scan C:\WINDOWS\system32
00:20:34.759 AVAST engine scan C:\WINDOWS\system32\drivers
00:20:58.071 AVAST engine scan C:\Documents and Settings\Owner
00:22:12.915 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\My Documents\MBR.dat"
00:22:12.915 The log file has been saved successfully to "C:\Documents and Settings\Owner\My Documents\aswMBR14.txt"
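
Added example (my code, not the thread's or AVAST's): a reader for the aswMBR log format shown above. The helper's instruction was not to act on Rootkit entries before review, and this is the review step. It parses the OS line, each disk's MBR read and verdict lines, the partition entries, and the disk I/O trace (the "called modules" list plus the nt!IofCallDriver hops), then reports what deserves a closer look: an MBR that is not the stock loader, no active partition, a trace hop through a module that is not in the listed storage stack, a trace that does not end at the device the disk was mapped to, or any line wording a finding with "rootkit", "malware" or "suspicious". That keyword list is an assumption about how the tool words detections, not taken from the page; the sample input is a constructed subset of the log above.

```python
import re

# Constructed sample: lines copied from the aswMBR log in the post above,
# trimmed to the lines this reader uses.
SAMPLE = r'''aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2014-03-03 00:17:24
-----------------------------
00:17:24.025 OS Version: Windows 5.1.2600 Service Pack 3
00:17:32.571 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-9
00:17:32.571 Disk 0 Vendor: MAXTOR_STM3320620AS 3.AAE Size: 305245MB BusType: 3
00:17:32.728 Disk 0 MBR read successfully
00:17:32.728 Disk 0 MBR scan
00:17:32.728 Disk 0 Windows XP default MBR code
00:17:32.728 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305234 MB offset 63
00:17:59.337 Disk 0 trace - called modules:
00:17:59.368 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:17:59.368 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b2a79c0]
00:17:59.368 3 CLASSPNP.SYS[ba0f8fd7] -> nt!IofCallDriver -> \Device\00000076[0x8b2ab9e8]
00:17:59.384 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-9[0x8b2aad98]
00:22:12.915 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\My Documents\MBR.dat"
'''

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} ")
DISK_RE = re.compile(r"^Disk (\d+) (.*)$")
LINK_RE = re.compile(r"^(?:\(boot\) )?(\S+) -> (\S+)$")
PART_RE = re.compile(r"^Partition (\d+) ([0-9A-F]{2}) \((\w)\) ([0-9A-F]{2}) "
                     r"(\S+) (\S+) (\d+) MB offset (\d+)$")
# One trace hop: "<n> [<module>[addr] -> ]nt!IofCallDriver -> <device>[addr]"
HOP_RE = re.compile(r"^(\d+) (?:(\S+)\[[0-9a-f]+\] -> )?nt!IofCallDriver -> (\S+)\[0x[0-9a-f]+\]$")
# Assumed wording of detections; not taken from the page.
REVIEW_WORDS = ("rootkit", "malware", "suspicious")


def new_disk():
    return {"device": None, "link": None, "mbr_read": False, "verdict": None,
            "partitions": [], "modules": [], "hops": []}


def parse_aswmbr(text):
    report = {"os": None, "disks": {}, "keyword_hits": [], "mbr_saved": None}
    disk, expect = None, None  # current disk; what the next line should be
    for raw in text.splitlines():
        line = TS_RE.sub("", raw)
        if line.startswith("OS Version: "):
            report["os"] = line[len("OS Version: "):]
            continue
        if any(w in line.lower() for w in REVIEW_WORDS):
            report["keyword_hits"].append(line)
        m = DISK_RE.match(line)
        if m:
            disk = report["disks"].setdefault(int(m.group(1)), new_disk())
            rest = m.group(2)
            if rest == "MBR read successfully":
                disk["mbr_read"] = True
            elif rest == "MBR scan":
                expect = "verdict"           # the next Disk line is the verdict
            elif expect == "verdict":
                disk["verdict"], expect = rest, None
            elif rest == "trace - called modules:":
                expect = "modules"           # the next line lists the stack
            elif (p := PART_RE.match(rest)):
                disk["partitions"].append({
                    "n": int(p.group(1)), "active": p.group(2) == "80",
                    "type": p.group(4), "fs": p.group(6),
                    "size_mb": int(p.group(7)), "offset": int(p.group(8))})
            elif (l := LINK_RE.match(rest)):
                disk["device"], disk["link"] = l.group(1), l.group(2)
            elif rest.startswith("MBR has been saved successfully to "):
                report["mbr_saved"] = rest.split('"')[1]
        elif expect == "modules" and disk is not None:
            disk["modules"], expect = line.split(), None
        elif (h := HOP_RE.match(line)) and disk is not None:
            disk["hops"].append({"n": int(h.group(1)), "module": h.group(2),
                                 "target": h.group(3)})
    return report


def review_items(report):
    """What a reviewer should look at before anyone acts on the log."""
    items = []
    for n, d in sorted(report["disks"].items()):
        if not d["mbr_read"]:
            items.append(f"Disk {n}: MBR could not be read")
        if not d["verdict"] or "default MBR code" not in d["verdict"]:
            items.append(f"Disk {n}: MBR verdict {d['verdict']!r} is not the stock "
                         "loader; compare the saved MBR.dat before acting")
        if not any(p["active"] for p in d["partitions"]):
            items.append(f"Disk {n}: no active (0x80) partition")
        for h in d["hops"]:
            if h["module"] and h["module"] not in d["modules"]:
                items.append(f"Disk {n}: trace hop {h['n']} passes through "
                             f"{h['module']}, which is not in the listed storage stack")
        if d["hops"] and d["link"] and d["hops"][-1]["target"] != d["link"]:
            items.append(f"Disk {n}: I/O trace ends at {d['hops'][-1]['target']}, "
                         f"not at {d['link']}")
    items.extend("flagged wording: " + line for line in report["keyword_hits"])
    return items


if __name__ == "__main__":
    rep = parse_aswmbr(SAMPLE)
    print(rep["os"])
    for n, d in rep["disks"].items():
        print(f"Disk {n}: {d['device']} -> {d['link']}, MBR: {d['verdict']}")
        print("  stack:", " -> ".join(h["module"] or "nt" for h in d["hops"]))
    print("review:", review_items(rep) or "nothing flagged")
```

On the log above every check passes, which is what "looks good" means here: stock XP MBR code, one active NTFS partition, and a storage stack that runs from the kernel through CLASSPNP and ACPI to the IDE device with nothing foreign in between. Keep the MBR.dat the tool saved; if a later scan gives a different verdict, compare the two images rather than trusting the verdict string alone.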


Re: Pop-up malware with Google Chrome

Okay, that looks good. How is the machine doing now compared to when you first noticed any problems?

Re: Pop-up malware with Google Chrome

It seems to be running fine now... no problems with Chrome. I use Firefox for some things and Chrome for others. My Explorer browser quit working long ago. Trying to hang onto XP as long as I can. Thanks.

Re: Pop-up malware with Google Chrome

Okay, looks good to me too...