
Need help with Chrome browser that has unwanted hyperlinks to Search Assist popups.



I use IE 11 as my default browser.  A couple of days ago I noticed it had been infected with a new bar across the top of webpages inviting me to take surveys and such plus many words were now hyperlinked to ads or search engines.  

 

I ran Norton scan - nothing.  Next, I ran Norton Power Eraser 2013; it found a file it told me to remove.  That did not help.

 

Next, I ran Malwarebytes, it found 16 instances that I removed.  

 

Next, I cleared out my temporary files with TFC.

 

There were still problems with IE11. 

 

Next, I ran Rkill and got the following report (I took no recommended actions): 

 

Rkill 2.6.2 by Lawrence Abrams (Grinler)
Copyright 2008-2013 BleepingComputer.com
More Information about Rkill can be found at this link:
 
Program started at: 10/22/2013 10:11:50 PM in x64 mode.
Windows Version: Windows 7 Professional Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * Explorer Policy Removed:  NoActiveDesktopChanges [HKLM]
 
Backup Registry file created at:
 C:\Users\Leroy\Desktop\rkill\rkill-10-22-2013-10-11-56.reg
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
  * HKLM\Software\Classes\.exe\shell found and deleted!
 
 
Performing miscellaneous checks:
 
 * Windows Defender Disabled
 
   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001
 
Checking Windows Service Integrity: 
 
 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 10/22/2013 10:12:11 PM
Execution time: 0 hours(s), 0 minute(s), and 21 seconds(s)
 
 
I also ran SystemLook and got the following report --
 
SystemLook 30.07.11 by jpshortstuff
Log created at 22:48 on 22/10/2013 by Leroy
Administrator - Elevation successful
 
No Context: filefind
 
No Context: *SearchAssist*
 
========== folderfind ==========
 
Searching for "*SearchAssist*"
 
I reset IE11, Chrome and Mozilla to their default settings.
 
IE11 appears to have been cleaned up. However, Chrome remains full of unwanted hyperlinks with Search Assist popups.
 
Any suggestions on how to proceed would be greatly appreciated. 
 

 

Link to post
Share on other sites

Hello

 

P2P/Piracy Warning:

 

   

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.

Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.

If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Download Junkware Removal tool from this link:

 

http://www.bleepingcomputer.com/download/junkware-removal-tool/

 

Save to your desktop.

 

  • Shut down your Security Protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator. Follow prompts as they come.
  • The tool will open and start scanning your system. (Press any key when prompted to continue)
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post JRT.txt to your next message.

 

Next,

 

Download AdwCleaner by Xplode from here: http://www.bleepingcomputer.com/download/adwcleaner/ and save to your Desktop.

 

  • Double click on AdwCleaner.exe to run the tool.
  • Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Uncheck any elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review.
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted (if necessary):
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.

 

Post both logs, any improvement?

 

Kevin

Link to post
Share on other sites

Thank you for the quick response.  Unfortunately, the hyperlinked words still appear.  (And, btw, I misstated, they also appear in IE11, just that it takes so long to load, I had not noticed they had remained after my earlier attempts.)

I ran both the Junkware Removal tool and AdwCleaner.  Each removed things but neither was enough to cure the infection.

Oddly, I am unable to paste the logs into this page. I will attach them instead. 

Thanks again

JRT.txt.txt

AdwCleanerS0.txt

Link to post
Share on other sites

Download Farbar Recovery Scan Tool and save it to your desktop.

 

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Link to post
Share on other sites

Start Internet Explorer in safe mode: select Start, then into the search box either type or copy/paste iexplore -extoff. Does IE still give the issues? If so, run the following:

 

1. Download Malwarebytes Anti-Rootkit from this link:

 

 http://www.malwarebytes.org/products/mbar/

 

2. Unzip the File to a convenient location. (Recommend the Desktop)

3. Open the folder where the contents were unzipped to run mbar.exe

 

Image1.png

 

4. Double-click on the mbar.exe file, you may receive a User Account Control prompt asking if you are sure you wish to allow the program to run. Please allow the program to run and MBAR will now start to install any necessary drivers that are required for the program to operate correctly. If a rootkit is interfering with the installation of the drivers you will see a message that states that the DDA driver was not installed and that you should reboot your computer to install it. You will see this image:

 

mbarwm.png

 

5. If you receive this message, please click on the Yes button and Malwarebytes Anti-Rootkit will now restart your computer. Once the computer is rebooted and you login, MBAR will automatically start and you will now be at the start screen. (If no Rootkit warning you will go from step 4 to 6.)

 

6. The following image opens, select Next.

 

Image2.png

 

7. The following image opens, select Update

 

Image3.png

 

8. When the update completes select Next.

 

Image4.png

 

9. In the following window ensure "Targets" are ticked. Then select "Scan"

 

Image5.png

 

10. If an infection is found select the "Cleanup Button" to remove threats, Reboot if prompted. Wait while the system shuts down and the cleanup process is performed.

 

MBAntiRKcleanA.png

 

11. Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click "Cleanup Button" once more and repeat the process.

12. If no threats were found you will see the following image, Select Exit:

 

Image6.png

 

13. Verify that your system is now running normally, making sure that the following items are functional:

 


  • Internet access
  • Windows Update
  • Windows Firewall

 

14.  If there are additional problems with your system, such as any of those listed above or other system issues, then run the 'fixdamage' tool included within Malwarebytes Anti-Rootkit folder.

 

15. Select "Y" from your Keyboard, tap Enter.

 

16. The fix will be applied, select any key to Exit.

 

17. Let me know how your system now responds. Copy and paste the two following logs from the mbar folder:

 

System - log

Mbar - log   Date and time of scan will also be shown

 

Thanks,

 

Kevin...

Link to post
Share on other sites

When I start Internet Explorer 11 in safe mode, that is, iexplore -extoff, IE no longer presents blue hyperlinked text with popup ads or a survey banner across the top of the page.

BTW, I have another problem that might be relevant. I had forgotten to mention it because I have had it disabled for so long. Something seeks my floppy disk bay frequently. I disabled the floppy drive in device manager to silence it.

Link to post
Share on other sites

As IE runs ok with all addons and extensions disabled it proves a point, I guess it would be safe to assume the same could be said for Chrome. Run the following:

 

Download Zoek.zip from here http://www.hijackthis.nl/smeenk/220813/zoek.zip and save that zip file to your Desktop.

 

Double click zip file and extract to your  Desktop:

 

 

Zoekd.jpg

 

 

You will now have 3 versions of the tool on the Desktop:

 

 

Zoeke.jpg

 

Before running Zoek make sure all Browsers are closed and Security is turned OFF. Check at the following link:  http://www.techsupportforum.com/forums/f50/how-to-disable-your-security-applications-490111.html

 

Double click on each in turn until one version of Zoek will run (accept UAC). The following window will open:

 

 

Zoekb.jpg

 

 

Copy and paste the following script from the code box and paste into the field.

 

 

emptyclsid;firefoxlook;FFdefaults;Chromelook;CHRdefaults;autoclean;iedefaults;filesrcm;startupall;silentrunners;

 

 

Select the "Run Script" tab. The following window will open:

 

 

 

Zoekc.jpg

 

 

 

Please be patient and do not use the PC when the scan is in progress.

 

When complete you may be asked to re-boot your PC, if so please do.

 

Zoekf.jpg

 

Post the produced log in your next reply. After you save the log, re-boot and check if IE and Chrome are ok....

Link to post
Share on other sites

Zoek will reset IE and Chrome back to Default settings, I would be interested to see if that will help us. Unfortunately Chrome does not have a safe mode option. The only way is to Delete its Default folder or rename it, Start Chrome and a new Default folder would be created with no previous settings..

 

Folder is here: C:\User > Username > Appdata> Local > Google > Chrome > User Data > Default...

 

It would also be necessary to show "Hidden files and folders" to see that ...

Link to post
Share on other sites
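A way to review what is installed in the Chrome profile folder mentioned above without launching the browser, as an added example (not part of the original posts and not code from any tool named in the thread): it reads each extension's manifest.json under the profile's Extensions folder and marks the ones whose content scripts match every site, which is the capability an extension needs to rewrite text on arbitrary pages. The function names, the Windows path built from LOCALAPPDATA and the two sample extensions are assumptions constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path

# Match patterns that let a content script run on (nearly) every page.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def default_profile():
    # Assumption: standard per-user Chrome profile location on Windows.
    base = os.environ.get("LOCALAPPDATA", "")
    return Path(base) / "Google" / "Chrome" / "User Data" / "Default"

def audit_extensions(profile):
    """Return one record per <profile>/Extensions/<id>/<version>/manifest.json.
    Names may be localisation placeholders such as __MSG_appName__."""
    records = []
    for manifest in sorted(Path(profile).glob("Extensions/*/*/manifest.json")):
        ext_id, ver_dir = manifest.parts[-3], manifest.parts[-2]
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):  # unreadable or malformed manifest
            records.append({"id": ext_id, "name": "<unreadable manifest>",
                            "version": ver_dir, "injects_everywhere": None})
            continue
        matches = {m for cs in data.get("content_scripts", [])
                   for m in cs.get("matches", [])}
        records.append({"id": ext_id, "name": data.get("name", "?"),
                        "version": data.get("version", "?"),
                        "injects_everywhere": bool(matches & BROAD)})
    return records

def build_sample_profile(root):
    # Constructed sample data: two made-up extensions, not taken from the thread.
    samples = {
        "a" * 32: {"name": "Sample Notes", "version": "1.0", "content_scripts":
                   [{"matches": ["https://notes.example/*"], "js": ["n.js"]}]},
        "b" * 32: {"name": "Sample Link Helper", "version": "2.3", "content_scripts":
                   [{"matches": ["<all_urls>"], "js": ["inject.js"]}]},
    }
    for ext_id, manifest in samples.items():
        d = Path(root) / "Extensions" / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rec in audit_extensions(build_sample_profile(tmp)):
            flag = "RUNS ON ALL SITES" if rec["injects_everywhere"] else "site-limited"
            print(f'{rec["id"]}  {rec["name"]} {rec["version"]}  [{flag}]')
```

To check a real profile, call `audit_extensions(default_profile())` with Chrome closed; a flagged entry is a candidate for review, not proof that it is unwanted.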

Zoek completed.

 

I opened http://home.ancestry.com/  in IE11.  The site has had a survey banner across the top and hyperlinked text.  I DO NOT see any now.  I also opened it in Version 31.0.1650.26 beta-m.  No banner or hyperlinked text in Chrome either.  The Browsers are working properly. 

How should I proceed, is it OK to re-enable the extensions and add ins?  Or, might the problem be with one of them?

Pasting the  Zoek log file exceeds the post length limit.  I will attach it instead..

zoek-results.log

Link to post
Share on other sites

Before we clean up/remove tools etc best to run an online AV scan to ensure there are no remnants of any possible infection left on your system, this scan can take several hours to complete, it is very thorough and well worth running, please be patient and let it complete:

 

Run Eset Online Scanner

 

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

 

Go to Eset web page http://www.eset.com/us/online-scanner/ to run an online scan from ESET.

 

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    Click Start
  • When asked, allow the add/on to be installed
    Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
  • Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
    Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

 

When the scan is complete

 

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

 

If threats were found

 

  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish

 

close program

 

copy and paste the report here

 

Kevin...

Link to post
Share on other sites

We need to remove FRST; first, it is very important to deal with its Quarantine folder using FRST itself..

OK, we continue:

 

Download attached fixlist.txt file and save it to the Desktop, or the folder you saved FRST into.

NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

 

Run FRST and press the Fix button just once and wait.

The tool will make a log on the Desktop (Fixlog.txt). That will confirm the removal action, delete if successful. 

 

Next,

 

Delete FRST.exe from your Desktop or the folder it was saved to, navigate to and delete its folder C:\FRST

 

Next,

 

Uninstall adwcleaner.exe

 

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Uninstall
  • Click Yes at Would you like to Uninstall Adwcleaner

 

 

Next,

 

Delete Junkware Removal tool from the Desktop or folder you saved it to, navigate to C:\Windows\Erunt and delete that folder.

 

Any other tools you save to Desktop or Downloads folder can be deleted....

 

Let me know if that completes ok, also if any remaining issues or concerns....

 

As you use Chrome have a read at the following link: http://blog.malwarebytes.org/privacy-2/2013/10/chromes-solution-to-the-unsavvy-poses-a-potential-risk/

 

Kevin

fixlist.txt

Link to post
Share on other sites

Kevin, I have uninstalled FRST, Adwcleaner, Junkware and all the others.

 

I have reviewed and saved a bookmark to the advice on Chrome to my desktop for follow up action.

 

I have developed a problem that seems to have arisen from the malware exorcism, my computer's boot up has become erratic.  Sometimes, it boots up in a snap, other times it does not appear to load explorer following login, stuck at a black screen with a mouse cursor.   What would you suggest I do to cure boot up, run a startup repair or . . . ?

Link to post
Share on other sites

ARGH. 

I launch msconfig.  I then uncheck the load startup items under the General tab. Click OK.  That works fine.

 

However, each time I open the services tab, check hide Microsoft services then click disable all and click apply, the orb starts spinning and msconfig stops responding.  I eventually must do a power down reboot to close msconfig.

Link to post
Share on other sites

Revert back to Normal boot option, then do the following:

 

I see you have CCleaner installed, open that program then Select > Tools > Start up > Windows tab. The start up list for non MS entries will populate. Look to the bottom right hand corner, "Save to text file" tab will be there, select that option, copy/paste that log to next reply...

Link to post
Share on other sites

My last post is missing.

In it I reported booting into safe mode to run msconfig successfully.

I have done 5 reboots following the change in configuration -- each popped right up after I logged in.

 

I noted a program/service called Sendori that I do not recall installing. I uninstalled it.

Link to post
Share on other sites

That was not fun.  I went into safe mode and reverted back to a normal boot up.

 

Unfortunately, the computer booted to a black 0xc000000e error screen, telling me to repair Windows, which I did from my repair disk.

 

Things are back to normal.  Although, I see that the Intel AppUp Center launches at startup again, after having been disabled for some time.

 

Attached is the startup.txt file created by CCleaner

startup.txt

Link to post
Share on other sites

This topic is now closed to further replies.