Jump to content

Recommended Posts

I keep getting popups on google chrome even though I have reset it multiple times, run malware bytes adwcleaner 3 times, and have scanned my computer 5 times with malware bytes premium, and I have even scanned it in safe mode. I am getting popups that malware bytes is blocking, but it can't find the Trojan on my computer. I am rather frustrated at this point because I paid $40 for this very reason, but my problem has not been resolved.

Link to post
Share on other sites

Hi halowarthog :)

Are you able to provide a screenshot of the block (pop-up notification) when it occurs, or copy/paste the content of the Protection event log?

Link to post
Share on other sites
8 minutes ago, Aura said:

Hi halowarthog :)

Are you able to provide a screenshot of the block (pop-up notification) when it occurs, or copy/paste the content of the Protection event log?

I uploaded a text file of one the reports and a picture of all the reports. As seen the picture you can see how extensive the list is.

Report List.png

Protection Block via Malwarebytes.txt

Link to post
Share on other sites

Okay, that was from a while ago that is my bad. I didn't see the time stamps on the right side till after. Which is why I attached an additional picture of the current issue. My current issue is popup ads, different starting pages on chrome, and "secure search" tool-bars. I have already gone ahead and done the standard of closing all P2P applications like steam, skype discord, etc. To help continue with the actual issue at hand. 

Link to post
Share on other sites

Scanning with FRST won't fix anything. Running a fixlist will. And I'm at work right now, hence why I cannot always reply right away. Here, let's run a first FRST fix and JRT as well.

iO3R662.pngFarbar Recovery Scan Tool (FRST) - Fix mode
Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST.exe/FRST64.exe executable is located);
  • Right-click on the FRST executable and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Click on the Fix button;
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Copy and paste its content in your next reply;

iT103hr.pngJunkware Removal Tool (JRT)

  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Spcusrh.pngRun as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users);
  • Press on any key to launch the scan and let it complete;
    Credits : BleepingComputer.com
  • Once the scan is complete, a log will open. Please copy/paste the content of the output log in your next reply;

Your next reply(ies) should therefore contain:

  • Copy/pasted conent of FRST's fixlog.txt;
  • Copy/pasted of JRT's log;



Link to post
Share on other sites



Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.1.2 (03.10.2017)
Operating System: Windows 10 Education x64 
Ran by Zachary (Administrator) on Mon 04/10/2017 at 14:41:12.35

File System: 0 

Registry: 0 

Scan was completed on Mon 04/10/2017 at 14:42:34.12
End of JRT log

Fix result of Farbar Recovery Scan Tool (x64) Version: 15-03-2017
Ran by Zachary (10-04-2017 14:36:58) Run:1
Running from C:\Users\Zachary\Desktop
Loaded Profiles: Zachary (Available Profiles: defaultuser0 & Zachary)
Boot Mode: Normal

fixlist content:

HKLM-x32\...\Run: [] => [X]
ShellIconOverlayIdentifiers: [00avg] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
Startup: C:\Users\Zachary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk [2017-01-30]
ShortcutTarget: Curse.lnk -> C:\Users\Zachary\AppData\Roaming\Curse Client\Bin\Curse.exe (No File)

AutoConfigURL: [S-1-5-21-1356719073-80366876-1192813634-1001] => hxxp://tech-access.biz/wpad.dat?1d84615bb95b7534dfcde9e9abcdaaee28027288
HKU\S-1-5-21-1356719073-80366876-1192813634-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxps://mysearch.avg.com/?cid={A56F64E1-7797-4A31-9109-9506B48E3B24}&mid=110efb1613f447cf9915e99c01c16ee6-3fcf1716bbd8ac00269e07370455838898eefd1c&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-04-10 13:04:31&v=
SearchScopes: HKU\S-1-5-21-1356719073-80366876-1192813634-1001 -> DefaultScope {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={A56F64E1-7797-4A31-9109-9506B48E3B24}&mid=110efb1613f447cf9915e99c01c16ee6-3fcf1716bbd8ac00269e07370455838898eefd1c&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-04-10 13:04:31&v={searchTerms}
SearchScopes: HKU\S-1-5-21-1356719073-80366876-1192813634-1001 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = hxxps://mysearch.avg.com/search?cid={A56F64E1-7797-4A31-9109-9506B48E3B24}&mid=110efb1613f447cf9915e99c01c16ee6-3fcf1716bbd8ac00269e07370455838898eefd1c&lang=en&ds=AVG&coid=avgtbavg&cmpid=ZenTest_B_0&pr=fr&d=2017-04-10 13:04:31&v={searchTerms}
BHO: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> No File

S2 MEmusvc; C:\Program Files (x86)\MEmu\MemuService.exe [X]
S3 ALSysIO; \??\C:\Users\Zachary\AppData\Local\Temp\ALSysIO64.sys [X] <==== ATTENTION



Processes closed successfully.
Error: (0) Failed to create a restore point.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avg => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
C:\Users\Zachary\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Curse.lnk => moved successfully
C:\Users\Zachary\AppData\Roaming\Curse Client\Bin\Curse.exe => not found.
HKU\S-1-5-21-1356719073-80366876-1192813634-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\AutoConfigURL => value removed successfully
HKU\S-1-5-21-1356719073-80366876-1192813634-1001\Software\Microsoft\Internet Explorer\Main\\Start Page => value restored successfully
HKU\S-1-5-21-1356719073-80366876-1192813634-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-21-1356719073-80366876-1192813634-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233} => key removed successfully
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => key not found. 
HKLM\System\CurrentControlSet\Services\MEmusvc => key removed successfully
MEmusvc => service removed successfully
HKLM\System\CurrentControlSet\Services\ALSysIO => key removed successfully
ALSysIO => service removed successfully
C:\Users\Zachary\AppData\Local\fa00e67d => moved successfully

=========== EmptyTemp: ==========

BITS transfer queue => 17049921 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 91642125 B
Java, Flash, Steam htmlcache => 301057552 B
Windows/system/drivers => 21476551 B
Edge => 14488204 B
Chrome => 37086071 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 128 B
systemprofile32 => 128 B
LocalService => 4130 B
NetworkService => 333160 B
defaultuser0 => 588289 B
Zachary => 3925940544 B

RecycleBin => 0 B
EmptyTemp: => 4.1 GB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 14:37:41 ====

Link to post
Share on other sites

Do you have Google Chrome installed on another device (another laptop, computer, etc.) with your Google account logged in, or not?

Link to post
Share on other sites

Alright. In your case, uninstalling and reinstalling Google Chrome might be the fastest way to get rid of the hijacking.

Link to post
Share on other sites

Yes, I currently have my homepage at YouTube to avoid secure search and secure-surf.net. As a google page as a bar on the top which is the secure search, and secure-surf.net is the new tab that opens up if you set your on startup to "Open the New Page tab".

Link to post
Share on other sites

You can manage these and remove the hijacks manually. If you cannot find how, I'll provide you screenshots when I get home (since my Google Chrome install at work is in French). Basically, if you go in the "Manage Search Engines" button, remove all of them and only leave Google (on top of making it default), these should go away.

Link to post
Share on other sites

Alright in that case, run a new scan with FRST, and provide me the FRST.txt and Addition.txt logs. I'll take a look at where that setting is left.

Link to post
Share on other sites

I think I may of fixed it. Here is what I believe happened.

The virus/adware latched on to my google account that saves autofill, bookmarks, etc. So what I did was I logged out of this account and made sure I checked the boxes that deleted the history and whatever. Then I deleted chrome, and reinstalled it. When I resynced the account all I checked to sync was "Autofill", "History", and "Passwords". The tool bar and secure-surf.net is no longer showing up, even after 3 restarts of chrome and an infinite amount of new tab openings. 

So I was able to keep my autofill settings which is needed because all my passwords are pretty much different but I keep them hidden in the physical world, and my history so I can get back to what I was doing beforehand.

Link to post
Share on other sites
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.