I posted a topic (https://forums.malwarebytes.com/topic/249646-remove-pupoptionalspigota/) on July 21st and waited for any reply, but only saw one today from kevinf80 telling me the post was closed. I never saw a notice that he had answered me on that same Sunday. Anyway today I followed all his instructions, but he wanted me to reply with attached log files. I have the log files attached to this post. How do I get them to kevinf80?

malwarebytesScan.txt adwcleaner_7.4.txt FRST.txt Addition.txt


Hello martinduo,

Thanks for those logs, you were listed to follow your other thread so should have received an email informing you of replies....

The log from adwcleaner is not correct, can you attach again the relevant log. Logs are saved here: C:\AdwCleaner\logs

The one we want is named as follows if items were removed: AdwCleaner[C00].txt the digits after C indicate run number...

Can you also run another scan with Malwarebytes and post a fresh log.

Thank you,

Kevin


Thanks for those logs, make clean install of Google Chrome, see if that clears the issue...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

For your Passwords go here:

https://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Next,

Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings/syncSetup hit enter...

In the new window that opens "Sync everything" will probably be selected, scroll down to and select "Managed sync data on Google Dashboard"

A new window will open, scroll down to and select "Reset Sync" that will clear synced data from Google Server...

Continue to next step to completely Uninstall Chrome....

Next.

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Install Google Chrome :

Next,

Import your Bookmarks... (instructions in the first step)

Import Passwords... (instructions in second step above)

Next,

Install uBlock Origin for Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

Does that help...

Hi Kevin,
Yes my Chrome bookmarks are very important. I have hundreds all saved in nested folders by using the Bookmark Manager. I would hate to lose that organization. Will your suggested procedure preserve that? Also I'm synced with Google on my Chromebook where I have access to the same bookmarks. Will I have to clean up over there also to prevent infecting my PC again?

The only way to remove the constantly returning spigot problem is to reset sync on Google servers, I always recommend going one step further and making a fresh clean install of Chrome. Yes the links for saving Passwords and Bookmarks work 100% if followed correctly. I've used those instructions personally many times, here at Malwarebytes many times and other similar forums many times successfully... The decision to follow the instructions is down to you, I can only recommend..


Your instructions to get to the "Reset Sync" button don't agree with what I see. I found the "chrome.google.com/sync?hl=en-us" page with the "Reset Sync" button. I clicked that and uninstalled Chrome as per instructions. BUT I can not delete "\AppData\Local\Google". Permission is denied even with administrator privileges. I even went into Safe Mode to do the "RD /S /Q C:\Users\Bruce\AppData\Local\Google" command but still was not able to delete that Google folder.

I read in "https://www.guidingtech.com/52019/delete-files-windows-10/" about "Unlocker", and installed that (using Windows Defender to skip one download with infections). Activating Unlocker by right clicking the Google folder gives a message: "No Locking handle Found", and an offer to perform a Delete action. Running that gives a message: "The object could not be deleted", and an offer to perform the requested delete operation at next reboot. Selecting Yes and rebooting still does not do the delete. Attached is a Malwarebytes scan done just now.

So now my question is, do I leave Chrome as uninstalled and just use Firefox only? Is my only solution a clean re-install of Win10?

I am buying a new computer next month, so I could just continue using Firefox with things as they are now until then. Is there any problem with leaving the PUPs until then? And even more important, if I install Chrome on my new computer, does it have a vulnerability that will infect my new computer with PUPs again?

 

malwarebytesScan.txt


Thanks for the reply, I see no reason for a clean install of Windows. We could try removing the google folder with FRST, see if that shifts it. From the Malwarebytes log I see you've picked up Babylon, that will have been piggybacked to UnLocker...

See if FRST does move the google folder, if it does, run Malwarebytes again. If spigot is not found reinstall Chrome and see how it responds..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.

 

 

fixlist.txt


I ran FRST but I clicked the scan button, using the instructions on the FRST page, not yours. That file is named FRST-scan.txt and is attached. Also the Addition-scan.txt is attached in case they are useful. I went back and ran FRST again and clicked the Fix button. Even though the Fixlog.txt says it was moved, the C:\Users\Bruce\AppData\Local\Google folder is still there. I did notice that yesterday there were two subfolders Chrome and Drive. Now there is only Drive. I think I saw that was the case even before I clicked the Fix button. Is it the Chrome subfolder we were trying to get rid of? Should I uninstall Unlock?

I'll be away now for a couple of hours.

The Malwarebytes scan is still running, but I have to leave now. I'll send it later when I get back.

 

FRST-scan.txt Addition-scan.txt Fixlog.txt


Hello martinduo,

Thanks for the update and logs, post Malwarebytes log whenever you're ready. After that I'll post another FRST fix to remove all remnants of Google and Babylon, after that you can reinstall Chrome and import Bookmarks and Passwords. As long as all Sync data was reset you should not have any further issues..

You may also want to d/l and install UnChecky  -  https://unchecky.com/ helps to stop unwanted extras when installing certain free software..

Thanks,

Kevin..


The scan says No Threats Detected. Yea!

Now I can install Chrome, import my bookmarks, install uBlock Origin, right?

Before I do that do I have to hit "Reset Sync" on my Chromebook, or is that unnecessary since I did it already on my PC?

What did I do to infect Chrome with spigot? Is it from a web site or a download like unLocker (which Malwarebytes wouldn't let me download)?

malwarebytesScan.txt


I want you to run another fix with FRST before you reinstall Chrome. If you've reset sync on your PC all data will have been removed from Google servers..

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Open FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.


Next,

Reinstall Chrome...

Thanks,

Kevin..

fixlist.txt


Okay I ran it, Fixlog.txt is attached.

I'm wondering about "reset sync". I ran it on my PC to remove all data from Google servers. But my Chromebook is also signed in on my Google account and has all my bookmarks, etc available on its home page. Isn't that device repopulating the Google server with that data? Will that include copies of the PUPs, etc or is that just Win10 stuff not pushed to Chromebook?

Also, if I delay importing my exported bookmarks, will they be restored via the sync from the Chromebook? Just curious. I assume I can short circuit that syncing by just importing them to the PC.

Fixlog.txt


I've installed Chrome and imported the bookmarks. I did not reset sync on the Chromebook. I'm waiting to see if a bookmark change I made on the PC is synced to the Chromebook now like before. I may have to investigate this feature and experiment some to understand it.

Thank you for the awesome support. I made a donation through PayPal, it's from Bruce Martin.


Yes, running okay with no quarantined files. Yay!

But something new has appeared: Protection Events - Website blocked. The exported report for one of them is shown below. Any ideas about why this just started? Looks like some reporting back to Microsoft. The only changes I've done have all been with Chrome.

Windows has got the feature update for 1903 queued up for when I next restart. So I may be off the air for awhile. I'm going to let it run now.

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 7/30/19
Protection Event Time: 7:39 PM
Log File: 517718f8-b323-11e9-9d32-5c514f50594b.json

-Software Information-
Version: 3.8.3.2965
Components Version: 1.0.613
Update Package Version: 1.0.11788
License: Premium

-System Information-
OS: Windows 10 (Build 17763.437)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Malware
Domain: settings-win.data.microsoft.com
IP Address: 20.36.218.63
Port: [56842]
Type: Outbound
File:

 

(end)


Clean report from Malwarebytes. No blocks. After we cleaned up the PUPs, I installed the cumulative updates for Win 1809 that were waiting for me. Maybe something there triggered the false positives. Anyway just after doing those updates, the feature update to 1903 was posted to me and I installed that. And now the false positives are gone. All is well. Thanks again for your great help.

MalwarebytesCleanReport.txt


Hello martinduo,

Good to hear all is well, continue to clean up:

Right click on FRST here: C:\Users\Bruce\Downloads\FRST64.exe and rename it to uninstall.exe. When complete, right click on uninstall.exe and select "Run as Administrator"

If you do not see the .exe appended that is because file extensions are hidden, in that case just rename FRST64 to uninstall

That action will remove FRST and all created files and folders...

Run Windows Disk Clean Up Utility - https://neosmart.net/wiki/disk-cleanup/

From there you should be good to go...

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

This topic is now closed to further replies.