Infection Warning Potential Malware


Hi,

Firstly, thanks so much for potentially helping me out.
We have a computer that is getting some type of adware that comes up saying that there are infections, as you can see in the image files Popup1 & Popup2.
I have Norton installed, and a scan does not find anything wrong. 
I downloaded Malwarebytes, and ran a scan. The first scan found 93 threats, and all were quarantined as shown in 1-12-malwarebytes original scan.txt.
The pop ups still occurred after the quarantine. 
I ran the FRST scan with the Addition checked. I have included both of these logs. I also reran the Malwarebytes scan and posted that log as well. 
1-24-malwarebytes latest scan.txt

Popup1.jpg

Popup2.jpeg

1-12-malwarebytes original scan.txt 1-24-malwarebytes latest scan.txt Addition.txt FRST.txt

  • Root Admin

Hello @CharlieDeL

The logs do show you have Norton 360 installed.


AV: Norton 360 (Enabled - Up to date) {1122B19A-E671-38EC-8EAC-87048FD4528D}
AV: Norton 360 (Enabled - Up to date) {A2708B76-6835-6565-CB96-694212954A75}
AV: Norton 360 (Enabled - Up to date) {9E3FD331-C4C2-7AC4-0537-131EEF1B1F8A}
FW: Norton 360 (Enabled) {9A4B0A53-225A-643D-E0C9-C077EC460D0E}
FW: Norton 360 (Enabled) {A6045214-8EAD-7B9C-2E68-BA2B11C858F1}
FW: Norton 360 (Enabled) {291930BF-AC1E-39B4-A5F3-2E31710715F6}


From the installed programs section

Norton 360 (HKLM-x32\...\NGC) (Version: 22.20.5.39 - Symantec Corporation)

Please follow the directions from the following topic and let us know if that helps before we go further and do additional clean up.

Thanks


Hello @AdvancedSetup. I turned off the sync as specified, and reran both the Malwarebytes & Norton scans again (in that order), and neither of them found anything. I have left off the sync for now just to make sure. Please let me know if you might have any further steps. Appreciate the assistance.

  • Root Admin

Are you sure you have not enabled or allowed Push Notifications on your browser?

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

Please go to Control Panel, Programs, Programs and Features and uninstall the following

Bonjour
Java 8 Update 40
Shopping App by Ask

Then temporarily disable your Norton 360 live protection and run the following

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


Hi @AdvancedSetup. The chkdsk & sfc commands just finished. Both ended well. The sfc output appears in the screenshot below. The machine is back up now, and Chrome is restarted. It's pretty late here, so I will check in the morning to see if the popups are still happening. Fingers crossed! Thanks

image.png

  • Root Admin

If needed I can help you with a script to fully remove Google Chrome from the system. Then see if the issue goes away. If all good for a day then we can reinstall Google Chrome if you like.

Let me know. I'm officially off work until tomorrow morning (PST) but will try to check back tonight if I can

Cheers


Hi @AdvancedSetup. Well, it looks like I am at the point where total removal of Chrome is in order. If you have that script available, that would be great. I am afraid that just a straight-up uninstall would leave remnants that could be harmful upon reinstall. Please pass it along.

After the last step, there were no popups for like 8 hours, and I thought we had it beat. But then they came back again.

As always, thanks for the assistance. Also, I bought the Home version of the product during this time. I am hoping that this will proactively prevent it from happening again.

As far as I can tell, my wife added an extension having to do with grocery coupons, and that was the start of this.

  • Root Admin

If you open Chrome Settings, Extensions. Do you still have any 3rd party extensions installed?

From the address bar you can enter this to go directly to the extensions

chrome://extensions/

I'll find the Google Chrome removal script, but in the meantime make sure you back up any bookmarks or passwords. Then do a normal uninstall from Control Panel.

Then run FRST again after the restart of the computer and post back both new logs and I'll modify the script to do a full removal of Google Chrome

Thanks @CharlieDeL

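The two questions the Root Admin has been asking (which sites the browser has been allowed to push notifications from, and which third-party extensions are still installed) can be answered from Chrome's profile on disk rather than by clicking through the UI. The script below is an added example, not code from this thread or from Malwarebytes. It assumes Chrome's JSON layout as found in real profiles: `profile.content_settings.exceptions.notifications` in the `Preferences` file, with `"setting": 1` meaning allow and `2` meaning block, and `extensions.settings` in `Secure Preferences` on current Windows builds (older builds keep it in `Preferences`), with `"location": 5` marking Chrome's own bundled component extensions. Those key names and values should be verified against your own files. The embedded JSON is a constructed sample, not a real user's profile.

```python
"""Audit a Chrome profile for notification grants and third-party extensions.

Added example; not code from the thread. Chrome stores profile settings as JSON
under %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\. The keys used here
are assumptions from inspecting real profiles, so verify them on your own files:
  Preferences        -> profile.content_settings.exceptions.notifications
                        ("setting": 1 = allow, 2 = block)
  Secure Preferences -> extensions.settings (older builds: in Preferences)
                        ("location": 5 = bundled component extension)
Run it with Chrome closed, or against a copy of the files.
"""
import json
import os
import sys
from pathlib import Path

ALLOW, BLOCK = 1, 2
COMPONENT_LOCATION = 5

# Constructed sample standing in for a real profile; not real user data.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://news.example.com:443,*": {"setting": ALLOW, "last_modified": "13255"},
        "https://coupon-alerts.example:443,*": {"setting": ALLOW, "last_modified": "13256"},
        "https://mail.example.org:443,*": {"setting": BLOCK, "last_modified": "13257"},
    }}}},
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {
            "from_webstore": True, "state": 1, "location": 1,
            "manifest": {"name": "Grocery Coupon Finder", "version": "2.1",
                         "permissions": ["tabs", "notifications", "<all_urls>"]}},
        "nmmhkkegccagdldgiimedpiccmgmieda": {
            "from_webstore": True, "state": 1, "location": COMPONENT_LOCATION,
            "manifest": {"name": "Chrome Web Store Payments", "version": "1.0"}},
    }},
})


def notification_grants(prefs: dict) -> list:
    """Origin patterns the profile has allowed to show push notifications."""
    exceptions = (prefs.get("profile", {}).get("content_settings", {})
                  .get("exceptions", {}).get("notifications", {}))
    return sorted(p for p, v in exceptions.items() if v.get("setting") == ALLOW)


def third_party_extensions(prefs: dict) -> list:
    """Installed extensions other than Chrome's own bundled components."""
    found = []
    for ext_id, meta in prefs.get("extensions", {}).get("settings", {}).items():
        if meta.get("location") == COMPONENT_LOCATION:
            continue
        manifest = meta.get("manifest", {})
        found.append({"id": ext_id,
                      "name": manifest.get("name", "<no manifest>"),
                      "permissions": manifest.get("permissions", []),
                      "from_webstore": bool(meta.get("from_webstore"))})
    return sorted(found, key=lambda e: e["id"])


def audit(*prefs_texts: str) -> dict:
    """Report over one or more profile JSON documents (Preferences, Secure Preferences)."""
    grants, exts = set(), {}
    for text in prefs_texts:
        doc = json.loads(text)
        grants.update(notification_grants(doc))
        exts.update({e["id"]: e for e in third_party_extensions(doc)})
    return {"notifications": sorted(grants),
            "extensions": [exts[i] for i in sorted(exts)]}


def main(argv):
    profile = Path(argv[1]) if len(argv) > 1 else (
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default")
    docs = [p.read_text(encoding="utf-8")
            for p in (profile / "Preferences", profile / "Secure Preferences") if p.is_file()]
    if not docs:
        print(f"no Chrome profile at {profile}; showing the constructed sample")
    report = audit(*docs) if docs else audit(SAMPLE_PREFERENCES)
    print("Sites allowed to push notifications:")
    for pattern in report["notifications"] or ["(none)"]:
        print("  ", pattern)
    print("Third-party extensions:")
    for e in report["extensions"]:
        print(f"   {e['name']} [{e['id']}] webstore={e['from_webstore']} "
              f"permissions={','.join(e['permissions']) or '(none)'}")


if __name__ == "__main__":
    main(sys.argv)
```

An extension that asks for `notifications` together with `<all_urls>` and a list of allowed notification origins you do not recognise are the two things to look for; each can be revoked from `chrome://settings/content/notifications` and `chrome://extensions/`. If `extensions.settings` is in `Secure Preferences`, editing that file by hand will not work, because Chrome validates it with an HMAC and discards a tampered copy, so remove extensions through the browser rather than by deleting JSON entries.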
  • Root Admin

Please do the following @CharlieDeL

Okay, well, you do have the notification back in Chrome again. What makes it keep returning, though? I'm not sure if you've removed your Sync already.

Please go to Control Panel, Programs, Programs and Features and uninstall the following

  • Bonjour
  • Coupon Printer for Windows
  • Java 8 Update 40
  • Google Chrome
  • Shopping App by Ask

Restart the computer once all has been removed.

What exactly is mDNSResponder.exe? (Bonjour)

https://www.groovypost.com/howto/howto/what-is-mdnsresponder-exe-and-why-is-it-running/

MDNSResponder, also known as Bonjour, is Apple’s native zero-configuration networking process for Mac that was ported over to Windows and associated with MDNSNSP.DLL.  On a Mac or iOS device, this program is used for networking nearly everything.  On Windows, this process is only necessary for sharing libraries via iTunes and other Mac applications like the Apple TV that were ported to Windows.  Bonjour allows different computers running iTunes to communicate with each other regardless of network configuration, this is because it enables automatic network discovery.

What Is mDNSResponder.exe / Bonjour and How Can I Uninstall or Remove It?
https://www.howtogeek.com/howto/6456/what-is-mdnsresponder.exe-bonjour-and-how-can-i-uninstall-or-remove-it/

You may have some type of compatibility issue with Norton 360. Our program Malwarebytes has crashed more than once, which could possibly be Norton blocking it.

For the fix below please make sure you temporarily disable Norton, and exit out of Malwarebytes and then run the fix.

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.
NOTE. It's important that both files, FRST or FRST64, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real time antivirus or security software before running this script. Once completed make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks


Hi @AdvancedSetup. My apologies, I have not been back home as I am working 36 hours on, so I could not get back to you. I am one post behind you, and am responding to your post from Thursday at 11:28 PM. I definitely have sync turned off. Please see the attached file image.png.

I have uninstalled Chrome, and ran FRST again. I have uploaded txt files. 

Please let me know if I should proceed to your last set of instructions, or would you like to analyze the latest logs first. Again, thanks for the assistance! 

image.png

Addition.txt FRST.txt

This topic is now closed to further replies.