Bestdriverstar, simplesitescan, anythicago virus won't go away.

Everytime I connect to the internet these things pop up through Avast and say they come from wnavga.exe.

I also have an extension on my Google Chrome called Dealz and I cannot remove that through any of the conventional methods.

I ran Zoek and attached are my notes.

Please follow the instructions in the sticky at the top of this forum.

Nothing I’ve tried has worked.

In that thread it states to make a new topic in this forum for further assistance.

I will gladly run any scans needed for more info.

It also says other things. Follow the instructions.

Hello sturmgeist13,

Zoek is not a tool that is supposed to be used without expert oversight. Plus, the tool has been run in its autoclean mode.
This is bad because we do not know its previous state, the state before cleaning.

The posted log shows a previously heavily infected Google Chrome with some malicious extension remnants.

Resetting Google Chrome back to its default settings would be a very good thing. Here is how to:
https://support.google.com/chrome/answer/3296214?hl=en

When this is done, download and run Malwarebytes Anti Malware to target and remove known malware. Then, via FRST logs I can target unknown and undetectable malware via scripts.

Follow Eddy’s advice for instructions and posting logs.

Attached are all my scan logs.

I’ve tried uninstalling Chrome and it always comes back.

I had the same problem. Use: System Restore.

No, follow the instructions from a malware removal expert.

Hello sturmgeist13

Re-run the Zoek tool as you did before …

- Close any open browsers and temporarily disable your AntiVirus program (if necessary).
If you are unsure how to do this, please read this or this instruction.

- Double click on zoek.exe to run the tool. Please wait until the tool starts…
- Copy the text present inside the code box below and paste it into the large window in the zoek tool:

Uninstall-List;
EmptyCLSID;
C:\Program Files (x86)\Dll-Files.com Fixer\DLLFixer.exe;i
CHRDefaults;
bghejdcdajlenjngcknlkkoakmmjfanb;chr
bopakagnckmlgajfccecajhnimjiiedh;chr
eeafbffkmccheohnooflcnppngmobeoe;chr
ellbonkjdmgdghkojcjmomekmjpdffde;chr
fllgpcmelbfhcligbphaaplminjpbiad;chr
flliilndjeohchalpbbcdekjklbdgfkk;chr
hpjocjloojeicikiokfiekcdpojgfefc;chr
jmnkgjdfgnjhmnopgmkcpigenfhgajdj;chr
kfbhfniohjdklgcmbmemnpaimpdaikea;chr
manaobgbdfpjjjnheogfghmjbikhjnlf;chr
oaobejgaaiojgggjojlcpbembaoajbmc;chr
bghejdcdajlenjngcknlkkoakmmjfanb;chr
eeafbffkmccheohnooflcnppngmobeoe;chr
ellbonkjdmgdghkojcjmomekmjpdffde;chr
fllgpcmelbfhcligbphaaplminjpbiad;chr
hpjocjloojeicikiokfiekcdpojgfefc;chr
jmnkgjdfgnjhmnopgmkcpigenfhgajdj;chr
kfbhfniohjdklgcmbmemnpaimpdaikea;chr
oaobejgaaiojgggjojlcpbembaoajbmc;chr
EmptyAllTemp;
C:\Users\Jesse\AppData\Local\Temp.dat;f
C:\ProgramData\DP45977C.lfl;f
bitsadmin /reset /allusers >> %temp%\log.txt;b
FilesRCM;
StartupAll;
Reboot;

- Click on the Run Script button.
Please wait until a log report opens (this can be after reboot).

- Save the notepad to your Desktop and attach zoek-results.log here.
Note: It will also create a log in the C:\ directory named “zoek-results.log”.

Thank you, it did get rid of the website attacks via Avast but the Dealz extension is still on my Chrome.

Attached are the zoek logs.

The Zoek log is incomplete. Doesn’t matter. Just post me a fresh FRST.txt log for re-analysis.

Attached is my latest FRST log. Thank you so much for helping.

Hello sturmgeist13,

The best thing would be to reinstall Google Chrome (uninstall first, then install a fresh copy) and then reset the settings back to defaults:
https://support.google.com/chrome/answer/3296214?hl=en

In the uninstallation process, make sure the option “Also delete your browsing data” is ticked.

I see something unusual, so I will tell FRST to act aggressively and remove this. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Hosts:
R2 WinGraph; C:\Windows\wnavga.exe [7680 2015-05-14] () [File not signed]
S5 WinDivert1.1;  <===== ATTENTION Locked Service

Unlock: C:\Windows\wnavga.exe

Reboot:
C:\Windows\wnavga.exe

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
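To show how the service lines in the fix above are read, here is an added Python example (not part of this thread, not FRST code) that parses a few constructed lines in the same FRST "Services" layout and flags the entries an analyst would look at first: an unsigned binary with no company name sitting directly in C:\Windows, and a locked service. The wuauserv line is a constructed, well-formed comparison entry; the "directly in C:\Windows" rule is a heuristic of this example, not an FRST rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in FRST's service layout:
# "<state> <name>; <path> [<size> <date>] (<company>) [<signature note>]"
# The first two mirror the entries from the fix above; the wuauserv line is
# a made-up, normal-looking entry for comparison (size/date are constructed).
SAMPLE_LOG = r"""
R2 WinGraph; C:\Windows\wnavga.exe [7680 2015-05-14] () [File not signed]
S5 WinDivert1.1;  <===== ATTENTION Locked Service
R2 wuauserv; C:\Windows\system32\svchost.exe [27136 2009-07-14] (Microsoft Corporation)
"""

SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);\s*(?P<path>.*?)\s*"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s*\((?P<company>[^)]*)\)"
    r"(?:\s*\[(?P<sig>[^\]]*)\])?$"
)
LOCKED_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);.*ATTENTION Locked Service")


@dataclass
class Finding:
    name: str
    path: Optional[str]   # None for a locked service (FRST prints no path)
    reason: str


def analyse(log: str) -> List[Finding]:
    """Return the service entries that deserve a closer look, with reasons."""
    findings: List[Finding] = []
    for line in log.splitlines():
        locked = LOCKED_RE.match(line)
        if locked:
            findings.append(Finding(locked["name"].strip(), None, "locked service"))
            continue
        m = SERVICE_RE.match(line)
        if not m:
            continue  # not a service line (or a layout this parser does not know)
        reasons = []
        if m["sig"] and "not signed" in m["sig"].lower():
            reasons.append("unsigned binary")
        if not m["company"].strip():
            reasons.append("no company name")
        path = m["path"]
        # Heuristic: service binaries normally live in subfolders, not in C:\Windows itself.
        if path.lower().startswith("c:\\windows\\") and path.count("\\") == 2:
            reasons.append("binary directly in C:\\Windows")
        if reasons:
            findings.append(Finding(m["name"].strip(), path, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.name}: {f.path or '<no path>'} -> {f.reason}")
```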

Here is the Fixlog.

The Dealz extension is gone and everything is seemingly back to normal, thanks a ton!

Good. Now please run Malwarebytes, go to Settings and under Detections and Protections check the box for the Scan for Rootkits option;
Return to the Dashboard and perform a Threat Scan. Post me the resulting log. How to post the MBAM log:

Click on the History tab > Application Logs.
Double click on the scan log which shows the Date and time of the scan just performed.
Click ‘Export’ > ‘Text file’ and save the notepad to your Desktop as e.g. MBAMScan.log

Here is the latest MBAM Scanlog.

Nice and clean. :) Tell me please, how are things now?

Everything is perfectly fine. No signs of attacks through avast and no unwanted extensions on my chrome.

Glad I could help. The posted logs appear clean and show no signs of active infection. You should be good to go …

We’re going to remove the tools I used now, as well as carry out some further cleaning and security settings. To learn more about how to protect yourself, I’ll give you a few tips for reading.

The following will implement some post-cleanup procedures:


Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes:
- Remove disinfection tools
- Create registry backup
- Purge System Restore
Click the Run button and wait a few seconds until the programme completes its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Tip: Do not use security tools such as ComboFix, FRST, Zoek and the like. These are advanced security tools and should not be used without supervision.


Learn how to protect yourself:

=> In order to stay protected it is very important that you regularly update all of your software and Windows Operating System.

It is important that you visit Windows Update regularly.
How to configure and use Automatic Updates in Windows

It’s vital that you keep all your software up-to-date as older versions may have security vulnerabilities. Keeping Java and Adobe updated is a priority.
Download and install latest version of Java
Download and install latest version of Adobe Reader

=> I recommend that you use one of the fantastic opportunities provided by avast! AntiVirus.

For security protection, an active AntiVirus is required. If you want to reinforce your security setup, I recommend additional security software and utilities:
Download and install Malwarebytes’ Anti-Malware and perform a ‘Threat Scan’ from time to time. Malwarebytes will detect and remove all traces of known malware.
Download and install MCShield Anti-Malware Tool to prevent infections transmitted via removable drives.
Download and install Unchecky to keep your checkboxes clear by preventing the installation of additional adware and other PUP software.
Download and install AdBlock for safe web surfing without annoying and malicious ads.

Extra text for reading:

Please visit and review PC Safety and Security - What Do I Need? for some helpful information.

Please visit FAQ - Answers to common security questions - Best Practices to read tips on how to protect yourself against malware infection.

You may also visit and read What to do if your Computer is running slowly? if you would like to read some basic geek stuff.

The specific type of infection:

Meet CryptoPrevent. A security app that attempts to prevent dangerous malware that encrypts certain types of files stored on your disk, like CryptoWall, CryptoLocker and similar clones.

More information about this family of malicious software: CryptoLocker Ransomware Information Guide and FAQ ;
Cryptolocker Ransomware: What You Need To Know and CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ

Stay safe.

Best Regards,
magna86