Chrome extension will not go away

I am trying to help out a friend. They have downloaded something and I removed everything, but on Chrome, even after clearing and reverting back to default, the extension Dealz will not go away and continues to multiply even after I have clean-installed Chrome. I have searched the registry and everything else I can think of. I need a professional to guide me, please.

Attach your basic diagnostic logs. (MBAM, FRST and aswMBR)
Instructions: https://forum.avast.com/index.php?topic=53253.0

Malwarebytes scan log

Fubar Scan logs

OK, now you’ve to wait a bit…

Last log
OK, please let me know what else I should post. Thank you so much for all your help. I have Avast going on your computer, and every page I open has something blocked, but that is why I need your help. :smiley:

I do not understand what you mean by "OK, OK, now you’ve to wait a bit…"

It means, be patient until a removal expert posts further instructions. :wink:

No problem I have patience. :smiley: Thanks.

Let me know what problems remain after this

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-2446882483-999373319-3632143801-1003\...\Winlogon: [Shell] - <==== ATTENTION
ProxyServer: [S-1-5-21-2446882483-999373319-3632143801-1003] => localhost:21320
SearchScopes: HKU\.DEFAULT -> {4C4C7AAB-5854-4241-A414-E2F1EF119C4A} URL = hxxp://www.dnsbasic.com/?prt=DNSBASIC111&sp=&keywords={searchTerms}
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO-x32: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
CHR Extension: (Dealz) - C:\Users\Eraina Smith\AppData\Local\Google\Chrome\User Data\Default\Extensions\bghejdcdajlenjngcknlkkoakmmjfanb [2015-10-27]
CHR Extension: (Dealz) - C:\Users\Eraina Smith\AppData\Local\Google\Chrome\User Data\Default\Extensions\manaobgbdfpjjjnheogfghmjbikhjnlf [2015-10-28]
Task: {42E66589-B926-4B06-959B-089E4C255826} - System32\Tasks\{BD12E89E-CEC1-40B7-8446-B4C2D721D5D5} => pcalua.exe -a "C:\Users\Eraina.Eraina-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMKV1ETG\setupconsumerc2rolw.exe" -d C:\Users\Eraina.Eraina-PC\Desktop
Task: {72C41E91-5F66-4DCB-BF6F-B72ACF50864C} - \GoogleUpdateTaskUserS-1-5-21-2446882483-999373319-3632143801-1000Core -> No File <==== ATTENTION
Task: {8EB2C692-DAE3-4C17-9417-D5F18FF501E0} - \AmiUpdXp -> No File <==== ATTENTION
Task: {8EEC855C-B7D1-42F5-9193-E37B3CCD93B2} - System32\Tasks\{CB0991F9-094D-4148-AB85-904EC17DDF89} => pcalua.exe -a "C:\Users\Eraina Smith\Downloads\setupconsumerc2rolw.exe" -d "C:\Users\Eraina Smith\Downloads"
Task: {A0A88DD2-ECE9-4A70-8CBD-6FC9B523C5C8} - \GoogleUpdateTaskUserS-1-5-21-2446882483-999373319-3632143801-1000UA -> No File <==== ATTENTION
Task: {AF4AB1B6-DCD7-45ED-B53E-A47BEF157920} - System32\Tasks\DPCPHH1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: {CB4A2CA0-F58F-4647-8611-6AB7B5862A19} - System32\Tasks\4788 => Wscript.exe C:\Users\ERAINA~1\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {DD24C05E-9B3D-4E8A-A1C3-B2D2535452A4} - \Test TimeTrigger -> No File <==== ATTENTION
Task: C:\Windows\Tasks\DPCPHH1.job => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
C:\ProgramData\FlashBeat
R2 vseamps; C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [121696 2012-08-24] (Commtouch, Inc.)
R2 vsedsps; C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [119136 2012-08-24] (Commtouch, Inc.)
S3 vseqrts; C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [181600 2012-08-24] (Commtouch, Inc.)
R2 AMP; C:\Windows\system32\Drivers\amp.sys [173408 2012-08-24] (Commtouch, Inc.)
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f

RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.
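For a reader who wants to understand what the fixlist above is actually removing rather than just running it, the block below is an added example (not part of the thread, and not FRST's own code) that parses FRST-style listing lines and ranks them. The sample entries are copied from the helper's fixlist; the severity rules are this example's own heuristics and are stated as an assumption in the code. The entries it puts at the top are the ones that explain the symptoms in the thread: a per-user proxy pointing at localhost:21320 (every browser request goes through a local listener, which fits "every page I open has something blocked"), a scheduled task running a .vbs from %TEMP% through Wscript.exe, pcalua.exe used as a launcher (a documented living-off-the-land technique), and the same "Dealz" extension present under two different extension IDs inside the Chrome profile directory under AppData, which a browser reinstall leaves in place unless the profile data is deleted too.

```python
"""Triage of FRST-style listing lines.

Added example, not part of the thread or of FRST itself. The sample entries are
copied from the fixlist posted above; the severity rules are this example's own
heuristics (an assumption), not anything FRST or the helper stated.
"""
import ntpath
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: a subset of the entries from the thread's fixlist.
SAMPLE_LISTING = r"""
ProxyServer: [S-1-5-21-2446882483-999373319-3632143801-1003] => localhost:21320
SearchScopes: HKU\.DEFAULT -> {4C4C7AAB-5854-4241-A414-E2F1EF119C4A} URL = hxxp://www.dnsbasic.com/?prt=DNSBASIC111&sp=&keywords={searchTerms}
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
CHR Extension: (Dealz) - C:\Users\Eraina Smith\AppData\Local\Google\Chrome\User Data\Default\Extensions\bghejdcdajlenjngcknlkkoakmmjfanb [2015-10-27]
CHR Extension: (Dealz) - C:\Users\Eraina Smith\AppData\Local\Google\Chrome\User Data\Default\Extensions\manaobgbdfpjjjnheogfghmjbikhjnlf [2015-10-28]
Task: {8EEC855C-B7D1-42F5-9193-E37B3CCD93B2} - System32\Tasks\{CB0991F9-094D-4148-AB85-904EC17DDF89} => pcalua.exe -a "C:\Users\Eraina Smith\Downloads\setupconsumerc2rolw.exe" -d "C:\Users\Eraina Smith\Downloads"
Task: {AF4AB1B6-DCD7-45ED-B53E-A47BEF157920} - System32\Tasks\DPCPHH1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: {CB4A2CA0-F58F-4647-8611-6AB7B5862A19} - System32\Tasks\4788 => Wscript.exe C:\Users\ERAINA~1\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {DD24C05E-9B3D-4E8A-A1C3-B2D2535452A4} - \Test TimeTrigger -> No File <==== ATTENTION
R2 vseamps; C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [121696 2012-08-24] (Commtouch, Inc.)
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}  # heuristic ranking (assumption)


@dataclass
class Finding:
    severity: str
    kind: str
    detail: str
    meta: Dict[str, str] = field(default_factory=dict)


def _classify_task(body: str) -> Finding:
    """Scheduled-task entry: judge the task by what it actually launches."""
    if "-> No File" in body:
        return Finding("LOW", "orphan-task", "task whose target no longer exists")
    if "=>" not in body:
        return Finding("INFO", "task", body)
    cmd = re.sub(r"\s*<====.*$", "", body.split("=>", 1)[1]).strip()
    # posix=False keeps Windows backslashes literal and quoted paths in one token
    tokens = [t.strip('"') for t in shlex.split(cmd, posix=False)]
    exe = ntpath.basename(tokens[0]).lower()
    if exe in SCRIPT_HOSTS:  # a script host running a script from disk
        return Finding("HIGH", "script-host-task", f"{exe} runs {tokens[1] if len(tokens) > 1 else '?'}")
    if exe == "pcalua.exe" and "-a" in tokens:  # Program Compatibility Assistant as a launcher
        return Finding("MEDIUM", "lolbin-task", f"pcalua.exe launches {tokens[tokens.index('-a') + 1]}")
    if any(marker in tokens[0].lower() for marker in USER_WRITABLE):
        return Finding("MEDIUM", "user-writable-task", f"task runs {tokens[0]} from a user-writable path")
    return Finding("INFO", "task", cmd)


def classify(line: str) -> Optional[Finding]:
    """Map one listing line to a Finding; blank lines yield None."""
    line = line.strip()
    if not line:
        return None
    m = re.match(r"^ProxyServer:\s*\[(?P<sid>[^\]]+)\]\s*=>\s*(?P<proxy>\S+)", line)
    if m:
        local = m.group("proxy").rsplit(":", 1)[0].lower() in LOCAL_HOSTS
        return Finding("HIGH" if local else "MEDIUM", "local-proxy" if local else "proxy",
                       f"user {m.group('sid')} proxies all browser traffic via {m.group('proxy')}")
    m = re.match(r"^CHR Extension:\s*\((?P<name>[^)]*)\)\s*-\s*(?P<path>.*?)\s*\[(?P<date>[\d-]+)\]$", line)
    if m:
        ext_id = ntpath.basename(m.group("path"))  # the directory name is the extension ID
        return Finding("MEDIUM", "chrome-extension", f"{m.group('name')} id={ext_id} installed {m.group('date')}",
                       {"name": m.group("name"), "id": ext_id})
    m = re.match(r"^SearchScopes:.*URL\s*=\s*(?P<url>\S+)", line)
    if m:
        return Finding("MEDIUM", "search-hijack", f"default search redirected to {m.group('url')}")
    if line.startswith("Task:"):
        return _classify_task(line[len("Task:"):].strip())
    if re.match(r"^(BHO|BHO-x32|Handler):", line) and line.endswith("No File"):
        return Finding("LOW", "orphan-ie-hook", "IE hook whose DLL is gone")
    m = re.match(r"^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);\s*(?P<path>.*?)\s*\[", line)
    if m:
        return Finding("INFO", "service", f"service {m.group('svc')} ({m.group('state')}) at {m.group('path')}")
    return Finding("INFO", "other", line)


def triage(listing: str) -> List[Finding]:
    """All findings, highest severity first (stable, so input order is kept within a level)."""
    findings = [f for f in map(classify, listing.splitlines()) if f]
    return sorted(findings, key=lambda f: ORDER[f.severity])


def duplicate_extensions(findings: List[Finding]) -> Dict[str, List[str]]:
    """Extension names installed under more than one ID: the 'keeps multiplying' symptom."""
    ids = defaultdict(list)
    for f in findings:
        if f.kind == "chrome-extension":
            ids[f.meta["name"]].append(f.meta["id"])
    return {name: found for name, found in ids.items() if len(found) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LISTING)
    for f in results:
        print(f"[{f.severity:6}] {f.kind:20} {f.detail}")
    for name, ids in duplicate_extensions(results).items():
        print(f"{name!r} present under {len(ids)} different IDs: {', '.join(ids)}")
```

The two HIGH findings are the ones to check after the fix: if the ProxyServer value or a task that launches a script host is still present in a fresh FRST scan, the cleanup did not take and the extension will likely come back regardless of what is done inside Chrome.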

Does this fix take a while? It has been running for almost 2 hours now. I will be patient and let it run while we sleep. Thank you so much for all your help. I will post the log when I wake up. :wink:

Hmm, no, it should only take a few minutes. Stop FRST and post the Fixlog that appears on the desktop, please.

Let me reboot her computer and I will send it. I am on mine right now. Give me 10 min max. :smiley:

I’m sorry, she isn’t home, and since this started happening it requires her to hit F1 to boot up, and that is why TeamViewer will not come back up. I did look at the log before I rebooted and it wasn’t complete, but when I got up this morning FRST was not responding again, so I just ran the AdwCleaner for grins ;D and it had NO problems. Fingers crossed that you are the GENIUS!!! Maybe FRST completed overnight and once finished it stopped responding, not sure. She will be home in 3 hours, so when she hits F1 for it to boot up I will post everything and let you know. I do know that it removed her access to the internet, so that is a good thing. I really appreciate your understanding and patience. Talk to you in 3 hours. Donna <3

Oh, would this virus be causing her computer to not reboot like normal and making her have to hit F1 to complete the boot process?

There is that possibility. What message does she get that requires F1?

This is a picture I took a while back of what it says when you boot. Also, I’m still getting “threat has been detected”. I am also attaching both of the FRST logs, as well as the AdwCleaner log.

Here is a better screenshot of the Error at boot.

Sounds like a hard drive problem that may be cured by running chkdsk.

But first

Could you now run AdwCleaner :slight_smile:

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.

I’m sending her log from my computer because I cannot get online with hers now.
Please advise. Thank you.

Hmm, a lot of snake oil programmes there.

Run this fix, as it will reset the network connections.

CAUTION : This fix is only valid for this specific machine, using it on another may break your computer

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
HKU\S-1-5-21-2446882483-999373319-3632143801-1003\...\Winlogon: [Shell] - <==== ATTENTION
ProxyServer: [S-1-5-21-2446882483-999373319-3632143801-1003] => localhost:21320
SearchScopes: HKU\.DEFAULT -> {4C4C7AAB-5854-4241-A414-E2F1EF119C4A} URL = hxxp://www.dnsbasic.com/?prt=DNSBASIC111&sp=&keywords={searchTerms}
BHO: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
BHO-x32: No Name -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> No File
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - No File
CHR Extension: (Dealz) - C:\Users\Eraina Smith\AppData\Local\Google\Chrome\User Data\Default\Extensions\bghejdcdajlenjngcknlkkoakmmjfanb [2015-10-27]
CHR Extension: (Dealz) - C:\Users\Eraina Smith\AppData\Local\Google\Chrome\User Data\Default\Extensions\manaobgbdfpjjjnheogfghmjbikhjnlf [2015-10-28]
Task: {42E66589-B926-4B06-959B-089E4C255826} - System32\Tasks\{BD12E89E-CEC1-40B7-8446-B4C2D721D5D5} => pcalua.exe -a "C:\Users\Eraina.Eraina-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMKV1ETG\setupconsumerc2rolw.exe" -d C:\Users\Eraina.Eraina-PC\Desktop
Task: {72C41E91-5F66-4DCB-BF6F-B72ACF50864C} - \GoogleUpdateTaskUserS-1-5-21-2446882483-999373319-3632143801-1000Core -> No File <==== ATTENTION
Task: {8EB2C692-DAE3-4C17-9417-D5F18FF501E0} - \AmiUpdXp -> No File <==== ATTENTION
Task: {8EEC855C-B7D1-42F5-9193-E37B3CCD93B2} - System32\Tasks\{CB0991F9-094D-4148-AB85-904EC17DDF89} => pcalua.exe -a "C:\Users\Eraina Smith\Downloads\setupconsumerc2rolw.exe" -d "C:\Users\Eraina Smith\Downloads"
Task: {A0A88DD2-ECE9-4A70-8CBD-6FC9B523C5C8} - \GoogleUpdateTaskUserS-1-5-21-2446882483-999373319-3632143801-1000UA -> No File <==== ATTENTION
Task: {AF4AB1B6-DCD7-45ED-B53E-A47BEF157920} - System32\Tasks\DPCPHH1 => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
Task: {CB4A2CA0-F58F-4647-8611-6AB7B5862A19} - System32\Tasks\4788 => Wscript.exe C:\Users\ERAINA~1\AppData\Local\Temp\launchie.vbs //B <==== ATTENTION
Task: {DD24C05E-9B3D-4E8A-A1C3-B2D2535452A4} - \Test TimeTrigger -> No File <==== ATTENTION
Task: C:\Windows\Tasks\DPCPHH1.job => C:\ProgramData\FlashBeat\FlashBeat.exe <==== ATTENTION
C:\ProgramData\FlashBeat
R2 vseamps; C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe [121696 2012-08-24] (Commtouch, Inc.)
R2 vsedsps; C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe [119136 2012-08-24] (Commtouch, Inc.)
S3 vseqrts; C:\Program Files\Common Files\Authentium\AntiVirus5\vseqrts.exe [181600 2012-08-24] (Commtouch, Inc.)
R2 AMP; C:\Windows\system32\Drivers\amp.sys [173408 2012-08-24] (Commtouch, Inc.)
RemoveProxy:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated please post that

Thank you, I am running the fix now; hope it doesn’t stop responding like before. I will post the log when it is finished. :smiley: Yes, she has grandchildren at her house. I told her to change her password so they cannot get on her computer and to NEVER LET THEM DOWNLOAD things again. >:(