Do I have a virus?

I’ve been getting “This webpage is not available” in Chrome, with a little ASCII-drawn dinosaur above the sentence. And periodically I have no Internet connection. Then today, there were animated words on the page with the dinosaur and the sentence above that said GAME OVER!!!

Seems like some ancient virus, no?

Bonnie Granat
bgranat@granatedit.com
http://www.GranatEdit.com

Please follow the directions for scans in this topic and attach as many of the logs as you can run.
Logs to assist in cleaning malware

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/4/2015
Scan Time: 2:55 AM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.10.04.01
Rootkit Database: v2015.10.02.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: BGranat

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 404693
Time Elapsed: 1 hr, 14 min, 25 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

The “GAME OVER” thing was animated, so I don’t have a picture of it.

I’m not sure what scans and how many you wanted me to run, but the Malwarebytes scan is from last night. The Avast scan last night was fine–no threats.

Thanks for your help.

Scan text file is attached.

Instructions https://forum.avast.com/index.php?topic=53253.0
Attach Farbar Recovery Scan Tool logs … 2 logs total

See below the box you write in … Attachments and other options

When done, dbrisendine will assist you.

I did attach the file. The date is 190515 instead of 100515, which is what it should be again.

I am uploading it again now.

Thank you.

Meanwhile, today the computer has been well behaved and I have not seen the little dinosaur even once all day.

It is not the Malwarebytes scan log we want … read my instructions above

OK, you want the Farbar thing, but I’m having a problem getting the page. First time today. I’ll try until I get it, though. Thanks for your patience. Often a simple thing looks like it’s too much for me to handle, but if I take it slow, I can usually do it. But I cannot access the page now. See attached file. Will keep trying. Thanks, again.

FRST.txt and Addition.txt are attached to this message.

Now I’ll go do the other thing.

Oh, wait. You wanted two logs total. So I don’t have to do the aswMBR thing, right? OK. Yes, I’m a mess. LOL.

Addition.txt log is not attached …

Addition text and the third one that I did anyway are attached.

Let me know how the computer is after this.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
2015-09-23 08:03 - 2015-09-24 10:26 - 00000000 ____D C:\Program Files\Babylon
2015-09-23 08:03 - 2015-09-23 08:03 - 00000000 ____D C:\Program Files (x86)\Babylon
2015-09-23 08:02 - 2015-09-23 08:02 - 00676720 _____ (Babylon Software Ltd.) C:\Users\BGranat\Downloads\Babylon10_setup_ns.exe
2015-09-17 12:42 - 2015-02-03 15:49 - 00010240 _____ C:\Users\BGranat\AppData\Local\Z@!-9a215caf-e8fa-4260-bbf6-d46caa688368.tmp
2015-09-17 12:42 - 2015-02-03 15:49 - 00010240 _____ C:\Users\BGranat\AppData\Local\Z@!-882234b7-ecfb-4156-9f08-545c52a4d419.tmp
2015-09-17 12:42 - 2015-02-03 15:49 - 00009216 _____ C:\Users\BGranat\AppData\Local\Z@S!-5eefec18-d746-4529-9d75-e656e3f3966d.tmp
CustomCLSID: HKU\S-1-5-21-1942861139-1674859938-1291910794-1001_Classes\CLSID\{B65CAD9D-F572-4BD9-9FF1-CBE8AF9FB67D}\InprocServer32 -> C:\Users\BGranat\AppData\Roaming\Intelligent Editing\PerfectIt 3\adxloader64.dll ()
CustomCLSID: HKU\S-1-5-21-1942861139-1674859938-1291910794-1001_Classes\CLSID\{CB2B673F-D441-4CD4-AFBE-DC4037CA4220}\InprocServer32 -> C:\Program Files\WinZip\adxloader64.dll ()
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S0].txt as well.

Two files were created today, and I’ve uploaded them both. Maybe they’re identical. Evidently someone had run AdwCleaner before, because there was an [SO] file from last year in that folder.

How is Chrome behaving now?

I had two tabs open. When I clicked one of them, I saw the dinosaur and the blue Reload button for a second, and then the page loaded properly, so that made me think whatever you had me do – was it remove traces of Babylon? – didn’t work.

So I can’t tell for sure how Chrome is behaving. Only over time will I be able to tell.

I intentionally downloaded Babylon, or I should say I didn’t object when it downloaded itself, because I thought it was a trustworthy site. Is it a site that’s just a front for hackers? It is a translation site that’s selling translation software or cloud services (I’m not sure which). But it had a free version that gave you five free translations and then stopped. They didn’t bother telling you that at the outset, though.

Thank you for your help, by the way.

I will come back to give a final report on the issue after enough time has gone by. The problem seems to be worse at night.

Do you know why Avast and Malwarebytes didn’t catch the culprit?

Bonnie

I clicked on an open tab just now, and the dinosaur and the blue button appeared for a second and then disappeared.

Have I killed the devil or not?

Thanks.

I got the no Internet service page again and rebooted the computer. Then service was restored.

Is that page with the dinosaur a virus? I have to think it is because of the “GAME OVER” animation I saw the other day. Google Chrome would never do that, right? Have you ever seen the dinosaur page before or is this the first time?

Several weeks ago, the people at Total Support at Avast, where I have an active paid account, fixed my DNS thing, because I was getting malicious Web page notifications and I couldn’t understand the fixes offered here on the forum. Could that have done something by accident?

This computer is six years old and I am sort of halfway in the market for a new one.

If what we have done so far hasn’t worked, is it likely that whatever ails my computer is beyond our ability to fix? I guess I mean, “Have you any idea what virus it is that I have?”

I should add that when my weather app says “no Internet,” it also means that I have no mail service as well as no Internet.

Thank you so much for your help.

I think the dinosaur is part of Chrome… But as I do not use that, I am just guessing.

How is Chrome behaving otherwise?

OK, let's reset the DNS.

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state ON
CMD: ipconfig /flushdns
CMD: netsh winsock reset catalog
CMD: netsh int ip reset c:\resetlog.txt
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh int ipv4 reset
CMD: netsh int ipv6 reset
RemoveProxy:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe.

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix.
On completion a log will be generated; please post that.