system
June 14, 2015, 7:46pm
1
I’ve seen a few others post about this malware/virus/whatever it is. I went ahead and ran the suggested logs and attached them for you to review. My Google Chrome has been infected with this problem. I’m a web developer and use my Chrome at home as well as at work (since they are linked) and am concerned about what can be tracked from this malware/virus. Please advise on how I can get rid of this infection asap.
Thank you.
Hello,
Please follow this topic and attach the required reports:
https://forum.avast.com/index.php?topic=53253.0
system
June 14, 2015, 7:51pm
3
Yes I’ve already done so.
Eddy
June 14, 2015, 8:06pm
4
Good. Let me know when you uninstall Iobit.
Scan with Farbar Recovery Scan Tool
Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.
- Right-click on the FRST icon and select Run as Administrator to start the tool.
  (XP users click Run after receipt of the Windows Security Warning - Open File.)
- Make sure that the Addition option is checked.
- Press the Scan button and wait.
- The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.
Please include their content in your next reply.
system
June 14, 2015, 9:52pm
6
Ok, I removed all IOBit software (had no idea that they had been using Malwarebytes IP) and re-ran the service. I have attached the output.
So, it happens only in Chrome?
system
June 14, 2015, 10:40pm
8
Yes, but that’s also the only browser I really use at the moment.
There are a lot of extensions in your Chrome, are you familiar with all of them?
system
June 14, 2015, 10:41pm
10
Haha, yes. I use many of them developing.
I think one of them is the culprit.
system
June 15, 2015, 1:02pm
12
I’ve had the same set of extensions for almost a year now, some more than a year.
Can you try to reinstall Chrome?
system
June 15, 2015, 1:42pm
14
Yeah, I’ll give that a shot.
Eddy
June 15, 2015, 1:52pm
15
For TwinHeadEagle,
IObit is still not removed.
The code below is what my tool created as a fixlist:
Start
CreateRestorePoint:
Closeprocesses:
Emptytemp:
CHR Profile: C:\Users\Julie\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Ebates Cash Back Button) - C:\Users\Julie\AppData\Local\Google\Chrome\User Data\Default\Extensions\chhjbpecpncaggjpdakmflnfcopglcmi [2015-05-25]
2015-06-11 21:28 - 2015-06-11 21:28 - 28927512 _____ (IObit ) C:\Users\Julie\Downloads\IObit-Malware-Fighter-Setup.exe
2015-06-07 01:38 - 2015-06-07 01:38 - 98746368 _____ C:\WINDOWS\system32\config\SOFTWARE.iobit
2015-06-07 01:38 - 2015-06-07 01:38 - 73707520 _____ C:\WINDOWS\system32\config\COMPONENTS.iobit
2015-06-07 01:38 - 2015-06-07 01:38 - 00200704 _____ C:\WINDOWS\system32\config\DEFAULT.iobit
2015-06-07 01:38 - 2015-06-07 01:38 - 00061440 _____ C:\WINDOWS\system32\config\SAM.iobit
2015-06-07 01:38 - 2015-06-07 01:38 - 00028672 _____ C:\WINDOWS\system32\config\SECURITY.iobit
2015-06-07 01:34 - 2015-06-07 01:34 - 00000000 ____D C:\WINDOWS\Tasks\ImCleanDisabled
2015-06-07 01:32 - 2015-06-07 01:33 - 48076576 _____ (IObit) C:\Users\Julie\Downloads\advanced-systemcare-setup.exe
2015-06-04 20:58 - 2015-06-04 20:58 - 00000291 _____ C:\Users\Julie\Downloads\temp_file-[LE.mkv][movreel].xspf
2015-06-04 20:47 - 2015-06-04 20:47 - 00000368 _____ C:\Users\Julie\Downloads\temp_file-[The.Babadook.2014.720p.BluRay.x264.YIFY.mp4][180upload].xspf
2015-06-03 22:28 - 2015-06-03 22:28 - 00000335 _____ C:\Users\Julie\Downloads\temp_file-[The.Canal.2014.720p.WEB-DL.mkv][movreel].xspf
2015-06-03 22:25 - 2015-06-03 22:25 - 00000362 _____ C:\Users\Julie\Downloads\temp_file-[The.Canal.2014.720p.BluRay.x264.YIFY.mp4][180upload].xspf
2015-06-03 21:04 - 2015-06-03 21:04 - 00000338 _____ C:\Users\Julie\Downloads\temp_file-[Teh.Canal.2014.720p.WEB-DL.mkv][movreel].xspf
2015-06-03 20:27 - 2015-06-03 20:27 - 00000305 _____ C:\Users\Julie\Downloads\temp_file-[c4n4l72WBG.mkv][movreel].xspf
2015-05-28 20:46 - 2015-05-28 20:47 - 15889184 _____ (IObit) C:\Users\Julie\Downloads\iobituninstaller.exe
2015-06-14 17:38 - 2015-03-26 17:38 - 00000000 ____D C:\Program Files (x86)\IObit
2015-06-14 17:38 - 2015-03-26 17:37 - 00000000 ____D C:\Users\Julie\AppData\Roaming\IObit
2015-06-07 11:52 - 2015-03-26 17:38 - 00000000 ____D C:\ProgramData\IObit
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive2] -> {A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} => No File
ShellIconOverlayIdentifiers-x32: [ SkyDrive3] -> {BBACC218-34EA-4666-9D7A-C78F2274A524} => No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-21-3409106345-1983908828-2916231754-1002 -> {A8A22C14-B32C-4E36-82DA-426D521E9363} URL =
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: ipconfig /flushdns
CMD: ipconfig /release
CMD: ipconfig /renew
CMD: netsh winsock reset catalog
CMD: bitsadmin /reset /allusers
End
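As an added example, not part of this thread and not FRST's own code: a small Python triage helper that parses the three line shapes found in the fixlist above (dated file/directory entries, ShellIconOverlayIdentifiers that resolve to "No File", SearchScopes with an empty URL) and lists filesystem leftovers tied to one vendor. The regular expression, the category names and the IObit vendor hint are my assumptions about the log format, inferred only from the lines posted here; the sample lines are copied from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the fixlist above, one per FRST line shape
# this triage knows (dated file/dir entry, orphaned overlay, empty search scope, other).
SAMPLE_LOG = r"""
2015-06-11 21:28 - 2015-06-11 21:28 - 28927512 _____ (IObit ) C:\Users\Julie\Downloads\IObit-Malware-Fighter-Setup.exe
2015-06-07 01:34 - 2015-06-07 01:34 - 00000000 ____D C:\WINDOWS\Tasks\ImCleanDisabled
2015-06-14 17:38 - 2015-03-26 17:38 - 00000000 ____D C:\Program Files (x86)\IObit
ShellIconOverlayIdentifiers: [ SkyDrive1] -> {F241C880-6982-4CE5-8CF7-7085BA96DA5A} => No File
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CMD: ipconfig /flushdns
"""

# Assumed FRST file-line shape: <created> - <modified> - <size> <attrs> [(vendor)] <path>
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d+) (?P<attrs>[_A-Z]+) (?:\((?P<vendor>[^)]*)\) )?(?P<path>\S.*)$"
)

@dataclass
class Finding:
    kind: str          # "file", "dir", "orphan-overlay", "empty-searchscope" or "other"
    detail: str        # path, CLSID, registry hive, or the raw line
    vendor: str = ""   # company string FRST printed in parentheses, if any

def classify(line: str) -> Finding:
    """Map one FRST log line to a triage category (assumed shapes, see FILE_RE)."""
    line = line.strip()
    m = FILE_RE.match(line)
    if m:  # a 'D' in the attribute flags marks a directory entry
        return Finding("dir" if "D" in m["attrs"] else "file", m["path"], (m["vendor"] or "").strip())
    if line.startswith("ShellIconOverlayIdentifiers") and line.endswith("=> No File"):
        clsid = re.search(r"\{[0-9A-Fa-f-]+\}", line)
        return Finding("orphan-overlay", clsid.group(0) if clsid else line)
    if line.startswith("SearchScopes:") and line.endswith("URL ="):
        return Finding("empty-searchscope", line.split("->", 1)[0].split(":", 1)[1].strip())
    return Finding("other", line)

def triage(log: str, vendor_hint: str = "IObit") -> dict:
    """Group lines by category and list file/dir leftovers whose vendor or path names the hint."""
    findings = [classify(l) for l in log.splitlines() if l.strip()]
    by_kind = {}
    for f in findings:
        by_kind.setdefault(f.kind, []).append(f)
    hint = vendor_hint.lower()
    leftovers = [f.detail for f in findings if f.kind in ("file", "dir")
                 and (hint in f.vendor.lower() or hint in f.detail.lower())]
    return {"by_kind": by_kind, "leftovers": leftovers}
```

Running `triage(SAMPLE_LOG)` on the sample lists the two IObit paths as leftovers while the ImCleanDisabled task folder, which carries no vendor string, is left for manual review.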
system
June 15, 2015, 2:22pm
16
How do I remove those remaining files?
Fix with Farbar Recovery Scan Tool
This fix was created for this user for use on that particular machine. Running it on another one may cause damage and render the system unstable.
Download the attached fixlist.txt file and save it to the Desktop:
Both files, FRST and fixlist.txt, have to be in the same location or the fix will not work!
- Right-click on the FRST icon and select Run as Administrator to start the tool.
  (XP users click Run after receipt of the Windows Security Warning - Open File.)
- Press the Fix button just once and wait.
- If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
- When finished, FRST will generate a log on the Desktop called Fixlog.txt.
Please attach it to your reply.
system
June 15, 2015, 9:21pm
18
Here ya go, hope this worked.
How is the situation now?
system
June 16, 2015, 12:37pm
20
So far so good. I uninstalled and reinstalled Chrome as you suggested (don’t know why I didn’t try that already) and haven’t had any unwanted popups yet.