Trojan virus won't go away. Chrome Talk.Gadget.Google - JS:ScriptPE-inf [Trj]

I think I have done everything I possibly can to get rid of this virus I downloaded (malwarebytes and spybot run in safe mode, command prompt techniques I found on YouTube, etc.) and I can’t seem to get avast to stop popping up this alert while using Chrome. I’ve even uninstalled Chrome and re-installed it.

I’m using the most up-to-date free version of Avast.

I’m out of ideas. Any help would be greatly appreciated.

Here’s what the alert says.


http://s1.postimg.org/4ahuu0jvf/Avast_Talk_Gadget_Google_Trojan_Virus_Alert.jpg


http://s1.postimg.org/k7gmqqc9n/Avast_Talk_Gadget_Google_Trojan_Virus_Alert_Box.jpg

Get rid of SpyBot, it’s useless. And running any anti-whatever isn’t very effective in safe mode.

Follow the instructions here https://forum.avast.com/index.php?topic=53253.0
Post your logs here in this thread. I will contact a malware removal expert.
Please have patience, it could be a while.

Thanks Para-Noid.

I’ll do so and be patient.

Thank you for your help.

Do you have Chrome synch enabled?

Here are the logs.

I keep getting an “Avast! Anti rootkit has stopped working” message when running the aswMBR program though so I don’t have that log.

If you definitely need that log, and have any insight to why I keep getting that error let me know.

But hopefully these three logs are enough to figure it out.

Thanks again.

essexboy

I am signed into Chrome, and I believe it does sync bookmarks, apps, extensions, settings etc.

Is that what you’re referring to?

Thanks.

Yes, that is it. Do not synch the following or it will just come back again:

apps
extensions
settings

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

SearchScopes: HKLM-x32 -> DefaultScope {AF596DD4-7D01-4CAB-9CA1-C8E8BAFEDA9F} URL =
SearchScopes: HKU\S-1-5-21-1475645083-3395704770-2603585893-1005 -> {AF596DD4-7D01-4CAB-9CA1-C8E8BAFEDA9F} URL = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3310511&CUI=UN15352417461241118&UM=2
Toolbar: HKU\S-1-5-21-1475645083-3395704770-2603585893-1005 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
CHR HKU\S-1-5-21-1475645083-3395704770-2603585893-1005\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - No Path
CHR HKLM-x32\...\Chrome\Extension: [bpegkgagfojjbcpkihigfmkojdmmimdf] - No Path
CHR HKLM-x32\...\Chrome\Extension: [ehgldbbpchgpcfagfpfjgoomddhccfgh] - No Path
2014-12-17 08:13 - 2014-12-17 11:47 - 00000000 ____D () C:\Program Files (x86)\YaoutuubeAdiBloCke
2014-12-17 08:13 - 2014-12-17 08:13 - 00000000 ____D () C:\ProgramData\16169725370983171524
2014-12-17 08:11 - 2014-12-17 08:11 - 00000000 ____D () C:\ProgramData\jdimoipikediobfgaolddeekhjndlfib
C:\Windows\Tasks\At1.job
C:\Program Files (x86)\Uniblue
Task: {08AFC3FA-D7D5-4A54-AE3A-7E843C60CFB7} - System32\Tasks\{E9149E04-16E5-4AEF-B144-9E09C91101E1} => pcalua.exe -a D:\Downloads\Uniblue\RegistryBooster.exe -d D:\Downloads\Uniblue
Task: {19080476-EEFE-4C36-9CB5-A6D0E723FC53} - System32\Tasks\Uniblue SpeedUpMyPC Nag => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe <==== ATTENTION
Task: {5B4A45E5-FCCA-45F7-BF07-9768E63D141C} - System32\Tasks\At1 => C:\Users\Goob\AppData\Local\Temp\mettask.exe <==== ATTENTION
Task: {8E27E238-6B04-4C27-8604-CB692D7CA503} - System32\Tasks\spmonitor => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe [2013-05-21] (Uniblue Systems Ltd) <==== ATTENTION
Task: {AC02BAF1-A367-4096-ABD8-F9FAA26E9ECE} - System32\Tasks\FreeHDSport TV-codedownloader => C:\Program Files (x86)\FreeHDSport TV\FreeHDSport TV-codedownloader.exe <==== ATTENTION
Task: {E697F3DC-6507-477C-AFF2-FD2CFD4D5630} - System32\Tasks\Uniblue SpyEraser => C:\Program Files (x86)\Uniblue\SpyEraser\SpyEraser.exe
Task: {F86109D0-48A3-4C3D-AE85-5347555911E6} - System32\Tasks\Uniblue SpeedUpMyPC => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe <==== ATTENTION
Task: C:\Windows\Tasks\At1.job => C:\Users\Goob\AppData\Local\Temp\mettask.exe
Task: C:\Windows\Tasks\spmonitor.job => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe <==== ATTENTION
Task: C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe <==== ATTENTION
Task: C:\Windows\Tasks\Uniblue SpeedUpMyPC.job => C:\Program Files (x86)\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe <==== ATTENTION
Task: C:\Windows\Tasks\Uniblue SpyEraser.job => C:\Program Files (x86)\Uniblue\SpyEraser\SpyEraser.exe
C:\Users\Goob\AppData\Local\Temp\_MEI39802
C:\Users\Goob\AppData\Local\Temp\mettask.exe
AlternateDataStreams: C:\Users\Goob\Cookies:uN5lc6pJlo6VDjmGeOhf
AlternateDataStreams: C:\Users\Goob\AppData\Local\Temp:7Voom1FkrIBh22B9
CreateRestorePoint:
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

THEN

Please download AdwCleaner by Xplode onto your desktop.

- Close all open programs and internet browsers.
- Double click on AdwCleaner.exe to run the tool.
- Click on Scan.
- After the scan is complete click on “Clean”.
- Confirm each time with Ok.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile with your next answer.
- You can find the logfile at C:\AdwCleaner[S1].txt as well.
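
An added example, not part of the original thread and not FRST's own code: a read-only triage of log lines of the three kinds that appear in the fixlist above (scheduled tasks, registry-registered Chrome extensions, alternate data streams). The sample lines are copied from that fixlist; the regular expressions are assumptions inferred from the lines on this page, not a documented FRST format.

```python
import re

# Sample lines copied from the fixlist posted in this thread.
SAMPLE = [
    r"Task: {5B4A45E5-FCCA-45F7-BF07-9768E63D141C} - System32\Tasks\At1 => C:\Users\Goob\AppData\Local\Temp\mettask.exe <==== ATTENTION",
    r"Task: C:\Windows\Tasks\Uniblue SpyEraser.job => C:\Program Files (x86)\Uniblue\SpyEraser\SpyEraser.exe",
    r"CHR HKLM-x32\...\Chrome\Extension: [bpegkgagfojjbcpkihigfmkojdmmimdf] - No Path",
    r"AlternateDataStreams: C:\Users\Goob\AppData\Local\Temp:7Voom1FkrIBh22B9",
    "EmptyTemp:",
]

# Line shapes assumed from the log lines shown on this page.
TASK = re.compile(r"^Task: (?P<name>.+?) => (?P<target>.+?)(?P<flag>\s*<=+ ATTENTION)?$")
EXT = re.compile(r"^CHR (?P<hive>[^\\]+)\\.*\\Chrome\\Extension: \[(?P<id>[a-p]{32})\] - (?P<path>.+)$")
ADS = re.compile(r"^AlternateDataStreams: (?P<file>[A-Za-z]:\\[^:]*):(?P<stream>.+)$")
TEMP = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.I)


def triage(lines):
    """Return (kind, item, reasons) for entries worth a human look. Changes nothing."""
    findings = []
    for line in lines:
        line = line.strip()
        if m := TASK.match(line):
            reasons = []
            if TEMP.search(m["target"]):
                reasons.append("scheduled task runs a binary from a Temp directory")
            if m["flag"]:
                reasons.append("marked ATTENTION by the scanner")
            if reasons:  # tasks with no reason are left for manual review
                findings.append(("task", m["target"], reasons))
        elif m := EXT.match(line):
            if m["path"].strip() == "No Path":
                findings.append(("extension", m["id"],
                                 [f"registered under {m['hive']} and logged as No Path"]))
        elif m := ADS.match(line):
            findings.append(("ads", f"{m['file']}:{m['stream']}",
                             ["named stream attached to this path"]))
    return findings


if __name__ == "__main__":
    for kind, item, reasons in triage(SAMPLE):
        print(f"{kind:9} {item}\n          " + "; ".join(reasons))
```
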

Thanks essexboy

Here’s the log from the fix.

I’ll do the AdwCleaner now as well.

Here’s the adwcleaner log.

Also, I noticed my volume controls on my keyboard are not working. I’ve run into this before though, and I believe it was that I had to re-install some drivers for my computer.

Does that sound about right? As it happened after I did the fixlist.txt step.

Thanks.

Checking the fix, nothing related to keyboard actions was removed, so that is a bit weird… Is Chrome behaving itself now?

Darn.

I thought it was doing well and fixed, until I just restarted, and now it’s showing up again.

What’s next :-\

Did you delete the synch data? If not, then every time you start Chrome it will come back.

I would highly recommend that you delete all synch data and then run a fresh FRST scan.

Thanks again essexboy.

I have deleted my sync data, and have run a new frst scan.

I have attached the frst.txt and the addition.txt.

Let me know if I need to do a fixlist again.

Thanks.

A minor tidy up now. Once done, could you let me know if the alerts have ceased?

CAUTION: This fix is only valid for this specific machine; using it on another may break your computer.

Open notepad and copy/paste the text in the quotebox below into it:

CreateRestorePoint:
CHR HKLM\SOFTWARE\Policies\Google: Policy restriction <======= ATTENTION
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL =
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Search_URL =
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name -> {65DEE40A-3E93-4cae-9F98-B8E06DCEE2BF} -> No File
AlternateDataStreams: C:\Users\Goob\Cookies:uN5lc6pJlo6VDjmGeOhf
EmptyTemp:
CMD: bitsadmin /reset /allusers

Save this as fixlist.txt, in the same location as FRST.exe

https://dl.dropboxusercontent.com/u/73555776/FRSTfix.JPG

Run FRST and press Fix
On completion a log will be generated; please post that.

Again I thought it was working well, until I tried signing into my work gmail account, where the chat has been having problems connecting since the infection.

So I noticed there are some error codes going on there, which I have taken a screenshot of.

Once the gchat stops trying to sign in, the alerts stop. Maybe that’s why it says talkgadget.google for the url of the alert?

I pray that I didn’t infect my work account. Do you have any insight on how to fix this?

The errors are 213, 215, 216, 202

Thank you.


http://s23.postimg.org/p0qi53q53/gmail_chat_errors.jpg

p.s. I’ve also attached the fixlog.txt from the new frst fix.

Are you using Hangouts as well? There has been a problem with this for the last few weeks.

Go to your extensions in settings, and remove hangouts. Then add it back.

Ok, I removed Hangouts, and selected “revert to old chat” in the chat options in the email window. (there wasn’t a “hangouts” extension in the chrome settings/extensions list).


http://s27.postimg.org/z7l5hpnsf/Google_Hangouts_Revert_To_Old_Chat.jpg

Then I let it go back to the old chat, and then closed chrome. Then I restarted chrome, and opened my work email again. Then I selected “try the new hangouts” to re-install hangouts.

And it took a minute, but it re-installed successfully and didn’t trigger an alert from Avast.

So hopefully that did it.

I’ll let you know if it comes back, but I think we may have got it fixed!

That was so scary and frustrating as it took a couple days, and I LIVE on my computer.

Thank you so much essexboy, Para-Noid, and the Avast community!

You guys are awesome, and I have been, and always will be an Avast guy!

Thanks for the screenshot, as I do not use Chrome.

When you are happy, let me know and I will remove my tools.

You’re welcome essexboy, I think screenshots are the best.

What do you mean you’ll remove your tools? Just them downloaded on your machine? Should I remove FRST, adwcleaner, aswmbr etc. from my computer as well?

Thanks again.

No, there is a small tool that I use that removes all the other tools, resets restore points and system settings back to as they were before you used them.