Post by fnulnu on May 14, 2015 21:20:27 GMT -8
After quite some time trying to figure out this problem, I was directed by a friend of mine to this forum. I need help to remove this malware that has been bothering me. Every time I started Google Chrome, Norton would give a notification about System Infected: Fake Plugin Activity 2. Then I checked my extensions, and there are two unwanted extensions that I did not know where they came from. The two are from Sale Plus. Please guide me through the whole process. To start, I have read your post in this link: qmalwareremoval.freeforums.net/post/28948

For information, my computer runs on Windows 8.1 64-bit. Please let me know if there is any extra information you would need to start this off. Thank you!
dbrisen
Malware Removalists
Posts: 3,688
Post by dbrisen on May 14, 2015 21:57:46 GMT -8
Read Slowly and all of it.

Please download Farbar Recovery Scan Tool 64bit and save it to your Desktop. Place FRST64.exe onto your desktop from wherever it downloaded to. IF IT IS NOT ON THE DESKTOP (YOU DID NOT DOWNLOAD DIRECTLY TO DESKTOP), THEN RIGHT CLICK ON THE DOWNLOADED FILE AND SELECT CUT. FIND A BLANK SPOT ON YOUR DESKTOP AND RIGHT CLICK ON IT, SELECT PASTE AND THE FILE WILL BE ON THE DESKTOP. Thank You (this is very important later on)!

Start FRST64 that is on your Desktop by right clicking on it and selecting "Run as Administrator...".
The tool will start to run.
When the tool opens click Yes to disclaimer (if it does).
Press Scan button.
It will make two logs (FRST.txt and Addition.txt) on your Desktop.
Please attach the logs in your reply back. Or open the logs in notepad and copy the logs and paste back in a message as a reply. (Ask if you don't know how to do either of these.)

Notes:
If your Security software blocks the running or download of FRST / FRST64, please disable the security software or make an exception for this file. FRST is updated very frequently and is safe to run but because of the frequent changes (to keep up with newest malware techniques) most Security Software does not approve of the unknown file.
Right now the forum will not allow one to attach the Addition.txt file so please use wikisend.com or pastebin.com to upload the file and then post the download link here in your reply post.
Post by fnulnu on May 15, 2015 16:56:28 GMT -8
Post by dbrisen on May 16, 2015 21:05:49 GMT -8
FIRST >>>>
Please go to START (Windows Orb) >> Control Panel >> Uninstall a Program or Programs and Features and remove the following (if listed):
Google Chrome
HavrePorter
To do so, left click on the name once and then click Uninstall/Change at the bar above the list window. Follow the prompts of the uninstaller BUT please read carefully any questions it asks before answering; some uninstallers will try and deceive you into keeping the software.

SECOND >>>>
Open notepad by pressing the Windows Key + R key, typing notepad in the Run box and pressing Enter. Please copy the contents of the quote box below. To do this highlight the contents of the box and right click on it and select copy. Paste this into the open notepad. Save it to your desktop as fixlist.txt

NOTE. It's important that both files, FRST64 and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Start FRST that is on the desktop by right clicking on file and selecting "Run as Administrator..." and press the Fix button just once and wait. If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run. When finished FRST will generate a log on the Desktop (Fixlog.txt). Please post it to your reply.

LAST >>>>
Chrome -> The malware has changed the version of Chrome to a less secure type. The only way to fix this is to uninstall Chrome and re-install it.
64 bit: Reboot your machine and then go to here and download a fresh installer for Chrome. Double click on the downloaded file to install the latest version of Chrome. Your settings and extensions should be added automatically; please let me know if there are any errors with this.
Post by fnulnu on May 16, 2015 21:47:04 GMT -8
Thank you for the reply. I have deleted Google Chrome, but somehow I cannot uninstall the HavrePorter. A notification window came up and it says "There was a problem starting C:\PROGRA~2\QUICKS~1\QUICKS~1.DLL" and "The specific module could not be found." How should I proceed?
Post by dbrisen on May 16, 2015 21:59:40 GMT -8
Skip the uninstall of HavrePorter and proceed with the rest of the post. The Fixlist should handle what is visible of HavrePorter and other scanners will collect / remove the remains.
Post by fnulnu on May 17, 2015 0:12:50 GMT -8
Thank you. I have finished the second step. Should I post the fixlog.txt first and wait for your reply before installing the new Google Chrome? In any case, this is the link to the fixlog: wikisend.com/download/965046/Fixlog.txt

I have not started the last step, as I want to wait for your reply first before I do anything wrong.
Post by dbrisen on May 17, 2015 18:22:03 GMT -8
Go ahead and install Chrome; the fixlist run was fine. Good job!!

Read carefully

Download Adwcleaner from here to your desktop and run a scan. You may have to right click adwcleaner.exe and choose "Run as Administrator" from the menu. (Click the Scan button to start the scanning.) It will create a log after it is finished scanning. If not (or if it just asks for you to uncheck what you don't want deleted), there is a LogFile button in the middle of the main window; click that and it will make the log file. Once the report file is made, you can leave AdwCleaner running (but don't delete anything yet) or you can close it down (we can always get a fresh scan done before the deletions).

ONE SCAN ONLY, PLEASE

Attach or paste the log back here for review and further instructions. Thanks.
Post by fnulnu on May 17, 2015 19:00:28 GMT -8
Here is the log: wikisend.com/download/953164/AdwCleaner[R0].txt

However, I have downloaded Google Chrome like you mentioned. When Google Chrome started to run, the fake plugin activity 2 still pops up. My question is, do I have to restart the computer before downloading and installing Google Chrome? Or is the restart made by FarBar on the second step of your second reply enough? I am afraid I did something wrong or missed a step.
Post by dbrisen on May 18, 2015 10:32:48 GMT -8
You did nothing wrong; we will get the remains of the malware with these additional scanners.

FIRST
Please run AdwCleaner again (if you don't have it running from the last scan) and
a) Click the Scan Button and wait for the scan to finish. (If Adwcleaner has been left open at the finish of the scan this is already done.)
b) Make sure in your case all the items under each TAB are ticked / checked.
c) Then click the Clean Button and Adwcleaner will process all the items ticked / checked and then may ask for the system to be restarted.
d) It should create a new log afterwards (with S0 in the name).
e) Please attach or copy the log into your reply here.

SECOND
Malwarebytes' Anti-Malware
Please download the latest version of Malwarebytes' Anti-Malware from Here. The version you have is not the latest; this will update it to the latest released version.
Double Click on the mbam-setup.exe file to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
When the main screen opens, if the database is out of date, you can click on the Fix Now banner or the Update Now link.
Once the program has loaded and updated, select "Scan Now >>" to start the scan.
The scan may take some time to finish, so please be patient.
If any malware is found, you will be presented with a screen like the one below.
Please click on the Save results > link in the bottom right hand corner and select the Text file(*.txt) from the dropdown list. I would suggest you save the file on your desktop (as we need the report attached here for review and it is easy to find on the desktop).
After you have saved the report file, return to the Potential Threats Detected page and click on Cancel. You can close MBAM after that.
Please attach the report file to a post here; I will review the file and script what needs to be removed.