Can't get rid of Reimage Repair / links-yahoo.com malware

Status
Not open for further replies.

davesp

Honorable
Dec 10, 2015
26
0
10,540
Hi,

When I browse (Chrome, PC, Win 10) I'm constantly getting notifications from Malwarebytes Anti-Malware that malicious websites are being blocked. Three domains are being blocked in particular: okw.portshilwalking.com, fjh.prefecturehorticulturists.com, and nlw.underwearliftoff.com. See example below:

malware_popup.png


Also when I browse, sometimes a "Reimage Repair - Speed up my PC" or a "links-yahoo.com" tab would open inviting me to download a Windows 10 repair tool, or to perform a search.

Finally, some random words on a website would appear blue with a green pop-up icon next to them, and hovering over them would show an ad related to the highlighted word. See example below:

popupmal.png


I don't know how I got infected and I can't remove the infection. I tried Malwarebytes, AdwCleaner, HitmanPro, RogueKiller, CCleaner and Windows Defender (in that order) but nothing helps. AdwCleaner was able to find some cookies and removed them. RogueKiller found some registry abnormalities and suspicious tasks. I think when it tried repairing the tasks it wasn't able to do it, because for the 3 tasks it found, it updated their status to "ERROR [1]", but I wasn't able to find anything beyond this error label (click here to see the full log). I also tried running all of them in Safe Mode.

Any advice?

Thanks,
Dave

Edit: Also sometimes I would see this VNPApps pop-up on websites:

vnpmal.png
 
Solution
Problem sounds like Chrome is resyncing infected files you had previously, so no matter how many times you run AdwCleaner or HitmanPro, it will come back. Do a complete reset of Chrome and clear everything. Then try running the tools.

davesp

Thanks, seems to have worked.

I cleared my history and reset Chrome, then entered Safe Mode, ran Malwarebytes, AdwCleaner and HitmanPro, which all found nothing. Then I ran RogueKiller, which found the same threats as before, and repaired them as before (with the ERROR[1] thing). But now everything seems to be ok.
 