googleupdater.exe virus, icons and files hidden


3 replies to this topic

#1 Captain. (Members, 2 posts)

Posted 14 September 2011 - 01:28 AM

Hi, I have used BleepingComputer's guide on how to remove a rogue anti-virus program and was really satisfied with the results. This time, I have a different problem.

I was browsing using Firefox and have an add-on called "snap-links" on it. This allows me to open multiple links using my right click button. However, when I was attempting to do this I opened every single link on a page. Firefox crashed about 5 minutes later, and I thought it was just a regular crash. When I tried to restart it, "googleupdater.exe" showed up asking for verification.

At this point I knew I was infected because it was by an unknown publisher. I clicked cancel, and another one popped up, and so on. So I opened up Task Manager and the googleupdater.exe was minimized and I ended its process. I googled my problem but Firefox crashed yet again. This time it closed everything, changed my theme/style to Windows Basic for a second (at least it seemed like it) and everything was hidden but my wallpaper, and then reverted back to Windows Aero. I noticed my Firefox icon on my desktop was removed, along with all the items on my Quick Launch toolbar. I continued to Google what it was, and Firefox crashed one more time.

This time several dialogue boxes popped up (talking 50+) saying my hard drive has failed and it asked me to scan or "delay" my scan. So I once again opened up Task Manager and ended the process and all dialogue boxes closed. I should note that all these dialogue boxes look like bad jpg pictures, and not actual boxes. (EDIT: I just looked under ProgramData, and sorted by Date Modified again, and the process which launched the dialogue boxes is here. It is called ixgPHgbBMPf.exe. This was the process I ended. The icon for it is a red circle with an X in it. Furthermore, when scanning with either ESET or Malwarebytes, both say it is not a virus. I have deleted it, and have emptied my recycle bin.) I started Firefox again, and googleupdater.exe showed up again; this time it was harder to end the process but I managed. Now everything was hidden on my desktop, I had very few processes in Windows Task Manager running, and many other things on my computer are hidden. They are not deleted as my hard drive still has the same amount of space taken up.

I have since disconnected the infected computer from the internet and am typing this from a laptop. I checked System32 and sorted everything by last modified. Only two files were updated that day, and just 3 minutes prior to the time the whole mess started. One is called "7b296fb0-497e-b012-9c450e173247-2p-0.c7483456-a289-f39d-8115-601632d005a0" and the other called "7b296fb0-497e-b012-9c450e173247-2p-1.c7483456-a289-f39d-8115-601632d005a0". The only thing I have to try and resolve this is run the free version of Malwarebytes, but upon scanning the above two things it said it wasn't a virus. A quick scan provided no results either. ESET NOD32 didn't bring up any results either.

I do not want to reformat etc. because I do not want to lose my data. My last backup of files was from two weeks ago, but my last restore point is from a month and a half ago. Also, I have not shut down the computer yet in fear of the virus getting worse. Sorry if this post contains unnecessary information as well.

Edited by Captain., 14 September 2011 - 01:39 AM.




#2 Gunto (Malware Response Team, 1,284 posts)

Posted 14 September 2011 - 03:10 AM

Try running a full scan with SUPERAntiSpyware on the infected computer. Be sure it's fully updated, and let it run unhindered.



#3 Captain. (Topic Starter, Members, 2 posts)

Posted 14 September 2011 - 07:36 AM

Yep, that seems to have solved it. However, I updated Malwarebytes instead and did a quick scan in the interest of time. I plan to run a full scan now.

The following were found/deleted:

Vendor: Trojan.FakeAlert
Category: File
Item: c:\users\owner\AppData\Local\Temp\p5tm1qbi6dss92.exe.tmp
Quarantined and deleted successfully.

Vendor: Trojan.FakeAlert
Category: File
Item: c:\users\owner\AppData\Local\Temp\3570.tmp
Quarantined and deleted successfully.

Vendor: Trojan.FakeAlert
Category: File
Item: c:\users\owner\AppData\Local\Temp\googleupdate.exe
Quarantined and deleted successfully.

Vendor: Trojan.FakeAlert
Category: File
Item: c:\users\owner\local settings\temporary internet files\Content.IE5\HF60QFU6\contacts[1].exe
Quarantined and deleted successfully.

I should note that upon startup my files are still hidden. On top of this, when I started my computer after Malwarebytes prompted me to, it said "Catalyst Control Centre: Host application has stopped working". I think this is because everything is hidden, and this was posted on Microsoft's Answers site:

This may be the solution you are seeking.

I recently removed the Vista Recovery Center malware from another one of our company laptops. It has ATI graphics installed. This malware hides most of the files on the PC in an attempt to fool you into thinking that your PC is really damaged like it is reporting. Removing the malware does not undo the hidden aspects. In Vista, the c:\Users\"your profile name (usually Owner)" folder contains the AppData subdirectory that the Catalyst Control Center needs to access in order to function. When this directory is hidden, CCC cannot locate the necessary files to launch. To fix this issue, I use the following steps.

Navigate to c:\ and right click on Users. Select Properties. Under the General tab, look at the bottom for the Hidden selection. If there is not a check mark in the box, place a check mark there. Hit Apply, and select Yes to apply to all subdirectories. If you clicked OK, you may notice that it disappeared from the right pane once it finishes. It should still be listed under the tree on the left. Right click on it again. This time remove the check mark and apply to all subdirectories. Once it has finished, your files in the Users directory should reappear and Catalyst Control Center should function normally again. This has worked in all cases that I have encountered so far. Hopefully this works for you as well.


I did not do this, as it may not be right for me. In the past when viruses hid my files, I ran the unhide application from this site, should I run it again now?

Edited by Captain., 14 September 2011 - 08:22 AM.


#4 boopme (Global Moderator, 72,924 posts)

Posted 16 September 2011 - 04:20 PM

This infection family will also hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.



I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


NOTE: In some instances if no malware is found there will be no log produced.





Rerun MBAM (Malwarebytes) like this:

Open MBAM in normal mode and click the Update tab, select Check for Updates, and when done
click the Scanner tab, select Quick scan and scan (normal mode).
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
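For readers who want to see what the unhide step above actually does, here is an added PowerShell example (not the Unhide.exe tool from the post, and not from BleepingComputer) that clears the Hidden attribute the rogue AV set, scoped to one profile folder. It assumes a profile path of C:\Users\Owner (the name used earlier in this thread) and a Desktop folder to write its log to; both are assumptions you can change.

```powershell
# Added example: undo the "hide everything" trick of this rogue-AV family
# by clearing the Hidden attribute under one profile folder.
# Assumption: the profile is C:\Users\Owner (as in the thread); change -Root to suit.
param(
    [string]$Root = 'C:\Users\Owner',
    [switch]$WhatIf      # list what would change without touching anything
)

# Windows marks its own housekeeping files Hidden+System (desktop.ini, NTUSER.DAT)
# and uses junctions inside profiles; skip both so only user files get unhidden.
$hidden  = [IO.FileAttributes]::Hidden
$system  = [IO.FileAttributes]::System
$reparse = [IO.FileAttributes]::ReparsePoint

$targets = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band $hidden) -and
        -not ($_.Attributes -band $system) -and
        -not ($_.Attributes -band $reparse)
    }

$changed = @()
foreach ($item in $targets) {
    if ($WhatIf) {
        Write-Output "Would unhide: $($item.FullName)"
        continue
    }
    # Flip only the Hidden bit; every other attribute (ReadOnly, Archive...) stays as-is.
    $item.Attributes = $item.Attributes -bxor $hidden
    $changed += $item.FullName
}

# Keep a record so anything you had hidden on purpose can be re-hidden afterwards,
# which is the same caveat the post makes about Unhide.exe.
$logPath = Join-Path $env:USERPROFILE 'Desktop\unhide-log.txt'
$changed | Set-Content -LiteralPath $logPath
Write-Output "$($changed.Count) item(s) unhidden under $Root; list saved to $logPath"
```

Run it once with -WhatIf first to review the list; the script only clears the attribute and never deletes or moves anything.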
