Can't get rid of CaheuapMei 5.1 Chrome extension.


10 replies to this topic

#1 ScrewScorpionSaver

ScrewScorpionSaver

  • Members
  • 16 posts
  • Local time:08:03 AM

Posted 11 February 2014 - 09:50 AM

CaheuapMei 5.1

 

It shows up again every time I restart Chrome. It turns certain text into ad links and does other ads. I searched Google and nothing came up.

 

Can you help? 

 

I already tried rkill, MalwareBytes, JRT, and Hitman pro. 

 

Windows 7





#2 ScrewScorpionSaver

ScrewScorpionSaver
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:03 AM

Posted 11 February 2014 - 10:05 AM

I just ran JRT again and nothing came up in the log. 



#3 ScrewScorpionSaver

ScrewScorpionSaver
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:03 AM

Posted 11 February 2014 - 10:09 AM

Some of the ads say "Ads by CheapMe"



#4 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,366 posts
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:06:03 AM

Posted 11 February 2014 - 12:32 PM

Please download AdwCleaner and run it.
 
An image like the one below will open, click on Scan.
 
adwcleaner11_zps48314883.png
 
Once the search is complete a list of the pending items will be displayed.  If you see any which you do not want removed, remove the check mark next to it.  
 
Click on Clean to remove the selected items.  
 
You will receive a message telling you that all programs will be closed so that the infections can be removed.  Click on Ok.
 
When the cleaning process is complete a log of what was removed will be presented.  Please copy and then paste this log in your next post.
 
 

Please download Malwarebytes Anti-Malware.
 
1)  Double-click on mbam-setup.exe, then click on Run to install the application, follow the prompts through the installation.
 
2)  When the installation has finished, make sure you leave both of these checked:
 
    Update Malwarebytes' Anti-Malware
 
    Launch Malwarebytes' Anti-Malware
 
Then click on Finish.
 
3)  MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. 
 
4)  Click on perform Quick Scan, then click on the Scan button.
 
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
 
5)  The scan will now begin, this may take some time to complete so please be patient.
 
6)  When the scan is finished click on Show Results to display all objects found.
 
7)  Click OK to close the message box and continue with the removal process.
 
8)  Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
 
Make sure that every item shown in the results has a check mark in the box next to it, then click on Remove Selected.
 
9)  When removal is completed, a log will open in Notepad.
 
This log is automatically saved and can be viewed by clicking the Logs tab in MBAM. Copy and paste the contents of the log in your next post, then exit MBAM.
 
Important:  If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
 
Please copy the Malwarebytes log and paste it in your next post.
 
To locate this file right click on the Start orb and choose Open Windows Explorer, then click on C: drive.
 
When the C: drive opens click on the following:  ProgramData, Malwarebytes, Malwarebytes' Anti-Malware, Logs.  
 
If there is more than one log, choose the log with the date that you ran the scan that I requested.
 
 
If there are a large number of items found you can go into Settings and click on Scanner Settings to change the setting in Action for potentially unwanted programs (PUP) to Show in results list and check for removal.
 
Malwarebytessettings_zpsb9b50638.png

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:09:03 AM

Posted 11 February 2014 - 05:17 PM

Also look in the Chrome Plug-ins/Add-ons for things you don't recognize or that have Cheap me, and disable or remove them.

HOW TO


How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#6 ScrewScorpionSaver

ScrewScorpionSaver
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:03 AM

Posted 11 February 2014 - 06:32 PM

Boopme: I do that every time I start Chrome. It is fine until I restart and it always returns. 

 

Dc3: I had ADWCleaner but it seemed to disappear a while back. I will re-download and post soon. 


Edited by ScrewScorpionSaver, 11 February 2014 - 06:41 PM.


#7 ScrewScorpionSaver

ScrewScorpionSaver
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:03 AM

Posted 11 February 2014 - 06:33 PM

Here is the AdwCleaner Log:

 

 

# AdwCleaner v3.018 - Report created 11/02/2014 at 18:32:37
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : AWDesktop - AWDESKTOP-HP
# Running from : C:\Users\AWDesktop\Downloads\AdwCleaner (1).exe
# Option : Scan
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v11.0.9600.16428
 
 
-\\ Mozilla Firefox v26.0 (en-US)
 
[ File : C:\Users\AWDesktop\AppData\Roaming\Mozilla\Firefox\Profiles\cg62vq0j.default\prefs.js ]
 
 
-\\ Google Chrome v
 
[ File : C:\Users\AWDesktop\AppData\Local\Google\Chrome\User Data\Default\preferences ]
 
 
*************************
 
AdwCleaner[R0].txt - [29629 octets] - [30/11/2013 18:29:27]
AdwCleaner[R1].txt - [1381 octets] - [06/12/2013 23:28:57]
AdwCleaner[R2].txt - [1227 octets] - [07/12/2013 08:11:49]
AdwCleaner[R3].txt - [1273 octets] - [09/12/2013 10:27:15]
AdwCleaner[R4].txt - [1578 octets] - [21/12/2013 13:49:13]
AdwCleaner[R5].txt - [3227 octets] - [01/01/2014 13:32:38]
AdwCleaner[R6].txt - [1757 octets] - [01/01/2014 21:07:01]
AdwCleaner[R7].txt - [1825 octets] - [02/01/2014 14:35:14]
AdwCleaner[R8].txt - [1252 octets] - [11/02/2014 18:32:37]
AdwCleaner[S0].txt - [29853 octets] - [30/11/2013 18:30:47]
AdwCleaner[S1].txt - [1421 octets] - [06/12/2013 23:30:21]
AdwCleaner[S2].txt - [1250 octets] - [07/12/2013 08:14:23]
AdwCleaner[S3].txt - [1298 octets] - [09/12/2013 10:28:18]
AdwCleaner[S4].txt - [1604 octets] - [21/12/2013 13:50:20]
AdwCleaner[S5].txt - [3200 octets] - [01/01/2014 13:34:23]
AdwCleaner[S6].txt - [1781 octets] - [01/01/2014 21:12:24]
AdwCleaner[S7].txt - [1847 octets] - [02/01/2014 14:36:46]
 
########## EOF - C:\AdwCleaner\AdwCleaner[R8].txt - [1793 octets] ##########


#8 ScrewScorpionSaver

ScrewScorpionSaver
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:03 AM

Posted 11 February 2014 - 06:41 PM

Here is the MBAM log:

 

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org
 
Database version: v2014.02.11.06
 
Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 11.0.9600.16476
AWDesktop :: AWDESKTOP-HP [administrator]
 
2/11/2014 8:51:38 AM
mbam-log-2014-02-11 (08-51-38).txt
 
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 244733
Time elapsed: 13 minute(s), 33 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 1
HKCU\Software\AppDataLow\Software\Search Protection (PUP.Optional.MyEmoticons.A) -> Quarantined and deleted successfully.
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 2
C:\Users\AWDesktop\AppData\Local\Temp\{2F78EE81-3822-4B09-A9E2-7000F49BCC77}\Addons\assistant_v3.exe (Trojan.SProtector) -> Quarantined and deleted successfully.
C:\Users\AWDesktop\Local Settings\Temporary Internet Files\Content.IE5\S88Q9ZQP\sp32_64_862868193063853271[1].exe (Trojan.SProtector) -> Quarantined and deleted successfully.
 
(end)


#9 MalwareAbort

MalwareAbort

  • Members
  • 28 posts
  • Gender:Male
  • Local time:09:03 AM

Posted 11 February 2014 - 07:24 PM

Hi ScrewScorpionSaver,

 

 

I have dealt with this problem before with other friends of mine and I can hopefully assist you.

 

Only continue with the following if the problem is one of the following:

  • You have a google chrome extension that can not be removed.
  • You have an extension that can be removed BUT reinstalls itself.
  • Extension was installed by enterprise google chrome.

 

*NOTICE*

 

The advice I am going to give you requires that you make some modifications that should, if done right, remove the infection.

 

Message to Moderators: If this tutorial breaks any rules please PM me and/or feel free to change my post. This is the only known way to combat the infection so far.

 

Treatment:

 

First we MUST backup your registry so that any changes that we make can be reverted.

 

Backup: Tweaking.com http://www.majorgeeks.com/mg/getmirror/tweaking_com_registry_backup,1.html

 

  • Download and run the program.
  • Once open in the backup tab make sure that all the check boxes are checked for the backup process.
  • Click on the big backup button and wait until it finishes.

 

Next open google chrome and navigate to chrome://extensions/

 

  • If the ID of the extension is not shown make sure and check Developer Mode in the top right hand corner.
  • Copy that ID and then continue to the next step.

 

WARNING: The following step requires you making changes to the registry. IF YOU DO NOT FEEL COMFORTABLE MAKING THESE CHANGES WAIT FOR A MOD TO CREATE A SCRIPT FOR YOU.

 

Neither Bleepingcomputer.com nor I am responsible for damages to your computer.

 

Open regedit.exe

 

  • To do so, press the Windows Key + R and type in regedit.exe

 

Next click on edit in Regedit and click find next

 

  • Paste the ID copied from chrome into the search box.
  • Click on find next until you find that ID in a folder called "ExtensionInstallForcelist"
  • IF the ID is not found then you do not need to modify the registry to continue.
  • IF the ID is found right click on it and select delete ONLY after your backup is saved.

Next open chrome and navigate to chrome://policy/

 

  • In the policies window if one exists click on Show Policy
  • You should see somewhere "file:///" followed by a path
  • Copy the directory after file://// and before the ID
  • Example: "file:////C:/Example/Virus/sfdgrsgsrrhstgsagrshdhst"
  • Copy "C:/Example/Virus/"

Next navigate to that folder and delete it.

 

WARNING: If that folder contains system32 / windows consult an expert.

 

Next for Windows 7, Vista, 8 Navigate to "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions"

 

Windows XP: "%USERPROFILE%\Local Settings\Application Data\Google\Chrome\User Data\Default\Extension"

 

Delete the folder with the same ID as the virus.

 

Download and run MBAM once more just to make sure you are safe.

 

Please let us know how things turn out.


Edited by MalwareAbort, 11 February 2014 - 07:39 PM.

"Imagine a world without malware"

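A read-only audit of the locations the steps above have you inspect, added here as an example and not part of MalwareAbort's post: it lists every ExtensionInstallForcelist policy value, splits it into extension ID and update source, and reports whether a matching folder exists under the Extensions path. The output property names are made up for this example.

```powershell
# Added example: read-only audit, nothing is deleted or changed.
# Chrome reads forced-install policy from these two registry keys.
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)
# Per-user extension folder from the post (Windows Vista/7/8 location).
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

$findings = foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Each value has the form "<extension ID>;<update URL>".
        $raw = [string]$item.GetValue($name)
        $id, $source = $raw -split ';', 2
        if (-not $id) { continue }
        [pscustomobject]@{
            PolicyKey    = $key
            ValueName    = $name
            ExtensionId  = $id
            UpdateSource = $source
            # A file: source is the on-disk path that chrome://policy shows.
            LocalSource  = ($source -like 'file:*')
            FolderOnDisk = Test-Path -LiteralPath (Join-Path $extRoot $id)
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No ExtensionInstallForcelist entries found under HKLM or HKCU.'
}
```

Run it from a normal PowerShell prompt as the affected user, so that HKCU and %LOCALAPPDATA% resolve to that user's profile.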

#10 ScrewScorpionSaver

ScrewScorpionSaver
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:03 AM

Posted 11 February 2014 - 07:36 PM

Can anyone confirm? MalwareAbort is a new member. 



#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:03 AM

Posted 11 February 2014 - 07:56 PM

It's valid.



