Infected with Chrome Browser.exe Virus


  • This topic is locked
11 replies to this topic

#1 Duckie48

  • Members
  • 24 posts
  • Gender: Male
  • Location: Georgia, USA

Posted 27 August 2014 - 12:37 PM

Unusually high CPU usage noticed and a flurry of blocked internet access warnings from my anti-virus (Bitdefender 2015). Discovered that "Chrome Browser.exe" had installed itself and was making repeated attempts to open infected internet sites. Full system and targeted scans by Bitdefender and Malwarebytes failed to recognize this virus(?).

 

My attempts to find the location of the file(s) have found the exe and associated files installed in several subdirectories. Creation time stamps say these files were installed at 11:36 a.m. EDT (USA) on 26 Aug. 2014.

 

For folder directory locations see also the attached screen shot. Google Chrome folders are located in all of the subdirectories below:

Win7(C:)/Users/Lamar/AppData/LocalLow/Supporter Visual
.................................................../LocalLow/SystilModel
.................................................../LocalLow/ValidatorNoteworthy

The Chrome.exe file is in .........../LocalLow/SystilModel/ValidatorPale

 

My OS is Windows 7 Home Premium (updated) and my browser is IE11.  I have never downloaded or used Google Chrome.

 

Thanks very much for your help,

Steve

Attached Files

#2 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender: Male

Posted 27 August 2014 - 02:07 PM

Hi there,

Please run a FRST scan:

Please download Farbar Recovery Scan Tool and save it to your Desktop.
  • Start FRST with administrator privileges.
  • Make sure the option Addition.txt is checked and press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
  • Please copy and paste these logs in your next reply.


#3 Duckie48

  • Topic Starter
  • Members
  • 24 posts
  • Gender: Male
  • Location: Georgia, USA

Posted 27 August 2014 - 03:25 PM

As requested, FRST scan was run and the FRST.txt and Attached.txt files are attached.

 

Thanks,

Steve

Attached Files



#4 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender: Male

Posted 27 August 2014 - 03:36 PM

Hi Steve,

Judging from your logs, you've already deleted this infection yourself and it isn't active anymore, correct?

#5 Duckie48

  • Topic Starter
  • Members
  • 24 posts
  • Gender: Male
  • Location: Georgia, USA

Posted 27 August 2014 - 04:32 PM

Hi aharonov, I noticed when I made my last post that it seemed to have gone inactive. However, I've taken no actions and the files are still there, or they were still there at my last post.

Steve

#6 Duckie48

  • Topic Starter
  • Members
  • 24 posts
  • Gender: Male
  • Location: Georgia, USA

Posted 27 August 2014 - 04:37 PM

Re last post, I did notify Bitdefender that their product did not recognize the virus but I've heard nothing from them and I've not booted the PC except to respond to your posts/scan requests.

Steve

#7 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender: Male

Posted 27 August 2014 - 04:44 PM

Hi Steve,

Whatever has deleted them - I don't see the active component in the logs.
So just go ahead and manually delete the three directories you've mentioned:

Win7(C:)/Users/Lamar/AppData/LocalLow/SupporterVisual
.................................................../LocalLow/SystilModel
.................................................../LocalLow/ValidatorNoteworthy

And tell me if they get recreated after the deletion and a reboot.


Also run a scan with ESET:


Please download the ESET Online Scanner and save it to your Desktop.
  • Disable the real-time protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start esetsmartinstaller_enu.exe with administrator privileges.
  • Select the option Yes, I accept the Terms of Use and click on Start.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start. The virus signature database will begin to download. This may take some time.
  • When completed the Online Scan will begin automatically.
    Note: This scan might take a long time! Please be patient.
  • When completed select Uninstall application on close if you so wish, but make sure you copy the logfile first!
  • Now click on Finish
  • A log file is created at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
    Copy and paste the content of this log file in your next reply.
Note: Do not forget to re-enable your antivirus application after running the above scan!
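An added example, not part of this thread and not aharonov's or FRST's tooling, covering the two checks the posts above ask for: the creation-time triage Steve did by hand in post #1, and the "tell me if they get recreated after a reboot" check requested here. It assumes PowerShell on the affected Windows 7 machine, uses the LocalLow folder names quoted in the thread (both spellings of "Supporter Visual" are included), and takes the profile path from the current user rather than hard-coding "Lamar". Run it once before deleting the folders to record what is there, and again after the reboot; anything reported PRESENT on the second run is exactly what aharonov wants to know about.

```powershell
# Added example (not from the thread). Inventory the LocalLow folders named in
# the posts above, list any executables inside them with their creation time,
# and report whether each folder exists. Re-running after the reboot answers
# the "did they get recreated" question.
param(
    # Profile to inspect; defaults to the logged-on user instead of "Lamar".
    [string]$ProfilePath = $env:USERPROFILE,
    # Folder names as quoted in posts #1 and #7 (both spellings of the first one).
    [string[]]$SuspectFolders = @('Supporter Visual', 'SupporterVisual', 'SystilModel', 'ValidatorNoteworthy')
)

$localLow = Join-Path $ProfilePath 'AppData\LocalLow'

foreach ($name in $SuspectFolders) {
    $dir = Join-Path $localLow $name
    if (Test-Path -LiteralPath $dir) {
        Write-Output ("PRESENT  {0}" -f $dir)
        # Every .exe below the folder, oldest first, with creation time and size:
        # a cluster of files created within the same minute (post #1 saw
        # 26 Aug 2014, 11:36) is the pattern to look for.
        Get-ChildItem -LiteralPath $dir -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Sort-Object CreationTime |
            ForEach-Object {
                Write-Output ("    {0:yyyy-MM-dd HH:mm:ss}  {1,10} bytes  {2}" -f $_.CreationTime, $_.Length, $_.FullName)
            }
    } else {
        Write-Output ("absent   {0}" -f $dir)
    }
}

# Separately, flag a chrome.exe or "Chrome Browser.exe" anywhere under LocalLow.
# Google's installer puts the browser under %LOCALAPPDATA%\Google\Chrome\Application
# or Program Files, never under LocalLow, so any hit here deserves a closer look.
Get-ChildItem -LiteralPath $localLow -Recurse -Include 'chrome.exe', 'Chrome Browser.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        Write-Output ("UNEXPECTED  {0:yyyy-MM-dd HH:mm:ss}  {1}" -f $_.CreationTime, $_.FullName)
    }
```

The script only reads and reports; it deletes nothing, so the manual deletion aharonov asks for stays a deliberate step. Redirect the output to a file on the first run (`.\check-locallow.ps1 > before.txt`) and compare it with the post-reboot run.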

#8 Duckie48

  • Topic Starter
  • Members
  • 24 posts
  • Gender: Male
  • Location: Georgia, USA

Posted 28 August 2014 - 07:12 AM

Hi aharonov,

 

I deleted the folders and they did not regenerate after a reboot. My AV is back online. The ESET log file is attached.

 

 

Attached Files

  • log.txt (9.99 KB)


#9 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender: Male

Posted 28 August 2014 - 11:42 AM

Very good. ESET hasn't found any active malware - just a few remnants and a few setups that are bundled with PUPs.

That's it! Your logs look clean to me at the moment.
We're gonna clean up everything now, close security holes on your computer and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.


My help is free for everybody.
If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.
Thank you!



Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:
  • You can uninstall programs that you had to install (e.g. MBAM or ESET Online Scanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.


Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this malware exploits security holes in installed software (e.g. browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.
The following software is outdated. Make sure you remove all old versions and install the current one instead if you need the program:

Adobe Flash Player 12 ActiveX

Tips

I recommend reading and following the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.

#10 Duckie48

  • Topic Starter
  • Members
  • 24 posts
  • Gender: Male
  • Location: Georgia, USA

Posted 28 August 2014 - 01:27 PM

Thank you very much, aharonov. Will follow the cleanup directions. Lunch is on me!

Best regards,
Steve

#11 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender: Male

Posted 28 August 2014 - 02:04 PM

You're welcome. And thank you very much for your donation, Steve.
Take care.

#12 aharonov

  • Malware Response Team
  • 2,441 posts
  • Gender: Male

Posted 28 August 2014 - 02:04 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



