Chrome disguised Browser.exe virus


  • This topic is locked
8 replies to this topic

#1 lumer

lumer

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 20 October 2014 - 04:31 PM

It seems the fix for the browser.exe is specific for each computer.  I've done all I can on my end and need some help from the experts.

 

Here are my log files...

 

 

Attached Files





#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:22 PM

Posted 20 October 2014 - 04:43 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

Next please download the following file => and save it to the Desktop.
NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.

 

 

Also, can you please temporarily disable Avira real-time protection. Check here how:

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Then go to C:\FRST\Quarantine, right click on the folder and select Send to > Compressed (zipped) folder; that will make a zipped copy of this folder.

Then please upload it to http://www.bleepingcomputer.com/submit-malware.php?channel=122 so we can examine the files and submit to antivirus companies if needed.
After that please delete the zip file you just created and re-enable Avira.

 

Also let me know if the problem still persists.

 

 

Regards,

Georgi




#3 lumer

lumer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 21 October 2014 - 09:42 PM

Thanks!  Here is my fixlog...

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 21-10-2014
Ran by chandra at 2014-10-21 22:30:25 Run:1
Running from C:\Users\chandra\Downloads
Loaded Profile: chandra (Available profiles: Administrator & chandra & Administrator)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
start
CloseProcesses:
C:\Users\chandra\AppData\LocalLow\VinylModel
HKU\S-1-5-21-2596939983-237699900-2897333658-1109\...\Run: [UIInfinity] => C:\Windows\system32\rundll32.exe "C:\Users\chandra\AppData\Local\UIInfinity\UIInfinity.dll",DllRegisterServer <===== ATTENTION
C:\Users\chandra\AppData\Local\UIInfinity
2014-09-24 16:31 - 2014-09-26 15:41 - 00000000 ____D () C:\Program Files (x86)\globalUpdate
2014-09-24 16:31 - 2014-09-24 16:31 - 00000000 ____D () C:\Users\chandra\AppData\Local\globalUpdate
Task: {C157FDBC-CC9A-42FD-B1E7-897A2EAF3DAD} - System32\Tasks\BNQZSVI => C:\Users\chandra\AppData\Roaming\BNQZSVI.exe <==== ATTENTION
Task: {D85A61E4-2576-43EE-913B-12CF19CD0DC6} - System32\Tasks\WVK => C:\Users\chandra\AppData\Roaming\WVK.exe <==== ATTENTION
Task: C:\Windows\Tasks\BNQZSVI.job => C:\Users\chandra\AppData\Roaming\BNQZSVI.exe <==== ATTENTION
Task: C:\Windows\Tasks\WVK.job => C:\Users\chandra\AppData\Roaming\WVK.exe <==== ATTENTION
emptytemp:
end
*****************

Processes closed successfully.

"C:\Users\chandra\AppData\LocalLow\VinylModel" directory move:

C:\Users\chandra\AppData\LocalLow\VinylModel\40fc399c => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\ec1ac8a1 => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\SoftwareWhisky.tar => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\NarratorRadio\manifest.json => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\NarratorRadio\NoteworthyModulator.js => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserVisual\manifest.json => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserVisual\NoteworthyModulator.js => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\browser.exe => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\VisualElementsManifest.xml => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\Dictionaries\en-US-3-0.bdic => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\36.0.1985.143.manifest => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\chrome.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\chrome_100_percent.pak => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\chrome_200_percent.pak => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\chrome_child.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\chrome_elf.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\d3dcompiler_43.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\d3dcompiler_46.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\delegate_execute.exe => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\ffmpegsumo.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\icudtl.dat => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\libegl.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\libexif.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\libglesv2.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\libpeerconnection.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\metro_driver.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\mksnapshot.ia32.exe.assert.manifest => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\nacl64.exe => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\nacl_irt_x86_32.nexe => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\nacl_irt_x86_64.nexe => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\pdf.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\ppgooglenaclpluginchrome.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\resources.pak => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\secondarytile.png => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\widevinecdmadapter.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\xinput1_3.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\VisualElements\logo.png => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\VisualElements\smalllogo.png => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\VisualElements\splash-620x300.png => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\PepperFlash\manifest.json => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\PepperFlash\pepflashplayer.dll => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\Locales\en-GB.pak => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\Locales\en-US.pak => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\Extensions\external_extensions.json => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\default_apps\docs.crx => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\default_apps\drive.crx => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\default_apps\external_extensions.json => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\default_apps\gmail.crx => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\default_apps\search.crx => Moved successfully.
C:\Users\chandra\AppData\LocalLow\VinylModel\BrowserNoteworthy\36.0.1985.143\default_apps\youtube.crx => Moved successfully.
Could not move "C:\Users\chandra\AppData\LocalLow\VinylModel" directory. => Scheduled to move on reboot.

HKU\S-1-5-21-2596939983-237699900-2897333658-1109\Software\Microsoft\Windows\CurrentVersion\Run\\UIInfinity => value deleted successfully.
C:\Users\chandra\AppData\Local\UIInfinity => Moved successfully.
C:\Program Files (x86)\globalUpdate => Moved successfully.
C:\Users\chandra\AppData\Local\globalUpdate => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{C157FDBC-CC9A-42FD-B1E7-897A2EAF3DAD}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C157FDBC-CC9A-42FD-B1E7-897A2EAF3DAD}" => Key deleted successfully.
C:\Windows\System32\Tasks\BNQZSVI => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\BNQZSVI" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{D85A61E4-2576-43EE-913B-12CF19CD0DC6}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D85A61E4-2576-43EE-913B-12CF19CD0DC6}" => Key deleted successfully.
C:\Windows\System32\Tasks\WVK => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\WVK" => Key deleted successfully.
C:\Windows\Tasks\BNQZSVI.job => Moved successfully.
C:\Windows\Tasks\WVK.job => Moved successfully.
EmptyTemp: => Removed 426.2 MB temporary data.

=> Result of Scheduled Files to move (Boot Mode: Normal) (Date&Time: 2014-10-21 22:32:51)<=

C:\Users\chandra\AppData\LocalLow\VinylModel => Is moved successfully.

==== End of Fixlog ====
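
The fixlist above removes two kinds of persistence: a per-user Run value that launches rundll32.exe against a DLL in %LOCALAPPDATA% through its DllRegisterServer export, and scheduled tasks (both the System32\Tasks entries and the legacy C:\Windows\Tasks\*.job files) whose actions point at executables in %APPDATA%. The following is an added example, not part of the original thread and not code from FRST or its author: a small Python triage script that parses FRST-style "Run:" and "Task:" lines and flags exactly those traits, so a helper can spot them in a fresh FRST.txt before writing a fixlist. The sample lines are copied from the fixlist above plus one constructed benign entry (ExampleVendorTray is a hypothetical name); the set of paths treated as user-writable and the other heuristics are this example's own assumptions, not rules FRST applies.

```python
"""Flag FRST autostart lines whose target lives in a user-writable path.

Added example for this thread (not FRST's own code). The heuristics below are
assumptions: FRST only prints the lines, deciding what is suspicious is on you.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the four ATTENTION lines from the fixlist above, plus one
# benign-looking entry (ExampleVendorTray is a hypothetical name) that must not fire.
SAMPLE_LINES = r"""
HKU\S-1-5-21-2596939983-237699900-2897333658-1109\...\Run: [UIInfinity] => C:\Windows\system32\rundll32.exe "C:\Users\chandra\AppData\Local\UIInfinity\UIInfinity.dll",DllRegisterServer <===== ATTENTION
Task: {C157FDBC-CC9A-42FD-B1E7-897A2EAF3DAD} - System32\Tasks\BNQZSVI => C:\Users\chandra\AppData\Roaming\BNQZSVI.exe <==== ATTENTION
Task: {D85A61E4-2576-43EE-913B-12CF19CD0DC6} - System32\Tasks\WVK => C:\Users\chandra\AppData\Roaming\WVK.exe <==== ATTENTION
Task: C:\Windows\Tasks\BNQZSVI.job => C:\Users\chandra\AppData\Roaming\BNQZSVI.exe <==== ATTENTION
HKLM\...\Run: [ExampleVendorTray] => C:\Program Files\ExampleVendor\tray.exe /silent
""".strip().splitlines()

# "<source> => <target>" with FRST's optional "<==== ATTENTION" marker stripped off.
ENTRY = re.compile(r"^(?P<source>.+?)\s*=>\s*(?P<target>.+?)(?:\s*<=+\s*ATTENTION)?\s*$")
# A quoted path, or a bare path up to a known executable/script extension
# (so "C:\Program Files\..." keeps its space instead of being cut at it).
WIN_PATH = re.compile(
    r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^"]+?\.(?:exe|dll|scr|bat|cmd|vbs|js)\b)',
    re.IGNORECASE,
)
# Locations a standard user can write to without elevation (assumed list; extend it
# for your environment). Legitimate autostarts normally live under Program Files
# or Windows, which need admin rights to modify.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\appdata\\|users\\public\\|programdata\\|windows\\temp\\)",
    re.IGNORECASE,
)


@dataclass
class Finding:
    kind: str            # "Run" (registry autostart) or "Task" (scheduled task)
    name: str            # Run value name, or the task name / .job file name
    source: str          # left-hand side of the FRST line
    target: str          # right-hand side: the command FRST resolved
    paths: list          # every Windows path found in the target
    reasons: list = field(default_factory=list)


def entry_name(kind, source):
    """Pull the human-readable name out of the source half of an FRST line."""
    if kind == "Run":
        m = re.search(r"\[([^\]]+)\]", source)
    else:
        m = re.search(r"Tasks\\(\S+)", source)
    return m.group(1) if m else source


def parse_line(line):
    """Parse one FRST autostart line into a Finding; None for any other line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    source, target = m.group("source"), m.group("target")
    if source.startswith("Task:"):
        kind = "Task"
    elif "\\Run:" in source or "\\RunOnce:" in source:
        kind = "Run"
    else:
        return None                      # e.g. "... => Moved successfully." lines
    paths = [quoted or bare for quoted, bare in WIN_PATH.findall(target)]
    return Finding(kind, entry_name(kind, source), source, target, paths)


def assess(f):
    """Attach a reason for every suspicious trait; an empty list means no hit."""
    for p in f.paths:
        if USER_WRITABLE.match(p):
            f.reasons.append(f"target in user-writable location: {p}")
    if any(p.lower().endswith("rundll32.exe") for p in f.paths) \
            and "dllregisterserver" in f.target.lower():
        f.reasons.append("rundll32.exe loading a DLL via DllRegisterServer (LOLBin proxy execution)")
    if f.kind == "Task" and ".job" in f.source.lower():
        f.reasons.append("legacy Task Scheduler 1.0 .job file (v1 API), uncommon for current software")
    return f


def triage(lines):
    """Return only the autostart entries that have at least one reason attached."""
    hits = []
    for line in lines:
        f = parse_line(line)
        if f is not None and assess(f).reasons:
            hits.append(f)
    return hits


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.kind}] {f.name}")
        for r in f.reasons:
            print(f"    - {r}")
```

Feed it a saved FRST.txt by passing the file's lines to triage(). No hit is not a clean bill of health: malware can just as well persist from Program Files, a service or a browser extension (the VinylModel folder above was a full Chromium build living under LocalLow, which no autostart line describes); this only keys on the two patterns visible in this fixlist.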



#4 lumer

lumer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 21 October 2014 - 09:53 PM

So far the virus has not come back yet.

 

I could not upload the quarantined zip file because it said that it was too big.



#5 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:22 PM

Posted 22 October 2014 - 06:20 AM

Hello,

 

Can you please zip the folder and upload it here => http://www.filedropper.com/

Next please send me the download link via Personal Message.

 

The infection seems to be removed but if you don't mind, I want to make sure there is nothing lurking on the system so just in case I want you to go through these steps:

 

Most of them should take no more than 5 minutes each (but the time they take to complete can vary depending on the size of your hard drive and the speed of your computer).

 

 

 

STEP 1

 

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please post the log in your next reply.

 

 

STEP 2

 

 

  • Please download RogueKillerX64.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Wait for the prescan to complete and then press the Scan button.
  • When done press the Report button.
  • Please copy and paste the results in your next reply.

 

 

STEP 3
 

 

Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
     
  • Put a checkmark beside loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
     
  • Click the Start Scan button.
     
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
     
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 4

 

 

Please download Malwarebytes Anti-Malware 2.0.3.1025 Final to your desktop.
 

  • Double-click mbam-setup-2.0.3.1025.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may see this message box.
    • 'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Copy to Clipboard'
  • Paste the contents of the clipboard into your reply.

 

 

STEP 5

 

 

1.Please download HitmanPro.

  • For 32-bit Operating System
  • This is the mirror
  • For 64-bit Operating System
  • This is the mirror

2.Launch the program by double-clicking on the HitmanPro icon. (Windows Vista/7 users right click on the HitmanPro icon and select Run as administrator).

Note: If the program won't run, then please open the program while holding down the left CTRL key until it is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
 
8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.
 
Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro

Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.

 

 

 

STEP 6

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

and then if there aren't any issues left I'll give you my final recommendations. :)

 

 

Regards,

Georgi




#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:22 PM

Posted 25 October 2014 - 04:07 AM

Hi,

 

Do you still need assistance?

 

 

Regards,

Georgi




#7 lumer

lumer
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:05:22 AM

Posted 27 October 2014 - 10:14 AM

I think we are good for now.

 

Thanks for the help!!!!!!



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:22 PM

Posted 27 October 2014 - 10:31 AM

Hi,

 

So you don't want to proceed with the steps above?

Can you then please zip the folder C:\FRST\Quarantine and upload it here => http://www.filedropper.com/

Next please send me the download link via Personal Message.

After that I'll give you my final recommendations. :)

 

 

Regards,

Georgi




#9 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  • Gender:Male
  • Location:Bulgaria
  • Local time:12:22 PM

Posted 01 November 2014 - 02:52 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.





