
Fake Google Chrome exe


  • This topic is locked
34 replies to this topic

#1 xunchen

xunchen

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 21 October 2014 - 10:35 AM

Hi, I am new to this site. I am drawn to this site because I am having the same "fake Google Chrome Malware" problem that several members have posted on this site recently. After googling for an hour, it seems this is the only place that offers a viable solution!

I started to notice this a couple of days ago when the laptop was making loud noises even though I was not doing anything. In the Task Manager, there are over 15 fake chrome processes clogging up. I have Malwarebytes and Symantec installed, but they both failed to screen out the malware. I ran the Farbar Recovery Scan Tool as some of the previous threads suggested and included the two txt files in this message. Please help.

Thanks!

xun


 


#2 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:32 PM

Posted 22 October 2014 - 11:29 AM

Hi & welcome to Bleeping Computer Forums!
My name is Jürgen and I will be assisting you with your Malware related problems.

Before we move on, please read the following points carefully:

  • My native language isn't English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.
  • Please read my instructions completely. If there is anything that you do not understand kindly ask before proceeding.
  • Perform everything in the correct order. Sometimes one step requires the previous one.
  • If you have any problems while you are following my instructions, stop there and tell me the exact nature of your problem.
  • Do not run any other scans without instruction or Add/ Remove Software unless I tell you to do so. This would change the output of our tools and could be confusing for me.
  • Post all Logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts.
  • If I don't hear from you within 5 days from this initial or any subsequent post, then this thread will be closed.
  • If I don't reply within 24 hours please PM me!
  • Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean.

Malware Warning

All passwords should be changed immediately to include those used for banking, email, eBay, PayPal and online forums from a CLEAN COMPUTER.


 Step 1

Please uninstall some programs:

  • Windows 7: Click on the [image: hidden2.png] button, open Control Panel and click Uninstall a program.
  • Search and select the following programs one by one and click on Uninstall:

    MplayerforWindows v2011-03-27

Step 2

Please download Combofix (by sUBs) and save it to your Desktop.

  • Disable the realtime-protection of your antivirus and anti-malware programs because they might interfere with the scan.
  • Start Combofix.exe and follow its instructions.
  • Do not use the computer while the scan is running. This may cause the program to stall.
  • When finished, a log file will be displayed (that can also be found at C:\Combofix.txt).
    Please copy and paste the contents of this file into your next post.

Note: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." after the scan, just restart the computer.
(You can find more detailed instructions in this guide on using Combofix.)

Step 3

Please download AdwCleaner (by Xplode) and save it to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select "Run As Administrator"
  • Click on the Scan button.
  • After the scan has finished, click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • After rebooting, a log file (that is saved in C:\AdwCleaner[S#].txt) will open automatically.
    Copy and paste the contents of that logfile in your next reply.

Step 4

Start FRST with administrator privileges.

  • Make sure the following option is checked: [image: addition.png]
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

Edited by deeprybka, 22 October 2014 - 11:32 AM.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#3 xunchen

xunchen
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 22 October 2014 - 11:41 AM

Hi, Jurgen,

Thanks for the reply! Do I need to run the laptop in safe mode with network?

xun



#4 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:32 PM

Posted 22 October 2014 - 11:42 AM

Hi,

Can you use the PC in normal mode?


Edited by deeprybka, 22 October 2014 - 11:44 AM.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#5 xunchen

xunchen
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 22 October 2014 - 11:55 AM

Yes. I will go with normal mode and follow your steps.

thanks

xun



#6 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:32 PM

Posted 22 October 2014 - 11:55 AM

:thumbup2:


regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#7 xunchen

xunchen
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 22 October 2014 - 12:55 PM

After I uninstalled "MplayerforWindows v2011-03-27" as in your Step 1, something weird happened. I lost access to most programs, including Internet Explorer. Most program icons on the desktop are showing the Internet Explorer thumbnail. When I clicked on them, the "view download" window popped up.

Do I proceed to step 2 and download combofix from another machine then run it from a thumb drive?

thanks.




#8 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:32 PM

Posted 22 October 2014 - 01:08 PM

Please reboot your PC - does the issue still persist now?
regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#9 xunchen

xunchen
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 22 October 2014 - 01:12 PM

Yes, just rebooted it, but it is showing a long list of missing links to exe files:

  • ccApp.exe
  • IAStorIcon.exe
  • CLIStart.exe
  • GrooveMonitor.exe
  • SwitchBoard.exe
  • nusb3mon.exe
  • HPMSGSVC.exe
  • brs.exe
  • HPCMDelayStart.exe
  • PDVD10Serv.exe
  • HPOSD.exe
  • ezRecover.exe
  • regsvr32.exe
  • iFrmewrk.exe
  • SynTPEnh.exe
  • sttray64.exe
  • igfxpers.exe
  • hkcmd.exe
  • igfxtray.exe



#10 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:32 PM

Posted 22 October 2014 - 01:19 PM

Start FRST with administrator privileges.
  • Make sure the following option is checked: [image: addition.png]
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.
    Please copy and paste these logs in your next reply.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#11 xunchen

xunchen
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 22 October 2014 - 01:24 PM

Does not work anymore. The same message (like other programs) "Windows can't open this file: File:FRST64.exe ...."



#12 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:32 PM

Posted 22 October 2014 - 01:30 PM

Ok, please try this:

Step 1
Please download Rkill by Grinler and save it to your desktop.
  • Link 1
  • Link 2
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If the tool does not run from any of the links provided, please let me know.
    • When finished, RKill will produce a log. Please copy and paste the log in your next reply.
  • Do not reboot the computer, you will need to run the application again.

regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#13 xunchen

xunchen
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 22 October 2014 - 01:43 PM

I am not able to use IE on that laptop, so I downloaded Rkill from another computer and used a thumb drive to put it on the desktop and ran it. Please see log.




#14 deeprybka

deeprybka

  • Malware Response Team
  • 5,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Germany
  • Local time:01:32 PM

Posted 22 October 2014 - 01:46 PM

Ok, please try FRST now...
regards,
deeprybka
Neminem laede, immo omnes, quantum potes, iuva. Arthur Schopenhauer

#15 xunchen

xunchen
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Local time:07:32 AM

Posted 22 October 2014 - 01:57 PM

Sorry, I did not see your last sentence. I rebooted the machine too quickly.

So I reran Rkill, then ran FRST. Please see the attached.





