Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Fake Google Chrome too


  • This topic is locked This topic is locked
5 replies to this topic

#1 Newbit

Newbit

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 22 October 2014 - 06:36 PM

Hi,

  I may have a similar problem to the person who posted http://www.bleepingcomputer.com/forums/t/545472/fake-google-chrome-browserexe-processes/

  This seems to be a very new thing, because a Google search for it brings up mostly posts from this month, the only practical information about it is on this site, and standard anti-virus software seems to miss it entirely.

   This all started when I was browsing some sites about health food or exercise.  Suddenly, I was getting messages from Windows asking my permission to run regsrvr to register some dll, and I kept saying no, but it would come back up.  In the details, it said it was coming from some executable named by a really long random-looking string beginning with an X.

  There were a bunch of copies of that process in my task manager, taking up a lot of memory and CPU, and every time I tried to force-quit them, more appeared.  They show up in the task manager as Chrome, but the name of the process was this long string beginning with an X. It was an exe file under a strange folder within appdata/locallow/Adobe.

   I ran a quick scan with Windows Security Essentials, and also ran a custom scan of locallow, but it didn't find anything it thought was suspicious.

   I wanted to get back up and able to do stuff, so I rebooted in safe mode, reset my machine back a few days with system recovery, and deleted that entire folder inside appdata/locallow/adobe that contained the odd file and other stuff that apparently had just installed itself there today while I was browsing the health-related sites.

   There was another symptom where for awhile, it would not let me see processes from all users in the task manager, and I couldn't open the control panel, search anything from the start menu, or run anything as administrator.  However, that problem mysteriously vanished and I am able to do all those things again.

   So, now I'm concerned that there may still be some malware on my computer.  There are still some folders under locallow with random string names and last-modified dates of this afternoon, when all this happened, such as AppData\LocalLow\Temp\rxwpsavngl.  Perhaps I should remove that, but I'm being a little conservative as I want to know what's actually going on.

    I know that for the other person, one of you said that his logs indicated that he had a rootkit.  I'm curious what in the log would indicate that.  I'm attaching logs I created using the Farbar recovery scan tool.  I sanitized some names though, so if you see [MyLastName] or [NameRemoved] it's because I replaced that in the logs.

   Please let me know if anything in these logs would indicate that I have a very serious problem, and what else I should be doing to make sure my machine is completely rid of this malware.

    Hopefully we can get to the bottom of this, because I'm sure this new problem is bound to affect many more people, and perhaps you're just seeing some of the first few cases of it.

   Thanks!

 

  

Attached Files



BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:41 AM

Posted 27 October 2014 - 06:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/552959 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:06:41 AM

Posted 28 October 2014 - 03:15 AM


Minion%20Welcome.jpg


My name's Naathim and I'm a GeekU Minion! Now that we are mates and will be working together to clean your machine out of any junkware, feel free to call me Naat :)

Before we start please note the following:

icon_arrow.gif Analysis and research take some time, also sometimes real life gets in the way, please be patient.
icon_arrow.gif Limit your internet access to posting here, some infections just wait to steal typed-in passwords.
icon_arrow.gif Don't run any scripts or tools on your own, unsupervised usage may cause more harm than good.
icon_arrow.gif Paste the logs in your posts, attachments make my work harder and more complicated.
icon_arrow.gif Stay with me to the end, the absence of symtoms doesn't mean that your machine is fully operational.
icon_arrow.gif Note that we may live in totally different time zones, what may cause some delays between answers.

icon_idea.gif I can't foresee everything, so if anything unexpected happens, please stop and inform me!
icon_idea.gif There are no silly questions. Never be afraid to ask if in doubt!

Let's start and enjoy the fight! :)


Before we move on, I'd like to see the fresh reports, as it has been some days since your last post.


FRST.gif Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool.

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Make sure that Addition option is checked.
  • Press Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content in your next reply.


Radek Naathim Pawelczyk

Malware Removal Specialist

 

staff.png


#4 Newbit

Newbit
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:41 PM

Posted 28 October 2014 - 11:36 PM

Hi Naat,

  Thanks for responding.  Here are the new logs.

   Thanks!

Attached Files



#5 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:06:41 AM

Posted 29 October 2014 - 04:02 AM

Hi :)

Please, do not amend anything in your logs. Sometimes various infection make strange named foders in different locations, I need to know exactly what is sitting in there. These are also the paths I will be using in scripts if neccesary.

How many tabs do you have opened in Chrome at once?

Not much very significant so far...




remove%20outdated.jpg Uninstall some programs

We need to uninstall some programs.

  • Press the WindowsKey.png + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search there for each entry mentioned below, right-click the entry and click Uninstall one at a time

The list of programs to uninstall:

  • Babylon Toolbar

After completing uninstalls, please manually reboot your machine!



FRST.gif Fix with Farbar Recovery Scan Tool
 

icon_exclaim.gif This fix was created for this user for use on that particular machine. icon_exclaim.gif
icon_exclaim.gif Running it on another one may cause damage and render the system unstable. icon_exclaim.gif


Press the WindowsKey.png + R on your keyboard at the same time. Type Notepad and click OK.

  • Copy the entire content of the codebox below and paste into the Notepad document:
    start
    CloseProcesses:
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-1189556144-924377109-1105661301-1001\...\MountPoints2: {ac7ed361-2640-11e3-bd89-4c80932acf73} - E:\start.exe
    ShellIconOverlayIdentifiers: [off0] -> {8E33AEC3-C5F2-43C4-B048-9E3EB19B1DD5} =>  No File
    ShellIconOverlayIdentifiers: [off1] -> {8E33AEC4-C5F2-43C4-B048-9E3EB19B1DD5} => C:\Program Files (x86)\Workspace\offsyncext64.dll No File
    SearchScopes: HKLM - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    SearchScopes: HKLM-x32 - {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
    BHO-x32: Babylon toolbar helper -> {2EECD738-5844-4a99-B4B6-146BF802613B} -> C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll (Babylon BHO)
    C:\Program Files (x86)\BabylonToolbar
    Toolbar: HKLM-x32 - Babylon Toolbar - {98889811-442D-49dd-99D7-DC866BE87DBC} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\BabylonToolbarTlbr.dll (Babylon Ltd.)
    Toolbar: HKCU - No Name - {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} -  No File
    DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} 
    Handler: cozi - {5356518D-FE9C-4E08-9C1F-1E872ECD367F} -  No File
    Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} -  No File
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npCouponPrinter.dll (Coupons, Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files (x86)\mozilla firefox\plugins\npMozCouponPrinter.dll (Coupons, Inc.)
    FF Extension: Babylon - C:\Users\Jonathan\AppData\Roaming\Mozilla\Firefox\Profiles\jcq5r0bn.default\Extensions\ffxtlbr@babylon.com [2012-03-19]
    CustomCLSID: HKU\S-1-5-21-1189556144-924377109-1105661301-1001_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.24.7\psuser_64.dll No File
    CustomCLSID: HKU\S-1-5-21-1189556144-924377109-1105661301-1001_Classes\CLSID\{B5B8593C-89BC-44a7-BCE3-32FE4FED7C5C}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Workspace\wbetoolsax64.dll No File
    CustomCLSID: HKU\S-1-5-21-1189556144-924377109-1105661301-1001_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll No File
    CustomCLSID: HKU\S-1-5-21-1189556144-924377109-1105661301-1001_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\Jonathan\AppData\Local\Google\Update\1.3.23.9\psuser_64.dll No File
    C:\Users\Jonathan\AppData\Roaming\Dealply
    Task: {057D054B-88CE-48CE-97B8-0938EBB589E4} - System32\Tasks\Dealply => C:\Users\Jonathan\AppData\Roaming\Dealply\UpdateProc\UpdateTask.exe [2013-08-31] () <==== ATTENTION
    Task: C:\Windows\Tasks\Dealply.job => C:\Users\Jonathan\AppData\Roaming\Dealply\UPDATE~1\UPDATE~1.EXE <==== ATTENTION
    HKU\S-1-5-21-1189556144-924377109-1105661301-1001\Software\Classes\exefile:  <===== ATTENTION!
    EmptyTemp:
    end
  • Click File, Save As and type fixlist.txt as the File Name.

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on FRST.gif icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
    > XP users click run after receipt of Windows Security Warning - Open File.
    > 8 users will be prompted about Windows SmartScreen protection - click More information and Run.
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please include it in your reply.



JRTbythisisu.png Fix with Junkware Removal Tool

Please download JRT by Thisisu and save the file to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on JRTbythisisu.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • Follow the prompts and let this process run uninterrupted.
  • This scan can take a while, depending on your System specs.
  • Upon completion, a log (JRT.txt) will open on your desktop.

Please include the contents of that file in your reply.
Do not forget to re-enable your previously switched off protection software!
Please also manually reboot your machine after this procedure.



adwcleaner_new.png Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.

  • Right-click on adwcleaner_new.png icon and select RunAsAdmin.jpg Run as Administrator to start the tool.
  • The program will begin to update the database (if internet connection is operational). Please wait a little bit.
  • Follow the prompts and click Scan.
  • When finished, please click Clean.
  • Upon completion, click Report. A log (AdwCleaner[S*].txt) will open.

Please include the contents of that file in your reply.


Radek Naathim Pawelczyk

Malware Removal Specialist

 

staff.png


#6 Naathim

Naathim

    Bleepin' Minion


  • Members
  • 435 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Poland
  • Local time:06:41 AM

Posted 07 November 2014 - 01:55 AM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

Radek Naathim Pawelczyk

Malware Removal Specialist

 

staff.png





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users