

Virus- Google Chrome - I don't have google chrome


This topic is locked
27 replies to this topic

#1 MaximusTX

MaximusTX

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 29 October 2014 - 04:31 PM

Hello!  I am plagued by what I assume is a virus calling itself "google chrome."  I do not nor have I ever downloaded google chrome as an operating system; I run IE and it's fine.  However, in the following place:  Appdata-LocalLow.  There is a google chrome icon called "Vchoojpvy.exe" that cannot be deleted.  How do I get rid of it?!  Thank you so, so much.


Edited by MaximusTX, 29 October 2014 - 04:51 PM.



#2 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 29 October 2014 - 05:17 PM

I downloaded farbar and have attached logs.

Attached Files



#3 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:37 AM

Posted 29 October 2014 - 07:08 PM

Hi. I'm checking your log now and will reply with instructions soon.

#4 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 29 October 2014 - 07:44 PM

Thank you very much.



#5 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:37 AM

Posted 30 October 2014 - 09:36 AM

Is this a personal computer or a company owned computer?

#6 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 30 October 2014 - 11:43 AM

It's my company. I use this computer for both personal and business.



#7 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:37 AM

Posted 30 October 2014 - 01:36 PM

Please follow these steps:

1.- Open notepad. Please copy the contents of the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
Save it to your Desktop as fixlist.txt
 
CloseProcesses:
HKU\S-1-5-21-4185530137-3615135834-1674662940-1000\...\Run: [Kbwzwza] => regsvr32.exe /s "C:\Users\Imagio Consulting\AppData\Local\DataSafeOnline\Kbwzwza.dll" <===== ATTENTION
C:\Users\Imagio Consulting\AppData\Local\DataSafeOnline\Kbwzwza.dll
ProxyServer: localhost:8080
BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll No File
Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll No File
Toolbar: HKLM-x32 - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
S4 McAfee SiteAdvisor Service; "C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe" [X]
S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 cleanhlp; \??\C:\Program Files (x86)\Emsisoft Anti-Malware\cleanhlp64.sys [X]
S3 gfiark; system32\drivers\gfiark.sys [X]
S3 PcdrNdisuio; syswow64\drivers\pcdrndisuio.sys [X]
S3 PCDSRVC{1E208CE0-FB7451FF-06020200}_0; \??\c:\program files\dell support center\pcdsrvc_x64.pkms [X]
S2 sbapifs; system32\DRIVERS\sbapifs.sys [X]
S1 SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [X]
CustomCLSID: HKU\S-1-5-21-4185530137-3615135834-1674662940-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Imagio Consulting\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File
2014-10-29 15:27 - 2014-10-29 15:27 - 00718152 _____ () C:\Users\Imagio Consulting\AppData\LocalLow\ID Vault\Jpsaajhm\xdmccgv\36.0.1985.143\libglesv2.dll
2014-10-29 15:27 - 2014-10-29 15:27 - 00126280 _____ () C:\Users\Imagio Consulting\AppData\LocalLow\ID Vault\Jpsaajhm\xdmccgv\36.0.1985.143\libegl.dll
2014-10-29 15:27 - 2014-10-29 15:27 - 08537928 _____ () C:\Users\Imagio Consulting\AppData\LocalLow\ID Vault\Jpsaajhm\xdmccgv\36.0.1985.143\pdf.dll
2014-10-29 15:27 - 2014-10-29 15:27 - 00353096 _____ () C:\Users\Imagio Consulting\AppData\LocalLow\ID Vault\Jpsaajhm\xdmccgv\36.0.1985.143\ppGoogleNaClPluginChrome.dll
2014-10-29 15:27 - 2014-10-29 15:27 - 01732936 _____ () C:\Users\Imagio Consulting\AppData\LocalLow\ID Vault\Jpsaajhm\xdmccgv\36.0.1985.143\ffmpegsumo.dll
EmptyTemp:
NOTICE: This script was written specifically for this user, for use on that particular machine.
Running this on another machine may cause damage to your operating system


Run FRST and press the Fix button just once and wait.
The tool will make a log on your desktop (Fixlog.txt) please post it to your reply.

2.- Run FRST again, check Addition.txt, press Scan and attach both reports.

3.- Download AdwCleaner by Xplode onto your Desktop.
  • Double click on Adwcleaner.exe to run the tool.
  • Click on Scan
  • Once the scan is done, click on the Clean button.
  • You will get a prompt asking to close all programs. Click OK.
  • Click OK again to reboot your computer.
  • A text file will open after the restart. Please post the content of that logfile in your reply.
  • You can also find the logfile at C:\AdwCleaner[Sn].txt ('n' represents the number of the most recent report).
4.- Please download RogueKiller and Save to the desktop.
  • Close all windows and browsers
  • Double click on RogueKillerX64.exe to run the tool.
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please post it in your next reply.

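As an added example, not part of the thread and not code from FRST or from the helper, here is a small Python triage script that applies defender-side heuristics to FRST log lines of the kind quoted in the fixlist above. The rule names, severities and the benign control lines (a Windows Defender Run entry and a Chrome DLL inside the real Chrome directory) are my own assumptions; the suspicious sample lines are taken from the fixlist. It flags an autorun entry that loads a DLL through regsvr32 /s from a user-writable directory, a system proxy pointed at localhost, Chrome component DLLs living outside the Chrome install directory on a machine that never had Chrome, and leftover service, BHO and plugin registrations whose files are gone.

```python
"""Triage heuristics for FRST (Farbar Recovery Scan Tool) log lines.

Added example: the rules are the author's own heuristics, not FRST logic.
SAMPLE_LINES are constructed from the entries quoted in the thread plus two
benign control lines for contrast.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Directories an ordinary user can write to. Code launched from here by an
# autorun entry deserves a closer look than code under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.IGNORECASE)

# DLLs shipped with Google Chrome. Seeing them outside the Chrome install
# directory on a machine that never had Chrome hints at masquerading.
CHROME_COMPONENTS = {"libglesv2.dll", "libegl.dll", "pdf.dll", "ffmpegsumo.dll",
                     "ppgooglenaclpluginchrome.dll"}
CHROME_DIR = re.compile(r"\\Google\\Chrome\\", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    severity: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Apply every rule to one FRST line and return the findings (possibly none)."""
    findings: list[Finding] = []
    low = line.lower()

    # Rule 1: Run/RunOnce entry that launches a DLL via regsvr32 /s or rundll32
    # from a user-writable directory (the Kbwzwza.dll entry in the fixlist).
    if (re.search(r"\\Run(Once)?: \[", line)
            and ("regsvr32" in low or "rundll32" in low)
            and USER_WRITABLE.search(line)):
        findings.append(Finding("autorun-dll-userwritable", "high", line))

    # Rule 2: system proxy pointed at the local host, which lets software on
    # the machine sit in the middle of the browser's traffic.
    m = re.match(r"ProxyServer:\s*(\S+)", line)
    if m and re.match(r"(localhost|127\.0\.0\.1)(:\d+)?$", m.group(1), re.IGNORECASE):
        findings.append(Finding("proxy-localhost", "high", line))

    # Rule 3: Chrome component DLL outside the Chrome install directory.
    base = line.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()
    if base in CHROME_COMPONENTS and not CHROME_DIR.search(line):
        findings.append(Finding("chrome-dll-out-of-place", "medium", line))

    # Rule 4: service/driver whose binary is missing ([X]) or a BHO/toolbar/
    # plugin/CLSID whose file is gone (No File). Leftovers, low risk, worth cleaning.
    if re.match(r"[SR]\d ", line) and line.rstrip().endswith("[X]"):
        findings.append(Finding("service-missing-binary", "low", line))
    if line.rstrip().endswith("No File") and re.match(
            r"(BHO|Toolbar|FF Plugin(-x32)?|CustomCLSID):", line):
        findings.append(Finding("orphaned-component", "low", line))

    return findings


def summarize(lines: list[str]) -> dict[str, int]:
    """Count findings per rule over a whole log."""
    counts: Counter[str] = Counter()
    for line in lines:
        for f in triage_line(line):
            counts[f.rule] += 1
    return dict(counts)


# Constructed sample: fixlist entries from the thread plus two benign controls.
SAMPLE_LINES = [
    r'HKU\S-1-5-21-4185530137-3615135834-1674662940-1000\...\Run: [Kbwzwza] => regsvr32.exe /s "C:\Users\Imagio Consulting\AppData\Local\DataSafeOnline\Kbwzwza.dll" <===== ATTENTION',
    r"ProxyServer: localhost:8080",
    r"BHO: McAfee SiteAdvisor BHO -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll No File",
    r"Toolbar: HKLM - McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~2\mcafee\SITEAD~1\x64\mcieplg.dll No File",
    r"Toolbar: HKLM-x32 - No Name - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} -  No File",
    r"FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll No File",
    r"FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File",
    r'S4 McAfee SiteAdvisor Service; "C:\Program Files (x86)\McAfee\SiteAdvisor\McSACore.exe" [X]',
    r"S1 AntiLog32; \??\C:\Windows\system32\drivers\AntiLog64.sys [X]",
    r"S3 catchme; \??\C:\ComboFix\catchme.sys [X]",
    r"CustomCLSID: HKU\S-1-5-21-4185530137-3615135834-1674662940-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\Imagio Consulting\AppData\Roaming\Dropbox\bin\Dropbox.exe /autoplay No File",
    r"2014-10-29 15:27 - 2014-10-29 15:27 - 00718152 _____ () C:\Users\Imagio Consulting\AppData\LocalLow\ID Vault\Jpsaajhm\xdmccgv\36.0.1985.143\libglesv2.dll",
    r"2014-10-29 15:27 - 2014-10-29 15:27 - 08537928 _____ () C:\Users\Imagio Consulting\AppData\LocalLow\ID Vault\Jpsaajhm\xdmccgv\36.0.1985.143\pdf.dll",
    # Benign controls (constructed): a normal Run entry and Chrome's own DLL.
    r"HKLM\...\Run: [SecurityHealth] => C:\Program Files\Windows Defender\MSASCuiL.exe",
    r"2014-10-29 15:27 - 2014-10-29 15:27 - 00718152 _____ () C:\Program Files (x86)\Google\Chrome\Application\36.0.1985.143\libglesv2.dll",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for f in triage_line(line):
            print(f"[{f.severity:6}] {f.rule:26} {f.line[:80]}")
    print(summarize(SAMPLE_LINES))
```

The two "high" rules are the ones that matter for this thread: the Run entry is what re-launches the renamed "Chrome" every logon, and the localhost proxy is what puts that software between the browser and the network, which is why a fixlist removes both rather than only deleting the visible .exe. The "low" rules only list stale registrations; they are clean-up, not evidence of infection.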

#8 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 30 October 2014 - 02:41 PM

Thank you for assisting me with this trouble.  Here are the requested logs.

Attached Files



#9 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:37 AM

Posted 30 October 2014 - 09:25 PM

MaximusTX, we have run into a unique issue with one of the tests and will post back as soon as we have more information.

#10 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 31 October 2014 - 12:09 AM

Ok.  I await your direction.



#11 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 31 October 2014 - 12:13 AM

FYI.  Throughout this entire process, I disconnected computer from internet when not performing scans/tests/fixtures etc.  I also disabled Norton's virus protection during downloads and performances.



#12 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 31 October 2014 - 10:24 PM

Any progress???



#13 Rootk

Rootk

  • Malware Response Team
  • 234 posts
  • OFFLINE
  • Gender:Male
  • Location:Easter Island, Chile.
  • Local time:02:37 AM

Posted 01 November 2014 - 07:48 PM

Please follow these steps:

1.- Re-run RogueKiller and press the Scan button.
Once the scan is done, click the Registry tab.
Place a checkmark on the following items:
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670} -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670} -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EEE6C35C-6118-11DC-9C72-001320C79847} -> Found
[PUP] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Windows\CurrentVersion\Run | SweetIM : C:\Program Files\SweetIM\Messenger\SweetIM.exe  -> Found
[PUP] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Windows\CurrentVersion\Run | SweetIM : C:\Program Files\SweetIM\Messenger\SweetIM.exe  -> Found
[PUP] (X64) HKEY_USERS\RK_Jimi_ON_D_77E8\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe  -> Found
[PUP] (X86) HKEY_USERS\RK_Jimi_ON_D_77E8\Software\Microsoft\Windows\CurrentVersion\Run | Search Protection : C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_AF97\ControlSet001\Services\catchme -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_AF97\ControlSet002\Services\catchme -> Found
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Internet Explorer\Main | Start Page : http://www.yahoo.com/  -> Found
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Internet Explorer\Main | Start Page : http://www.yahoo.com/  -> Found
[PUM.HomePage] (X64) HKEY_USERS\RK_Administrator_ON_D_13DB\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.att.com  -> Found
[PUM.HomePage] (X86) HKEY_USERS\RK_Administrator_ON_D_13DB\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.att.com  -> Found
[PUM.HomePage] (X64) HKEY_USERS\RK_Jimi_ON_D_77E8\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yahoo.com/  -> Found
[PUM.HomePage] (X86) HKEY_USERS\RK_Jimi_ON_D_77E8\Software\Microsoft\Internet Explorer\Main | Start Page : http://www.yahoo.com/  -> Found
[PUM.SearchPage] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Internet Explorer\Main | Search Page : http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com  -> Found
[PUM.SearchPage] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Internet Explorer\Main | Search Page : http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com  -> Found
[PUM.SearchPage] (X64) HKEY_USERS\RK_Jimi_ON_D_77E8\Software\Microsoft\Internet Explorer\Main | Search Page : http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com  -> Found
[PUM.SearchPage] (X86) HKEY_USERS\RK_Jimi_ON_D_77E8\Software\Microsoft\Internet Explorer\Main | Search Page : http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_AF97\ControlSet001\Services\Tcpip\Parameters\Interfaces\{55165F37-EDD5-4B1F-B1FE-C6B0DC2D7F8C} | DhcpNameServer : 68.87.85.98 68.87.69.146 68.87.78.130 [UNITED STATES (US)]  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_AF97\ControlSet002\Services\Tcpip\Parameters\Interfaces\{55165F37-EDD5-4B1F-B1FE-C6B0DC2D7F8C} | DhcpNameServer : 68.87.85.98 68.87.69.146 68.87.78.130 [UNITED STATES (US)]  -> Found
[PUM.StartMenu] (X64) HKEY_USERS\RK_Jimi_ON_D_77E8\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\RK_Jimi_ON_D_77E8\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2  -> Found
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\RK_Software_ON_D_E999\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1  -> Found
Click on the Delete button.
A report has been created on the Desktop. Please post it in your next reply.

2.- Run RogueKiller again.
  • Press the scan button.
  • Once the scan is done, click on Report.
  • A log file will open; please copy/paste the contents of that file into your next reply.
3.- Open Malwarebytes Anti-Malware

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Please update the database by clicking on the Update Now button as shown below.
    (screenshot: Update Now button)
  • Following the update, click Settings > Detection and Protection and make sure Scan for Rootkits is checked.
    (screenshot: MBAM rootkit setting)
  • Click on Dashboard, then click on the large green Scan Now button to begin the Threat Scan.
    If Malware or Potentially Unwanted Programs are found you will receive a Prompt so that you can decide what you want to do. I suggest "Quarantine". Click the button: Apply All Actions.
  • A window with an option to view the detailed log will appear. Click on View Detailed Log.
    (screenshot: Threat Scan results)
  • After viewing the results, please click on the Copy to Clipboard button > OK.
    (screenshot: scan log)
  • Return to our forum. Paste your log into your next reply.
  • Note: If you lose the Clipboard copy and need to retrieve the log again, it can be found by opening Malwarebytes and clicking on History > Application Logs with the date of the scan. Simply double-click on that in order to see the options for Copying to Clipboard or to Export to a .txt file (Notepad), etc. The .txt file can be saved and posted when you are ready.

4.- Go to Eset web page and run an online scanner from ESET. (You will need to use Internet Explorer for this scan.)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click on Run ESET Online Scanner button.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options below are ticked.
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Start.
  • Wait for the scan to finish.
  • Use Notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt and copy and paste the results here in this topic.


#14 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 01 November 2014 - 09:06 PM

A quick question before I continue with your solution.  I noticed that Rogue Killer identified the following:


[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_AF97\ControlSet001\Services\catchme -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\RK_System_ON_D_AF97\ControlSet002\Services\catchme -> Found


Is this something that needs to be addressed? Thanks.



#15 MaximusTX

MaximusTX
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:11:37 PM

Posted 01 November 2014 - 09:22 PM

In my haste, I didn't notice that those items are a part of your deletion package. My apologies.





