
I think I may be infected with the Google Chrome virus



#1 dclayw


Posted 12 March 2015 - 11:10 PM

I am running Windows XP Pro SP3. I started having problems a few days ago when Chrome started using 50% CPU continuously, seemingly after visiting certain web pages. Nothing peculiar about these web pages, just general browsing including pdfs etc. It happened several times and Chrome would become unusable. I couldn't shut it down so had to kill it via task manager and then restart, would happen again some time later.

 

After a day or so I started getting the "Google Chrome has encountered a problem and needs to close" message every time I start Chrome. Even though this message pops up at Chrome startup, if I don't click Close, Chrome continues to run and seems perfectly usable, although I'm not doing too much with it right now as I want to get to the bottom of this problem.

 

My problems appear to have started when a new version of Chrome came in (via gupdate I believe). I was running Chrome 40.0.2214.115 without problems. The new version is now 41.0.2272.89. This new version seems to coincide with the Chrome startup error message but I think I was having the 50% CPU issue before this new version came in (not sure). When Chrome is updated it appears that the previous version is left intact (but renamed). I tried running this previous version but get the same Chrome startup error message.

 

I then did the usual things like clear browsing history/cache/cookies etc, all to no avail. I then uninstalled and reinstalled Chrome, still get the same startup error message after re-installation. Then started googling and came across the Google Update/Google Redirect/Google Chrome virus and started going down that path. I downloaded Malwarebytes and renamed it but it would not run. This gave me the first indication that I may in fact be infected. Then started following the manual removal process outlined here: http://www.brighthub.com/internet/security-privacy/articles/73919.aspx

 

I checked LAN settings, proxy and DNS settings look OK and Hosts file looks OK. RKill will not run, even if I rename it. Also tried running TDSSKiller from Kaspersky (also renaming it) but it would not run.

 

So I am unsure if I am infected. But the fact that I am unable to run diagnostic/removal tools indicates to me that I am probably infected. Would appreciate any assistance as to where I can go from here.




#2 buddy215


Posted 13 March 2015 - 12:40 PM

Welcome to BC !

 

Yes, what you report does sound like malware is the problem. If you have access to another computer then do this: (instructions copied from olgun52...thanks!)

 

Go to a clean PC.

  • Download the .iso image file.
  •  Create a CD (or flash drive if you prefer).
  • At the infected PC: put the disk in the drive and reboot.

Follow the directions here, but you will find some differences.
 
Download and create a bootable Kaspersky Rescue Disk CD
 
1. Download the Kaspersky Rescue Disk ISO image from below.
 
 Kaspersky Rescue Disk Download Link (This link will open a new page from where you can download Kaspersky Rescue Disk ISO)
 
2. Download ImgBurn, a software that will help us create this bootable disk. (If you already have necessary software, use that)
 
 IMGBURN Download Link (This link will open a new page from where you can download ImgBurn)
3. You can now insert your blank DVD/CD in your burner.
 
4. Install ImgBurn by following the prompts and then start this program.
 
5. Click on the Write image file to disc button.
 
6. Under 'Source' click on the Browse for file button, then browse to the location where you previously saved the Kaspersky Rescue Disk ISO file (kav_rescue_10.iso).
 
7. Click on the big Write button.
 
8. The disc creation process will now start and it will take around 5-10 minutes to complete.
 
Configure the computer to boot from CD-ROM
 
On some machines, if you restart the computer and repeatedly tap the F11 key it should bring up the Boot Menu, from there you can select to boot from the CD.
If this doesn't happen then you'll need to configure your computer to boot from a CD like you'll see below.
 
1. Use the Delete or F2 keys to load the BIOS menu. Information on how to enter the BIOS menu is displayed on the screen at the start of the OS boot.
 
2. In your PC BIOS settings select the Boot menu and set CD/DVD-ROM as a primary boot device.
 
3. Insert your Kaspersky Rescue Disk and restart your computer.
 
Boot your computer from Kaspersky Rescue Disk
 
1. Your computer will now boot from the Kaspersky Rescue Disk, and you'll be asked to press any key to proceed with this process.
 
 
2. In the start up wizard window that will open, select your language using the cursor moving keys. Press the ENTER key on the keyboard.
 
 
3. On the next screen, select Kaspersky Rescue Disk. Graphic Mode then press ENTER.
 
 
4. The End User License Agreement of Kaspersky Rescue Disk will be displayed on the screen. Read carefully the agreement then press the C button on your keyboard.
 
5. Once the actions described above have been performed, the Kaspersky operating system will start.
 
Launch Kaspersky WindowsUnlocker to remove the malicious registry changes
 
This ransomware trojan has modified your Windows system registry so that when you're trying to boot your computer it will instead launch its lock screen. To remove these malicious registry changes we need to use the Kaspersky WindowsUnlocker from Kaspersky Rescue Disk.
 
1. Click on the Start button located in the left bottom corner of the screen and select the Kaspersky WindowsUnlocker.
 
 
IF you can't find the WindowsUnlocker button, you can select Terminal and in the command prompt type windowsunlocker and then press Enter on the keyboard.
 
2. A white colored console window will appear and will automatically start loading the registry files for scanning and disinfection. The whole process will take only a couple of seconds and after this process you should be able to boot your computer in normal mode.
 
 
Scan your system with Kaspersky Rescue Disk
 
1. Click on the Start button located in the left bottom corner of the screen and select the Kaspersky Rescue Disk then click on My Update Center and press Start update.
 
 
2. When the update process has completed, the light at the top of the window will turn green, and the databases release date will be updated.
 
 
3. Click on the Objects Scan tab, then click Start Objects Scan to begin the scan.
 
 
4. If any malicious items are found, the default settings are to prompt you for action with a red popup window on the bottom right. Delete is the recommended action in most cases but we strongly recommend that you try first to disinfect, and if it doesn't work choose to quarantine the infected files just to be on the safe side.
 
 
5. When all detected items have been processed and removed, the light in the window will turn green and the scan will show as completed.
 
 
6. When done you can close the Kaspersky Rescue Disk window and use the Start Menu to Restart the computer.
 
7. When booted back into Windows, navigate to Start > Computer > C:\Kaspersky Rescue Disk 10.0. Open the folder; inside is the log from the KRD run, named "ScanObject". Copy/paste that file to your reply.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#3 dclayw


Posted 16 March 2015 - 08:59 PM

Thanks for the comprehensive instructions. My PC became very quickly unusable, started blue screening at startup and could not even boot into safe mode. I do take partition images periodically (using Seagate DiskWizard). I decided to restore my latest partition image for my boot drive. It was a few months old but would only require minimal re-configuration after I restored it. To make matters a bit more complicated my DVD drive decided it didn't want to work anymore. I think that was more a coincidence than anything related to the trojan.

 

So, rather than using my Seagate rescue CD I had to make new rescue s/w on USB and boot from that to restore my latest partition backup. All good after the restore, although I had to re-install 1 or 2 applications and do some minor reconfiguration. I keep all my data on separate drives (all backed up of course) and I'm unsure if any of that would have been infected in any way. No problems so far. I do run Spybot regularly and it didn't pick up any problems after the partition restore.

 

Thanks again for your feedback. The Kaspersky boot and scan tools are useful to know about.



#4 buddy215


Posted 17 March 2015 - 07:12 AM

A suggestion....Get a more reliable and useful security program than Spybot S&D. That program fell out of favor years ago. Suggest a better program such as Malwarebytes Anti-Malware Free.

 

Happy surfin'...

