Chrome Infected with Open Software Updater & Google Analytics Malware


  • This topic is locked
11 replies to this topic

#1 techgnosis

techgnosis

  • Members
  • 66 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New York City Area
  • Local time:11:42 AM

Posted 19 March 2016 - 02:21 AM

My Google Chrome is infected with Open Software Updater & Google Analytics Malware.  The browser often redirects, opens pop ups and other sites, primarily Open Software Updater sites.  Also, when I go to news sites, it seems to control the ads on the pages, shields readable content and locks me out of the site.  I know it's Google-Analytics because that's what I can see loading on the left side of the browser, among possibly other sites.

 

I have Malwarebytes, Hitman, AdwCleaner.  AdwCleaner was somewhat effective in the beginning but not anymore.  The first two are just not effective.

 

 

Here're the FRST 64 version runs

 

 

===========================

Windows 8.1 2013, Kaspersky 2014 15.0.1.415(c). Dell XPS 8500; 3.4 GHz; 12 Gb RAM; 64-bit OS; 2TB HD



Edited by techgnosis, 19 March 2016 - 02:23 AM.



 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 40,499 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:42 AM

Posted 20 March 2016 - 07:48 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:
cmd: ipconfig /flushdns
cmd: IPCONFIG /release
cmd: IPCONFIG /renew

URLSearchHook: [S-1-5-21-2767479305-1133554152-2264245223-1001] ATTENTION => Default URLSearchHook is missing
BHO: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\x64\IEExt\OnlineBanking\online_banking_bho.dll => No File
BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
BHO-x32: Safe Money Plugin -> {9E6D0D23-3D72-4A94-AE1F-2D167624E3D9} -> C:\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\IEExt\OnlineBanking\online_banking_bho.dll => No File
FF HKLM\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files\VDownloader\Addons\FireFox => not found
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.87\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.87\pdf.dll => No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (McAfee SecurityCenter) - c:\PROGRA~2\mcafee\msc\NPMCSN~1.DLL => No File
CHR HKLM\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files\VDownloader\Addons\Chrome.crx <not found>
Task: {0D8A891D-890C-4808-84D8-2F436AB14653} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
Task: {1274336E-AB06-46B6-A48C-0671C5557CC6} - \Microsoft\Windows\TaskScheduler\Maintenance Configurator -> No File <==== ATTENTION
Task: {1687544D-7247-4F5A-965A-A6E920E55278} - \Microsoft\Windows\TaskScheduler\Manual Maintenance -> No File <==== ATTENTION
Task: {40525C58-79C2-47A1-9AA2-F1D7FC4F0691} - \Microsoft\Windows\WindowsBackup\ConfigNotification -> No File <==== ATTENTION
Task: {6F02587F-8A2B-4552-97F6-DEEF229E335B} - \Microsoft\Windows\TaskScheduler\Idle Maintenance -> No File <==== ATTENTION
Task: {B7992938-01F1-4F40-A0EC-0D23D2F0F152} - \Microsoft\Windows\TaskScheduler\Regular Maintenance -> No File <==== ATTENTION
Task: {CFD7C21A-808B-487B-A6EC-8A10E44E8360} - \Microsoft\Windows\SettingSync\BackupTask -> No File <==== ATTENTION

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Reset Chrome...
Open Google Chrome, click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.

====

Any remaining issues?
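
An added example, not part of nasdaq's post and not FRST's own code: a small Python triage of a fixlist like the one above, separating directives, entries whose target file is already gone, and entries that need a manual look. The missing-file markers it matches are assumed from the lines visible in this post only.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the fixlist posted above.
SAMPLE_FIXLIST = r"""start
CreateRestorePoint:
EmptyTemp:
cmd: ipconfig /flushdns
URLSearchHook: [S-1-5-21-2767479305-1133554152-2264245223-1001] ATTENTION => Default URLSearchHook is missing
BHO: No Name -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> No File
FF HKLM\...\Firefox\Extensions: [support@vdownloader.com] - C:\Program Files\VDownloader\Addons\FireFox => not found
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\49.0.2623.87\pdf.dll => No File
CHR HKLM\...\Chrome\Extension: [eoccbpoodnckjdnackiffhjfkogfhnhh] - C:\Program Files\VDownloader\Addons\Chrome.crx <not found>
Task: {0D8A891D-890C-4808-84D8-2F436AB14653} - \Microsoft\Windows\Application Experience\AitAgent -> No File <==== ATTENTION
End
"""

# Markers seen in this fixlist for an entry whose target file is gone.
ORPHAN = re.compile(r"[-=]>\s*(?:No File|not found)|<not found>", re.IGNORECASE)
# Bare "Name:" lines and "cmd: ..." lines are instructions, not entries.
DIRECTIVE = re.compile(r"^(?:cmd:.*|\w+:)$", re.IGNORECASE)

def parse_fixlist(text):
    """Classify each fixlist line as a directive, an orphan, or needing review."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower() in ("start", "end"):
            continue
        kind = line.split(":", 1)[0]
        if DIRECTIVE.match(line):
            status = "directive"
        elif ORPHAN.search(line):
            status = "orphan"
        else:
            status = "review"  # no missing-file marker: read it by hand
        # "CHR Plugin" and "BHO-x32" collapse to their family, "CHR" and "BHO".
        family = re.split(r"[ -]", kind, maxsplit=1)[0]
        entries.append({"status": status, "family": family, "line": line})
    return entries

def orphans_by_family(entries):
    """Count orphaned entries per family (BHO, CHR, FF, Task, ...)."""
    return Counter(e["family"] for e in entries if e["status"] == "orphan")

if __name__ == "__main__":
    parsed = parse_fixlist(SAMPLE_FIXLIST)
    print(dict(orphans_by_family(parsed)))
```

Entries that come back as "review" carry no missing-file marker, so they are the ones to read before anything is removed.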

#3 techgnosis


Posted 21 March 2016 - 04:15 PM

Hi Nasdaq and thanks for looking at my attachments.  For some reason FRST seems to stall and doesn't finish its run.  Do you think the malware/browser hijacker is causing this? In Chrome, it won't even let me access Bleeping Computer and I had to open up Firefox.  Thanks.



#4 techgnosis


Posted 22 March 2016 - 12:44 AM

Ok, ran ok this time.  The Fixlog.txt file is attached.  Thank you so much.

 




#5 nasdaq


Posted 22 March 2016 - 07:06 AM

Any remaining issues?

#6 techgnosis


Posted 22 March 2016 - 08:40 AM

Haven't tested the system yet to see if the Open Software Updater and Google Analytics are gone. But did the Fixlog.txt look okay?  I've been putting up online banking and paying bills through my work computer because of this.  Look clean?  Thanks.

 




#7 nasdaq


Posted 22 March 2016 - 12:53 PM

It looks clean from what I can identify.

There could be some remnant items.

Run an online scan with Eset (easiest with Internet Explorer): http://www.eset.com/onlinescan/
To shorten the scanning time disable your antivirus program while scanning.

Select Enable detection of potentially unwanted applications.
Click Advanced Settings.

Select:
Scan Archives
Scan for potentially unsafe applications
Enable Anti-Stealth Technology


Click Start.

When the scan is finished, click on List of found threats and then Export to text file. Copy the content of the text file and paste its content in your reply.

This may take a while; run it when you know you will not need the computer for an hour or two.
<<<>>>

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#8 techgnosis


Posted 23 March 2016 - 06:12 PM

Hi, here's the Eset run.  Should I delete these files?
 
===========================
C:\AdwCleaner\Quarantine\C\Users\Sklel\AppData\Local\Conduit\APISupport\APISupport.dll.vir a variant of Win32/Conduit.SearchProtect.N potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Sklel\AppData\Local\Conduit\APISupport\APISupport.old.vir a variant of Win32/Conduit.SearchProtect.N potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Sklel\AppData\Local\Conduit\APISupport\APISupport_2.0.5.9\ApiSupport.dll.vir a variant of Win32/Conduit.SearchProtect.N potentially unwanted application
C:\Users\Sklel\Downloads\installer.zip a variant of Win32/InstallCore.ACZ potentially unwanted application

Edited by techgnosis, 23 March 2016 - 06:13 PM.


#9 nasdaq


Posted 24 March 2016 - 09:35 AM

All you have to do is delete the files in the folder in bold, NOT the folder.

C:\AdwCleaner\Quarantine

And delete this file in the Download folder.
C:\Users\Sklel\Downloads\installer.zip

#10 techgnosis


Posted 29 March 2016 - 12:33 AM

Hi, thanks so much for your help. I think I'm alright here.  I have another computer that's running into some trouble but I'll start another thread for that.  I think we can close this one out.  Thank you again so much for your help.  The computer has been freed.



#11 nasdaq


Posted 29 March 2016 - 07:30 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#12 nasdaq


Posted 04 April 2016 - 07:45 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



