infected now chrome wont work or anything else dgbhelp.dll


  • This topic is locked
14 replies to this topic

#1 nycpsychic

  • Members
  • 57 posts

Posted 25 November 2016 - 05:39 PM

I had a moderator send me a message but I wasn't able to log on for more than 5 days so they closed it. They did recommend I download FRST and post the log, so now I'm back and here is the log.

 

 

Attached Files




#2 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 26 November 2016 - 10:35 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2783456457-3716096558-3553906738-1006\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}&s_it=adknowledgeaol-ie&s_qt=sb&tb_uuid=2013041590350934&tb_oid=15-04-2013 &tb_mrud=15-04-2013
SearchScopes: HKU\S-1-5-21-2783456457-3716096558-3553906738-1006 -> {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=843&q={searchTerms}&s_it=adknowledgeaol-ie&s_qt=sb&tb_uuid=2013041590350934&tb_oid=15-04-2013 &tb_mrud=15-04-2013
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll => No File
FF Extension: (ShopAtHome) - C:\Users\cyg_server\AppData\Roaming\Mozilla\Firefox\Profiles\07g08j9h.default\Extensions\toolbar@shopathome.com.xpi [2015-01-13] [not signed]
CHR Extension: (Flash Video Downloader) - C:\Users\cyg_server\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc [2016-11-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\cyg_server\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-01]
CHR Extension: (Chrome Media Router) - C:\Users\cyg_server\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-06]
CHR HKLM\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [flliilndjeohchalpbbcdekjklbdgfkk] - hxxps://clients2.google.com/service/update2/crx
S2 ehRecvr; %systemroot%\ehome\ehRecvr.exe [X]
S2 ehSched; %systemroot%\ehome\ehsched.exe [X]
S2 sshd; C:\cygwin\bin\cygrunsrv.exe [X]
U3 awrblqnb; C:\Windows\System32\Drivers\awrblqnb.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
S3 RtsUIR; system32\DRIVERS\Rts516xIR.sys [X]
S3 USBCCID; system32\DRIVERS\RtsUCcid.sys [X]
Task: {152531EF-68B2-4E0F-8DEC-6C793D6F2989} - System32\Tasks\{41B71BF7-0C2C-47D9-A343-1D4B0537E163} => Firefox.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=7.21.0.100&LastError=-9
Task: {A536ED1E-21FA-4E1B-B573-1E7EFBBB5FE8} - System32\Tasks\{D7694AA1-2136-42CC-B232-2C6806525D04} => Firefox.exe hxxp://ui.skype.com/ui/0/6.1.0.129.272/en/go/help.faq.installer?LastError=1603
C:\Users\cyg_server\AppData\Roaming\Mozilla\Firefox\Profiles\07g08j9h.default\Extensions\toolbar@shopathome.com.xpi
C:\Users\cyg_server\AppData\Local\Google\Chrome\User Data\Default\Extensions\aiimdkdngfcipjohbjenkahhlhccpdbc
C:\Users\cyg_server\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm
C:\Windows\System32\Drivers\awrblqnb.sys

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.

===

Reset Chrome...
Open Google Chrome and click on the menu icon located at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Clear your cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Restart Chrome.
===

Update the programs using the instructions for each appropriate program.

JAVA

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as Java update!
Important read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882
===

ADOBE SHOCKWAVE

Navigate to this page and follow the instructions to get the latest version.
https://www.adobe.com/shockwave/welcome/

=====

ADOBE AIR

Navigate to this page and follow the instructions to get the latest version.
https://get.adobe.com/air/

Remove them via the Control Panel >Programs > Programs and Features if still present.
Adobe AIR (HKLM-x32\...\Adobe AIR) (Version: 17.0.0.144 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM-x32\...\Adobe Shockwave Player) (Version: 12.1.1.151 - Adobe Systems, Inc.)
Java 7 Update 55 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F83217055FF}) (Version: 7.0.550 - Oracle)
===

Please post the Fixlog.txt and let me know what problem persists with this computer.
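As an added example (not part of this thread, and not FRST's own code), a small Python parser for lines in the format of the FRST entries quoted in the fixlist above: it sorts each line into the section it came from and collects the markers FRST puts on an entry (ATTENTION, [X], => No File, [not signed], zero byte), so the flagged items can be reviewed before anything goes into a fixlist. The sample log is constructed from the entries above; the section names and reason tags are my own choices.

```python
import re

# Constructed sample in the shape of the FRST entries quoted in the fixlist
# above; a handful of lines, not the full log.
SAMPLE_LOG = r"""
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {443789B7-F39C-4b5c-9287-DA72D38F4FE6} URL = hxxp://slirsredirect.search.aol.com/redirector/sredir?q={searchTerms}
BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll => No File
FF Extension: (ShopAtHome) - C:\Users\cyg_server\AppData\Roaming\Mozilla\Firefox\Profiles\07g08j9h.default\Extensions\toolbar@shopathome.com.xpi [2015-01-13] [not signed]
CHR Extension: (Chrome Media Router) - C:\Users\cyg_server\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-11-06]
S2 sshd; C:\cygwin\bin\cygrunsrv.exe [X]
U3 awrblqnb; C:\Windows\System32\Drivers\awrblqnb.sys [0 ] (Microsoft Corporation) <==== ATTENTION (zero byte File/Folder)
"""

# Markers FRST prints on an entry, mapped to a short reason tag (tags are my own).
MARKERS = {
    "ATTENTION": "attention",        # FRST's own red flag
    "[X]": "missing-binary",         # service/driver whose file is gone
    "=> No File": "missing-binary",  # BHO/CLSID pointing at a deleted file
    "[not signed]": "unsigned",      # browser extension without a signature
    "zero byte": "zero-byte",        # 0-byte driver file: a stub worth checking
}
PATH_RE = re.compile(r"((?:[A-Za-z]:|%systemroot%|system32)\\.+?\.(?:dll|exe|sys|xpi))\b", re.I)
SERVICE_RE = re.compile(r"^[SRU]\d\s+\S+;")  # e.g. "S2 sshd;" or "U3 awrblqnb;"
SECTIONS = ("SearchScopes", "BHO", "FF Extension", "CHR Extension", "Task")

def classify(line):
    """Map a log line onto the FRST section it came from."""
    if line.startswith("HK") and ": Restriction" in line:
        return "policy-restriction"
    for prefix in SECTIONS:
        if line.startswith(prefix + ":"):
            return prefix.lower().replace(" ", "-")
    return "service-or-driver" if SERVICE_RE.match(line) else "other"

def parse_frst(text):
    """One dict per non-empty line: section, file path (if any), reason tags."""
    findings = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = PATH_RE.search(line)
        findings.append({
            "kind": classify(line),
            "path": m.group(1) if m else None,
            "reasons": sorted({tag for marker, tag in MARKERS.items() if marker in line}),
        })
    return findings

def flagged(text):
    """Only the entries an analyst should look at first."""
    return [f for f in parse_frst(text) if f["reasons"]]
```

Entries that carry no marker (the Chrome Media Router extension, for instance) come back with an empty reason list, which is the cue to leave them alone rather than add them to a fixlist.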

#3 nycpsychic

  • Topic Starter
  • Members
  • 57 posts

Posted 26 November 2016 - 11:19 AM

OK, I did everything you said. I updated Adobe, Java, and Shockwave, except with Chrome: when I try to launch it I get a box that comes up and says "The program can't start because dbghelp.dll is missing from your computer".

 

Thank you for your help

 

 

 

Attached Files



#4 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 27 November 2016 - 09:56 AM


The program can't start because dbghelp.dll is missing from your computer


Let's find out if you have a good copy on your computer.

Please run the Farbar Recovery Scan Tool. Enter dbghelp.dll in the Search Box and hit the File Search button.
Post the content of the Search.txt in your next reply.

#5 nycpsychic

  • Topic Starter
  • Members
  • 57 posts

Posted 27 November 2016 - 11:48 AM

ok here it is

Attached Files



#6 nycpsychic

  • Topic Starter
  • Members
  • 57 posts

Posted 01 December 2016 - 10:16 AM

hello?



#7 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 December 2016 - 09:16 AM

Sorry about this late reply. I did see your post and I had prepared an answer. I must have been distracted and did not send it.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
CloseProcesses:
Replace: C:\Windows\winsxs\x86_microsoft-windows-imageanalysis_31bf3856ad364e35_6.1.7601.17514_none_4a6381a588654ba6\dbghelp.dll C:\Windows\System32\dbghelp.dll

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is Chrome now?

p.s.
I normally answer my topics within 36 hours.
Do not hesitate to contact when it happens again.

#8 nycpsychic

  • Topic Starter
  • Members
  • 57 posts

Posted 02 December 2016 - 10:24 AM

The error message went away (dbghelp.dll) but it won't start, so I re-downloaded the Chrome setup and ran it, and nothing. It's weird, as I tried to download Avast and during setup it stops.

Attached Files



#9 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 December 2016 - 07:53 AM

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run the whole script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.


--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Download Farbar's Service Scanner utility
http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/
and Save to your Desktop.
If using Windows 7 or Vista, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===

Post the logs and let me know what problem persists.

#10 nycpsychic

  • Topic Starter
  • Members
  • 57 posts

Posted 03 December 2016 - 06:54 PM

Still the same thing. In fact, when zoek.exe launched it got stuck at the end, with the same message about dbghelp.dll when it got to the killtask.exe part.

Attached Files



#11 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 December 2016 - 08:34 AM

Check the integrity of the operating system files.
How to run sfc /Scannow
http://support.microsoft.com/kb/929833

When completed refer to the Microsoft article again and follow the instructions to view details of the System File Checker process

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.

#12 nycpsychic

  • Topic Starter
  • Members
  • 57 posts

Posted 04 December 2016 - 04:15 PM

Chrome is now working, but when I tried to open or upload the CBS log it said I had no access, and in my menu I no longer have "run this as admin"?



#13 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 December 2016 - 10:00 AM

The file is probably very large.

If all is well forget about it.

#14 nycpsychic

  • Topic Starter
  • Members
  • 57 posts

Posted 05 December 2016 - 11:06 AM

LOL, ok thank you so much for your help :)



#15 nasdaq

  • Malware Response Team
  • 39,179 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 December 2016 - 02:26 PM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



