Chromium and other problems.



#1 JoaoMC22

JoaoMC22

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:53 PM

Posted 07 January 2017 - 10:33 PM

If anyone doesn't know, Chromium is malware that fakes Google Chrome with the purpose of filling you with ads, and it regenerates itself in the Task Manager.

 

Some days ago I downloaded this thing and blablabla[...] accidentally installed Chromium with it. I removed it using Revo Uninstaller, because I couldn't with the Control Panel. After some days it just appeared again all of a sudden, like, installed (???). However, I followed the same process, and this time SpyHunter showed an installer in AppData; it was named Sasa or something like that (I removed it, so I don't really remember), saying it was a type of malware or something like that which would install programs without my knowledge. I removed it; however, today I started the computer and the same crap is happening, but it's kind of worse now. Chromium is gone but it's the same: multiple Task Manager processes, but now it has spread to more than just Chrome; it's on Steam, Spotify, etc. Can anyone help me?

 

 


 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,512 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:53 PM

Posted 08 January 2017 - 09:44 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system:
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens, click Yes to the disclaimer.
Press the Scan button.
It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it into your reply.
The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "More Reply Options" button.
Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.
Click the Add Reply button.
===


Please post both logs for my review.

Wait for further instructions.

#3 JoaoMC22


Posted 08 January 2017 - 12:08 PM

The files are in my native language, if you need me to translate anything.




#4 nasdaq


Posted 08 January 2017 - 02:38 PM

Remove these programs in bold via the Control Panel > Programs > Programs and Features.
Chromium (HKLM-x32\...\{0E06E6C6-5E86-3746-EF06-47C63F869446}) (Version: - )
KMSpico (HKLM\...\{8B29D47F-92E2-4C20-9EE0-F710991F5D7C}_is1) (Version: - )
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restrição <======= ATENÇÃO
CHR HKLM\SOFTWARE\Policies\Google: Restrição <======= ATENÇÃO
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restrição <======= ATENÇÃO
HKU\S-1-5-21-997670921-3479621958-4119428465-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restrição <======= ATENÇÃO
FF SearchPlugin: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\8jlqpfqg.default\searchplugins\yhs.xml [2017-01-04]
CHR Extension: (Avast SafePrice) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-11-14]
CHR Extension: (Avast Online Security) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-12-15]
CHR Extension: (Pagamentos da Chrome Web Store) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-20]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-02]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <não encontrado (a)>
CHR HKLM-x32\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
S3 VGPU; System32\drivers\rdvgkmd.sys [X]
Task: {600B60E7-C1B6-42C8-A753-51FF189947C0} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2015-08-30] (@ByELDI)
AlternateDataStreams: C:\ProgramData\.rdata:X [526]
AlternateDataStreams: C:\Users\Todos os Usuários\.rdata:X [526]

C:\Program Files\KMSpico

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt). Please post it in your reply.
===

Reset Chrome...
Open Google Chrome and click on the menu icon, which is located at the top right of Google Chrome.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.


Please let me know what problem persists with this computer.
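
Added example (not part of nasdaq's post and not FRST's own code): a small Python parser for the FRST log line formats quoted in the fixlist above. It cross-references the Chrome extension IDs registered through the registry against the profile extensions named in the log, and lists scheduled-task targets. The regular expressions are assumptions inferred from the lines on this page, not an FRST specification.

```python
import re

# Lines copied from the fixlist quoted in the post above (FRST log format).
SAMPLE = r"""
CHR Extension: (Avast SafePrice) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\eofcbnmajmjmplflapaojjnihcjkigck [2016-11-14]
CHR Extension: (Avast Online Security) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\gomekmidlodglbbmalcneegieacbdmki [2016-12-15]
CHR Extension: (Pagamentos da Chrome Web Store) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-10-20]
CHR Extension: (Chrome Media Router) - C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-02]
CHR HKLM-x32\...\Chrome\Extension: [eofcbnmajmjmplflapaojjnihcjkigck] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx <não encontrado (a)>
CHR HKLM-x32\...\Chrome\Extension: [kofkpgiaknijknhajbhnghkodiccblkg] - hxxps://clients2.google.com/service/update2/crx
Task: {600B60E7-C1B6-42C8-A753-51FF189947C0} - System32\Tasks\AutoPico Daily Restart => C:\Program Files\KMSpico\AutoPico.exe [2015-08-30] (@ByELDI)
"""

# Patterns inferred from the quoted lines (assumption, not an FRST spec).
PROFILE_EXT = re.compile(r"^CHR Extension: \((?P<name>.+)\) - (?P<path>.+) \[\d{4}-\d{2}-\d{2}\]$")
REG_EXT = re.compile(r"^CHR (?P<hive>HK[^\\]+)\\.*\\Chrome\\Extension: \[(?P<id>[a-p]{32})\] - (?P<source>.+)$")
TASK = re.compile(r"^Task: \{[0-9A-Fa-f-]{36}\} - (?P<task>.+?) => (?P<target>.+?\.exe)\b")


def parse(text):
    """Sort FRST lines into profile extensions, registry extensions and tasks."""
    out = {"profile": {}, "registry": [], "tasks": []}
    for line in text.splitlines():
        line = line.strip()
        if m := PROFILE_EXT.match(line):
            ext_id = m["path"].rsplit("\\", 1)[-1]  # last folder name is the ID
            out["profile"][ext_id] = m["name"]
        elif m := REG_EXT.match(line):
            out["registry"].append((m["id"], m["hive"], m["source"]))
        elif m := TASK.match(line):
            out["tasks"].append((m["task"], m["target"]))
    return out


def registry_only_ids(parsed):
    """IDs registered via the registry that have no named profile entry in the log."""
    return [i for i, _, _ in parsed["registry"] if i not in parsed["profile"]]


if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print("Registry-registered IDs with no profile entry:", registry_only_ids(parsed))
    for task, target in parsed["tasks"]:
        print("Scheduled task:", task, "->", target)
```

An ID that appears only in the registry list is one to look up by hand before deciding whether it belongs on the machine; the log alone does not say what it is.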

#5 JoaoMC22


Posted 08 January 2017 - 03:36 PM

I removed both Chromium and the other program, but there are multiple chrome.exe, svchost.exe and other processes multiplied 2 or 3 times in the Task Manager, like steamwebhelper.exe*32, discord.exe*32 and spotify.exe *32. The issue is still going on.



Edited by JoaoMC22, 08 January 2017 - 03:38 PM.


#6 nasdaq


Posted 09 January 2017 - 08:14 AM

That may not be a problem.

Every Chrome extension, every open window or process for a program will create these xxx*32 entries.

What other issues do you have with this computer?

#7 JoaoMC22


Posted 09 January 2017 - 02:12 PM

I'll inform you if I have any other issues related to the problem of this topic. Thanks for the support!


Edited by JoaoMC22, 09 January 2017 - 03:39 PM.


#8 nasdaq


Posted 10 January 2017 - 07:48 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/



