I have a computer in our enterprise infected with PUP.Optional.ArcadeYum.  The object scanned is found in the user's Chrome extensions.

The official Malwarebytes removal guide indicates that the agent will automatically clean this, however, it keeps reappearing every day.

Could this be because the user synchronizes her extensions with her Google account and brings it in every day?

Anyone else having this problem where the threat reappears every day on the same computer, even with daily scans/quarantine/removal?

Hello IslandCountyDBA and welcome to Malwarebytes,

My screen name is kevinf80, I'm here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Make a clean install of Google Chrome browser....

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Remove all synced data from Chrome go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essential that any/all synced data is removed when the browser is hijacked or exploited in any way...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Install Google Chrome from here: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Install DrWeb Anti-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en

Next,

Download RKill from here: http://www.bleepingcomputer.com/download/rkill/

There are three buttons to choose from with different names on, select the first one and save it to your desktop.
 
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7/8/10, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this in your next reply.
  • If you do not see the black box flash on the screen delete the icon from the desktop and go back to the link for the download, select the next button and try to run the tool again, continue to repeat this process using the remaining buttons until the tool runs. You will find further links if you scroll down the page with other names, try them one at a time.
  • If the tool does not run from any of the links provided, please let me know.


Next,

Please open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete Apply Actions to any found entries.
  • Wait for the prompt to restart the computer to appear (if applicable), then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.


To get the log from Malwarebytes do the following:
 
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:
    Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
     
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…



If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.
  • Double-click mbam-setup and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
  • Launch Malwarebytes Anti-Malware
  • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish. Follow the instructions above....


Next,

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 
  • Double-click to run it. When the tool opens click Yes to disclaimer. (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
  • Make sure Addition.txt is checkmarked under "Optional scans"
  • Press Scan button to run the tool....
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The tool will also make a log named (Addition.txt) Please attach those logs to your reply.


Let me see those logs in your reply...

Thank you,

Kevin...
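The clean-reinstall steps above remove the extension's files under the user's AppData\Local\Google folder, but the original question was whether Chrome sync keeps pulling the extension back. An added check for telling those two cases apart (example code written for this thread, not part of the thread itself or of any Malwarebytes or Google tooling): a Python script that enumerates every extension installed in a Chrome profile by reading Extensions\<id>\<version>\manifest.json, resolves Chrome's localised "__MSG_key__" names from _locales/<default_locale>/messages.json, and flags any whose name matches a watchlist. The directory layout is the one Chrome uses for unpacked Web Store extensions; the sample profile it builds, the two manifests, and both 32-character extension ids are constructed for the demo, and the ArcadeYum id is a placeholder because the thread does not give the real one.

```python
"""List Chrome extensions from a profile directory and flag watchlisted names.

Added example for this thread; assumes Chrome's on-disk layout
<profile>/Extensions/<id>/<version>/manifest.json. Sample data is constructed.
"""
import json
import os
import tempfile
from pathlib import Path


def _resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Chrome localises 'name' as __MSG_key__; look the key up in messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msgs_path = ext_dir / "_locales" / locale / "messages.json"
        try:
            msgs = json.loads(msgs_path.read_text(encoding="utf-8"))
            name = msgs.get(key, {}).get("message", name)
        except (OSError, ValueError):
            pass  # keep the raw placeholder if the locale file is missing or broken
    return name


def list_extensions(profile_dir) -> list:
    """Return one record per <id>/<version> pair found under <profile>/Extensions."""
    results = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return results
    for id_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            record = {"id": id_dir.name, "version": ver_dir.name, "name": "", "permissions": []}
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                record["name"] = "<unreadable manifest>"  # still worth reporting
            else:
                record["name"] = _resolve_name(ver_dir, manifest)
                record["permissions"] = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
            results.append(record)
    return results


def find_suspects(extensions: list, name_patterns: list) -> list:
    """Case-insensitive substring match of extension names against a watchlist."""
    pats = [p.lower() for p in name_patterns]
    return [e for e in extensions if any(p in e["name"].lower() for p in pats)]


def build_sample_profile(root) -> Path:
    """Constructed sample profile: one benign localised extension, one PUP-style entry."""
    profile = Path(root) / "Default"
    # Placeholder ids (32 chars a-p, like real Chrome ids); not real extensions.
    benign = profile / "Extensions" / "abcdefghijklmnopabcdefghijklmnop" / "1.2.3"
    (benign / "_locales" / "en").mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "default_locale": "en", "version": "1.2.3",
         "permissions": ["storage"]}), encoding="utf-8")
    (benign / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"appName": {"message": "Tidy Notes"}}), encoding="utf-8")
    pup = profile / "Extensions" / "pponmlkjihgfedcbaponmlkjihgfedcb" / "4.0.1"
    pup.mkdir(parents=True)
    (pup / "manifest.json").write_text(json.dumps(
        {"name": "ArcadeYum", "version": "4.0.1",
         "permissions": ["tabs", "webRequest", "<all_urls>"]}), encoding="utf-8")
    return profile


def demo():
    """Build the constructed profile, enumerate it, and return (all, suspects)."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = build_sample_profile(tmp)
        exts = list_extensions(profile)
        suspects = find_suspects(exts, ["arcadeyum"])
    return exts, suspects


if __name__ == "__main__":
    # Real use: point at %LOCALAPPDATA%\Google\Chrome\User Data\Default (or a copy of it).
    target = os.environ.get("CHROME_PROFILE")
    exts, suspects = (list_extensions(target), None) if target else demo()
    if suspects is None:
        suspects = find_suspects(exts, ["arcadeyum"])
    for e in exts:
        print(f'{e["id"]}  {e["version"]:>8}  {e["name"]}  perms={e["permissions"]}')
    print("watchlist hits:", [s["id"] for s in suspects])
```

Run it against the profile folder (or a copy taken while Chrome is closed) three times: before the reinstall, right after it, and again after the user signs in and sync finishes. A hit only on the third run points at sync re-adding the extension from the Google account rather than at a failed local cleanup, which is the distinction the original question turns on.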
Some of your instructions don't seem to apply to our version of Malwarebytes. We're running Malwarebytes Enterprise, and each client has an agent and we launch the Scanner app.  There is no History tab.  That being said, I've tried a similar procedure which involves using the Malwarebytes Anti-Rootkit tool, uninstalling/cleaning Chrome and reinstalling.  Will post a reply detailing the entire procedure if the subsequent scan turns up clean.  Thank you.

Cautiously optimistic that this has been removed.  Note that we're using Malwarebytes Enterprise edition, and I have access to the Scanner tool on each infected endpoint, not the consumer version of Malwarebytes.

Here's what I did.

  1. Reset the Chrome sync settings as instructed.
  2. Next, I located the infected Google directory under the user's AppData\Local folder and removed it.
  3. Tried to uninstall Chrome (even though it wasn't running) and it told me to close any Chrome windows before uninstalling.  This was puzzling so I opened Task Manager.
    1. There were several chrome.exe processes running. One by one, I terminated these processes.
    2. After terminating one instance, I got a popup in the System Tray that told me that ArcadeYum had terminated.  Interesting to say the least...
  4. After shutting down chrome.exe processes, I uninstalled Chrome successfully.
  5. Our firewall blocked most downloads of RKill.exe (SonicWall).  I did successfully download the RKill.zip.  I ran RKill twice but it did not respond in any way.
  6. Next, I realized there was no History tab in our MB Scanner tool. I did have the Malwarebytes Anti-Rootkit scanner (Beta) so I ran that instead.  After a while, it finished and indicated the system was clean.
  7. I ran the Farbar Recovery Scan Tool and was unable to find the log.  There were no alerts raised on the scan.
  8. I reinstalled Chrome and ran another scan.  This scan came up clean.

I suspect the cleaning of Chrome data combined with the uninstall/reinstall did the trick - especially since I saw a visible indication that the ArcadeYum process terminated.

I'll have the user restart her computer and watch the subsequent scans to verify that the threat is really gone.

  • Root Admin

Hello @IslandCountyDBA I see you're using MMC our Enterprise product. It's probably best that you obtain further support by opening a ticket on our Helpdesk directly.

Business Support

I will move your topic and the other one to the Business section of the forum where you can continue to work there, but most customers will probably want to work via email due to potentially sensitive information from computers.

Thank you

Ron

