Help please- computer overrun by Erika (playing random music)


Erika?  Erika?   I think we killed Erika!!!

Thank you so much for your expertise.... will wait until that FRST scan is complete and your all-clear, then will get Oliver on to retrieve his homework..

No odd behaviours noted but then have only just been using this browser window and running the scans thus far.

QM

FRST.txt

Addition.txt

Logs look good, if no remaining issues or concerns continue to clean up:

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix, either accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we may have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin...

Normally when Malwarebytes opens we can have a look at the blocked logs to see what is being blocked:

Open Malwarebytes, select > Reports > then checkmark (tick) most recent "Website Block" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach to your reply...


As you cannot open Malwarebytes for that information can you post a screen shot of a block as it happens...

 


Ok....I just restarted the computer and now the realtime blocking doesn't seem to be running.

I did manage to start windows into safe mode (with networking) and in that mode I was able to run malwarebytes.

 

I will restart into safe mode and see if I can get in to look at the logs and post them here.

 BRB

 


It's the website block logs we need to see, maybe the last three..

Open Malwarebytes, select > Reports > then checkmark (tick) most recent "Website Block" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach to your reply...

 


Ok I wasn't able to see any intercepts and get screen shots (felt like the computer knew when I was watching and wasn't pinging the web addresses).

I was able to restart into safe mode with networking and MWB was able to be run perfectly.  Ran another scan and had no issues.

Then back to normal boot and again I couldn't get MWB to run.

I downloaded MWB clean from the MWB website and ran that and as a result of that was able to install another copy.

That is working fine now with a normal login.

 

I will keep an eye open and see if anything weird happens again.  Fingers crossed all OK at present (again)


The block does indicate a possible infection:

C:\Program Files (x86)\Google\Chrome\Application\chrome334.exe

Open Malwarebytes Anti-Malware.
 
  • On the Settings tab > Protection Scroll to and make sure the following are selected:
    Scan for Rootkits
    Scan within Archives
     
  • Scroll further to Potential Threat Protection make sure the following are set as follows:
    Potentially Unwanted Programs (PUPs) set as :- Always detect PUPs (recommended)
    Potentially Unwanted Modifications (PUMs) set as :- Always detect PUMs (recommended)
     
  • Click on the Scan make sure Threat Scan is selected,
  • A Threat Scan will begin.
  • When the scan is complete if anything is found make sure that the first checkbox at the top is checked (that will automatically check all detected items), then click on the Quarantine Selected Tab
  • If asked to restart your computer to complete the removal, please do so
  • When complete click on Export Summary after deletion (bottom-left corner) and select Copy to Clipboard.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more to retrieve the log.


To get the log from Malwarebytes do the following:
 
  • Click on the Reports tab > from main interface.
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected, right click in your reply and select "Paste"; the log will be pasted into your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Use "Copy to Clipboard", then right click in your reply > select "Paste"; that will copy the log to your reply…

Thanks,

Kevin..

I submitted the file to virustotal.com for analysis and it comes back as a genuine signed copy of Chrome.exe

 

However it is a hidden file and has a file size of 1553Kb compared to Chrome.exe in the same folder being only 153Kb

 

That makes me think it is being run with some modifiers somewhere which is causing the redirect.  Does that sound right?

 

I've run the full scans (as requested above including rootkits, archives, PUPS, PUMS etc) and it's passed muster over the past 5 days of scheduled scans.

I'm currently rerunning the scan manually but expect it to come back clear.  (update - scan just completed and looks all clear - report attached)

The behaviour occurs whenever we click the chrome icon to start a new chrome page when Chrome is not already opened.

114.txt

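A triage check for the situation described in the post above (an unexpected, hidden executable sitting beside chrome.exe), added here as an example and not part of the thread or of any tool mentioned in it. It assumes the default Chrome install path quoted earlier in the thread; the name chrome334.exe comes from the thread, and the results (hidden attribute, size, signature status, SHA-256) are the same facts the poster checked by hand.

```powershell
# Added example: triage every .exe in the Chrome application folder.
# Path assumed from the thread; adjust for a non-default install.
$chromeDir = 'C:\Program Files (x86)\Google\Chrome\Application'

# -Force is required: files carrying the Hidden attribute are skipped
# otherwise, which is how a file like chrome334.exe stays out of sight.
$exes = Get-ChildItem -Path $chromeDir -Filter '*.exe' -Force -File

$report = foreach ($f in $exes) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Name      = $f.Name
        Hidden    = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
        SizeKB    = [math]::Round($f.Length / 1KB)
        SigStatus = $sig.Status              # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
        # SHA-256 is what VirusTotal indexes, so this is the value to look up.
        SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}
$report | Format-Table -AutoSize

# Anything other than the expected chrome.exe, or anything hidden, deserves a
# closer look even with a valid signature: a genuinely signed Chrome binary can
# still be launched with attacker-chosen arguments, so record how the running
# copies were started rather than stopping at the signature check.
$suspect = $report | Where-Object { $_.Hidden -or $_.Name -ne 'chrome.exe' }
foreach ($s in $suspect) {
    Write-Host "Suspect: $($s.Name) hidden=$($s.Hidden) sig=$($s.SigStatus) sha256=$($s.SHA256)"
    Get-CimInstance Win32_Process -Filter "Name = '$($s.Name)'" |
        Select-Object ProcessId, ParentProcessId, CommandLine |
        Format-Table -Wrap
}
```

Run it from an elevated PowerShell prompt; the CommandLine column is what shows whether the extra copies are being started with a modified command line, which is the question the post raises.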

https://www.virustotal.com/en/file/aa53ffb6fda174b3999a2b637ed9bde70ae2d7c7e1d19af95fb605c420bf2efc/analysis/1523438823/

 

That is the analysis of the chrome334.exe

 

 

And a correction to my above posting.  MWB is only catching outbound redirects when I click on any of my bookmarks.   NOT as I first thought, when I first open Chrome


Not sure if this is relevant or not but when I open a single chrome browser page I get 7 or 8 versions of Chrome334.exe that start running (as viewed in task manager).

 

I hope this is ok....I am sitting here feeling the need to do something....I am currently running an EMSISOFT scan which has found a couple of things (1/2 way through at present)

Trojan.agent.CXBA(B) in Appdata\local\install.dll  (PUP)

Application.JS,MINER.C(B) in appdata\local\opera software\cache\ (Malware)

JS:Trojan.JS.AGENT.SFN(B) in .appdata.....\firefox\profiles\ (PUP)

 

I wasn't able to run that scan if rootkit was ticked...the scan just froze.  Unticking rootkit allowed me to at least start the scan.

 

Again, sorry if I've done the wrong thing.  At this stage the scan is set to report only (i.e. not to quarantine) - I didn't want to mess with your process.


Make a clean install of Google Chrome, see if that makes any difference:

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Download Chrome installer and save to install later:

https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Next,

Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings/syncSetup hit enter...

In the new window that opens "Sync everything" will probably be selected, scroll down to and select "Manage synced data on Google Dashboard"

A new window will open, scroll down to and select "Reset Sync" that will clear synced data from Google Server...

Continue to next step to completely Uninstall Chrome....

Next.

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Install Google Chrome :

Next,

Import your Bookmarks... (instructions in the first step)

Next,

Install uBlock Origin for Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

Does that help, make any difference...
 
Thanks,
 
Kevin

I can't delete the folder in this instruction

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

that folder includes picasa backup data and all sorts of other stuff.

 

If I try to delete the C:\Users\Your user name\Appdata\Local\GOOGLE\Chrome folder it tells me I don't have permission to do this (despite having ownership and full control of that folder)

 


Ok I couldn't delete the GOOGLE folder in my appdata\local folder.

 

 

I have followed all the other instructions and made a clean install of Chrome.

 

The good news is there are no more redirects from bookmarks (since that change).

MWB was left scanning last night and found another couple of issues scan attached

 

 

threats.txt


Picasa is retired...? https://picasa.google.com/

Can you move that data..?

Download BlitzBlank from here: http://www.bleepingcomputer.com/download/blitzblank/dl/108/ and save it to your desktop.

Right click on Blitzblank.exe, select "Run as Administrator"


Click OK at the warning (and take note of it, this is a VERY powerful tool!).


Click the Script tab and copy/paste the following text there:

DeleteFolder:
C:\Users\Your user name\Appdata\Local\GOOGLE


Click Execute Now. An alert will ask "You are about to delete files, are you sure to proceed" Select OK to proceed


A system reboot warning will open, it will say "Please close all running applications to avoid data loss" Select OK to proceed

Your computer will need to reboot in order to do the fixes

When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\

 
