lysprnm

[NEED HELP] How to remove 'Chromium' Malware and 'oobelibMkey.log' ?


Hello,

I would really appreciate some help as my laptop seems to be infected with malware...

I never wanted to download anything illegal, so when I did not want to buy the software, I would always try to download the free version. I read the description and it said that this is the lite version of the software, so it is completely free. Today I think I missed this one, since when I tried to install it, suddenly a kind of web browser called 'Chromium' popped up 2-3 times. I tried to close it and I did not know it was automatically pinned to the taskbar. When I look at Task Manager, there is 'Chromium Host Executable' as shown below:

[Screenshot 1: Task Manager]

I tried to end task but it does not work.

I also tried to find the program to uninstall it, but it does not show up in the uninstall programs list. Yet it happened to be found in AppData\Local. So I deleted the file and the computer demanded to be restarted. After the restart, the file is gone but 'Chromium Host Executable' is still shown in Task Manager. Then when I checked AppData\Local, there were strange files shown:

[Screenshot 2: AppData\Local listing]

There are IconCache, IconCache.db.backup, oobelibMkey, Resmon, and also the files Temp, mbam and mbamtray. I have never seen these files before. I did not open these files because I am afraid they will cause harm to my computer. I already did a full scan using my antivirus and Malwarebytes, yet nothing happened. So far I have not experienced anything strange on my computer, but I am afraid this might affect it later on.

I was hoping for a quick answer as I am out of things to try. I downloaded FRST and did a scan; the files are attached.

I would really appreciate your kind help.

Note: as soon as I became aware of these files, I immediately copied all my data to my hard disk and deleted all my work files from my computer. Will the malware also get onto the hard disk?

Thanks,

Lys.


Addition.txt FRST.txt


Hi,

Remove this program in bold via the Control Panel > Programs > Programs and Features.
SMADAV version 13.0.1 (HKLM-x32\...\{8B9FA5FF-3E61-4658-B0DA-E6DDB46D6BAD}_is1) (Version: 13.0.1 - Smadsoft)
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt); please post it in your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

fixlist.txt


Hello Nasdaq,

Appreciate your fast response. I have uninstalled the program and done the fix, and this is the log:

Fix result of Farbar Recovery Scan Tool (x64) Version: 12-10-2019 02
Ran by purnamaalisya (17-10-2019 08:13:52) Run:1
Running from C:\Users\Khaidir Barzah\Downloads
Loaded Profiles: purnamaalisya (Available Profiles: purnamaalisya)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
(Smadsoft) [File not signed] C:\Program Files (x86)\SMADAV\SM?RTP.exe
(Smadsoft) [File not signed] C:\Program Files (x86)\SMADAV\SM?RTP.exe
(Smadsoft) [File not signed] C:\Program Files (x86)\SMADAV\SM?RTP.exe
(Zainuddin Nafarin -> Smadav Software) C:\Program Files (x86)\SMADAV\SmadavProtect64.exe
HKLM-x32\...\Run: [SM?RT-Protection] => C:\Program Files (x86)\Smadav\SM?RTP.exe [1977424 2019-09-12] (Smadsoft) [File not signed]
HKU\S-1-5-21-939521854-588916247-3879262771-1002\...\Run: [Chromium] => "c:\users\khaidir barzah\appdata\local\chromium\application\chrome.exe" --auto-launch-at-startup --profile-directory="Default" --restore-last-session
CHR HKLM\SOFTWARE\Policies\Google: Restriction <==== ATTENTION
Task: {B3E52D6F-8F31-4E79-B72E-606DBCB2E37C} - System32\Tasks\smadav => C:\Program Files (x86)\Smadav\SM?RTP.exe [1977424 2019-09-12] (Smadsoft) [File not signed]
Task: {E4B2E84D-BF36-4B49-B4BD-AEF4DF511F94} - \Microsoft\Windows\UNP\RunCampaignManager -> No File <==== ATTENTION
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  No File
FF HKLM-x32\...\Firefox\Extensions: [dpmaxz_ng@jetpack] - C:\Program Files (x86)\HP\HP ProtectTools Security Manager\Bin\BrowserExt\dpchrome => not found
ContextMenuHandlers3: [SmadExt] -> {8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C} => C:\Program Files (x86)\SMADAV\SmadExtc64.dll [2017-06-08] (Zainuddin Nafarin -> Smadsoft)
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
ContextMenuHandlers6: [SmadExt] -> {8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C} => C:\Program Files (x86)\SMADAV\SmadExtc64.dll [2017-06-08] (Zainuddin Nafarin -> Smadsoft)
FirewallRules: [{70AFF219-B2DB-4BC2-8E30-E79FCBA2C595}] => (Allow) C:\Program Files\Mozilla Firefox\firefox.exe No File
FirewallRules: [{16D9CDB2-3675-4834-B374-0F99115E00C8}] => (Allow) C:\Users\Khaidir Barzah\AppData\Local\LINE\bin\5.8.0.1706\LineUpdater.exe No File
FirewallRules: [{245C35C1-90C4-4EB2-8856-667EA7B0BA88}] => (Allow) C:\Users\Khaidir Barzah\AppData\Local\LINE\bin\5.8.0.1706\LineUpdater.exe No File
FirewallRules: [{030F7F69-A619-45AB-8931-473F2F6B39AA}] => (Allow) C:\Users\Khaidir Barzah\AppData\Local\LINE\bin\5.8.0.1706\LINE.exe No File
FirewallRules: [{493C7893-FE86-4489-998D-EBD1AA33533F}] => (Allow) C:\Users\Khaidir Barzah\AppData\Local\LINE\bin\5.8.0.1706\LINE.exe No File
FirewallRules: [{80FDF41A-D174-45E8-A2B8-5DF7673B3C0F}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe No File
FirewallRules: [{F2DA0D09-970D-4ED1-806B-8FC6739A2C6B}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe No File
FirewallRules: [{FAD1E532-DCD7-4C88-9A8F-0B88C1BE7B4A}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe No File
FirewallRules: [{CBE507C4-26F0-4D78-BB11-CE51A6C45389}] => (Allow) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe No File
FirewallRules: [{2ACE0536-8620-43D6-A169-07BD487C72CD}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe No File
FirewallRules: [{8F178EEB-7D9A-4C5B-A920-CBFA1EC10015}] => (Allow) C:\Program Files (x86)\Bonjour\mDNSResponder.exe No File
FirewallRules: [{512BDF3E-6F09-4F20-9E2E-E66A9F7D29B9}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe No File
FirewallRules: [{81F3D841-47AB-44CB-983D-A26DBACE41F5}] => (Allow) C:\Program Files\Bonjour\mDNSResponder.exe No File
C:\Program Files (x86)\SMADAV

*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\SMADAV\SM?RTP.exe => No running process found
C:\Program Files (x86)\SMADAV\SM?RTP.exe => No running process found
C:\Program Files (x86)\SMADAV\SM?RTP.exe => No running process found
C:\Program Files (x86)\SMADAV\SmadavProtect64.exe => No running process found
"HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\SM?RT-Protection" => not found
"HKU\S-1-5-21-939521854-588916247-3879262771-1002\Software\Microsoft\Windows\CurrentVersion\Run\\Chromium" => removed successfully
HKLM\SOFTWARE\Policies\Google => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B3E52D6F-8F31-4E79-B72E-606DBCB2E37C}" => not found
"C:\WINDOWS\System32\Tasks\smadav" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\smadav" => not found
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E4B2E84D-BF36-4B49-B4BD-AEF4DF511F94}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4B2E84D-BF36-4B49-B4BD-AEF4DF511F94}" => removed successfully
"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UNP\RunCampaignManager" => not found
HKLM\Software\Classes\PROTOCOLS\Handler\sacore => removed successfully
HKLM\Software\Classes\CLSID\{5513F07E-936B-4E52-9B00-067394E91CC5} => not found
"HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\dpmaxz_ng@jetpack" => removed successfully
HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers\SmadExt => not found
HKLM\Software\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C} => not found
HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\igfxcui => removed successfully
HKLM\Software\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => not found
HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers\SmadExt => not found
HKLM\Software\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C} => not found
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{70AFF219-B2DB-4BC2-8E30-E79FCBA2C595}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{16D9CDB2-3675-4834-B374-0F99115E00C8}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{245C35C1-90C4-4EB2-8856-667EA7B0BA88}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{030F7F69-A619-45AB-8931-473F2F6B39AA}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{493C7893-FE86-4489-998D-EBD1AA33533F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{80FDF41A-D174-45E8-A2B8-5DF7673B3C0F}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{F2DA0D09-970D-4ED1-806B-8FC6739A2C6B}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{FAD1E532-DCD7-4C88-9A8F-0B88C1BE7B4A}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{CBE507C4-26F0-4D78-BB11-CE51A6C45389}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{2ACE0536-8620-43D6-A169-07BD487C72CD}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{8F178EEB-7D9A-4C5B-A920-CBFA1EC10015}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{512BDF3E-6F09-4F20-9E2E-E66A9F7D29B9}" => removed successfully
"HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\\{81F3D841-47AB-44CB-983D-A26DBACE41F5}" => removed successfully
"C:\Program Files (x86)\SMADAV" => not found

=========== EmptyTemp: ==========

BITS transfer queue => 11034624 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 79777679 B
Java, Flash, Steam htmlcache => 1124 B
Windows/system/drivers => 7770049 B
Edge => 12308735 B
Chrome => 406717352 B
Firefox => 56436284 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 6656 B
Users => 6656 B
ProgramData => 6656 B
Public => 6656 B
systemprofile => 207580 B
systemprofile32 => 207580 B
LocalService => 248756 B
NetworkService => 248756 B
Khaidir Barzah => 225129782 B

RecycleBin => 3796584 B
EmptyTemp: => 766.7 MB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 08:14:51 ====

Note that I still see 'Chromium Executable Host' in my Task Manager and the suspicious file is still in the same folder.
Will it harm the computer?

Thank you,

Lys.


Hi,

Chromium Executable Host is running from these processes:

(Autodesk, Inc. -> Autodesk) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AcWebBrowser\AcWebBrowser.exe
(Autodesk, Inc. -> Autodesk) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AcWebBrowser\AcWebBrowser.exe
(Autodesk, Inc. -> Autodesk) C:\Program Files (x86)\Autodesk\Autodesk Desktop App\AcWebBrowser\AcWebBrowser.exe

Read about it.
https://www.file.net/process/acwebbrowser.exe.html

Not sure if you require it or not.

Disable it if causing an issue.

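The step the helper did by hand above, mapping the Task Manager entry to the executables behind it and checking the autostart entries, as an added example (not from the thread or from FRST). Task Manager's Processes tab displays each process's FileDescription resource, so the script matches on that; the description pattern and the Run keys it reads are assumptions, and it changes nothing on the machine.

```powershell
# Added example, not from the thread: map a Task Manager display name back to the
# image on disk that produced it, then list Run entries that launch from AppData.
# Read-only; run in an elevated PowerShell so that protected processes expose their path.
param(
    # Task Manager shows the FileDescription resource, not the exe name.
    [string]$DescriptionPattern = 'Chromium'
)

# 1. Which executables are behind the "Chromium Host Executable" entries?
$hits = Get-Process | ForEach-Object {
    if (-not $_.Path) { return }            # path is null when access is denied
    $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.Path)
    if ($fvi.FileDescription -match $DescriptionPattern) {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [pscustomobject]@{
            Pid         = $_.Id
            Description = $fvi.FileDescription
            Company     = $fvi.CompanyName
            Path        = $_.Path
            Signature   = $sig.Status        # Valid / NotSigned / HashMismatch ...
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}
$hits | Sort-Object Path -Unique | Format-Table -AutoSize

# 2. Autostart entries. The thread's offending value was HKCU ...\Run\Chromium pointing at
#    %LOCALAPPDATA%\chromium\application\chrome.exe with --auto-launch-at-startup, so flag
#    anything that launches from a per-user AppData folder rather than Program Files.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath/PSParentPath properties
        $note = if ("$($p.Value)" -match '(?i)\\AppData\\') { 'launches from AppData: review' } else { '' }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Note = $note }
    }
}
```

A signed AcWebBrowser.exe under Program Files with a Valid signature is the benign case the helper describes; an unsigned chrome.exe under AppData\Local with an auto-launch Run entry is the case the fixlist removed.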

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks
