• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 410
  • Last Modified:

virus - attention your computer may

Win7 pro OS 32-bit

This is one crazy virus.  The pop-ups usually happens when I try to attach a file in Chrome.  Also when I go to a site like www.bankofamerica.com it will pop up with an ad.  See attached pics.

Things I've tried:

Malwarebytes in safemode
Superanti-spyware
ADWcleaner
Followed instructions on Google to reset Chrome browser and delete extensions.

There are a bunch of .exe files in my c:\users\<username>\Appdata\Local\Temp.  I stopped all the processes and was able to delete everything inside that folder.  Went into msconfig and made sure nothing was running at startup.  It actually appears like the virus is gone, however after a reboot or several hours the issue returns.

I'm sure it's something hiding in the registry that I have to delete manually.  anyone gotten rid of this particular virus before?
3-9-15-After-Safe-Mode.png
3-9-15-PM-Virus.png
Ads-popping-up--.png
0
Asked by: jkimzlg
1 Solution
 
Thomas Zucker-Scharff, Systems Analyst, commented:
Have you tried running Chameleon by MBAM? It kills known running rogue processes, updates MBAM, and finally runs a scan with MBAM. Download from malwarebytes.org/chameleon. Run the svchosts file on the chameleon directory. When it is done you might want to scan with SPYBHOREMOVER from securityxploded.com and remove BHOs you don't recognize or use.
0
 
Thomas Zucker-Scharff, Systems Analyst, commented:
in not on
0
 
dbrunton commented:
I'm assuming this only happens in Chrome and not in any other browser.  If I'm wrong then ignore the following.

Remove Chrome and then re-run all of the anti-virus applications.  Also clean out Appdata again.

Then download Chrome from https://www.google.com/chrome/browser/desktop/ and only from there and reinstall.
0
 
jcimarron commented:
jkimzlg --
Run MalwareBytes in normal mode, not safe mode.

Have you looked in Control Panel|Programs and Features to see if anything unexpected is installed?

Run AutoRuns to see what's really running at boot.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
0
 
nobus, biljart fan, commented:
I have had good results with RogueKiller - worth a try: http://majorgeeks.com/RogueKiller_d6983.html
0
 
jkimzlg (Author) commented:
The user that had this issue is in another state; I couldn't resolve it remotely, so he's actually sending me this laptop and I'm going to find a way to eliminate the virus without wiping the HDD.
0
 
Thomas Zucker-Scharff, Systems Analyst, commented:
Good luck - keep us posted.
0
 
jkimzlg (Author) commented:
Remote user bringing laptop to me April 27th.
0
 
jkimzlg (Author) commented:
Wish I could say this ended well!

I slaved the drive; don't bother running Malwarebytes, SuperAntiSpyware, TDSSKiller, HouseCall (which Trend claims will eliminate this). It won't get rid of it.

The virus populates .exe files in this location: C:\Users\<username>\AppData\Local\Temp. To even have a shot at eliminating this virus you need to delete all the files in here.

CCleaner was helpful as it was able to see things running at startup that were not in msconfig.

Now the hard and dangerous part. The only way to get rid of this virus is through the registry. I got rid of the virus, but in doing so also caused the laptop to BSOD every 20 minutes, so I definitely messed something up in the registry. I wish I had more time with this laptop, but the remote user had to leave, so I ended up giving him a new HDD w/ new OS (uggghhhh!!!!).

Places to look for this virus in the registry:

Look for any software programs in the registry like Crossbrowser, PC Optimizer, etc. and delete them. Also look here:

1) StartUp

C:\windows\start menu\programs\startup

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

"Anything over here executes when you start up your computer."

2) Windows Scheduler:
Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.

4) Registry :

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
0
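The post above lists the autostart locations worth checking by hand. The following PowerShell script is an added example (not code from the thread or from any of the tools mentioned in it) that inventories those same locations read-only: the Run/RunOnce/RunServices keys exactly as listed, the Startup folders resolved from the Shell Folders keys instead of a hardcoded path, scheduled tasks, winstart.bat, and the .exe files sitting in the user's Temp folder. It assumes it is run from an elevated PowerShell prompt on the affected Windows 7 machine, uses schtasks rather than Get-ScheduledTask (which needs Windows 8 or later), and hashes with .NET so it also works on the PowerShell 2.0 that shipped with Windows 7. It flags entries that launch from a Temp folder, which is where this thread's malware lived, but deletes nothing; deciding what to remove is still the operator's job.

```powershell
# Added example, not from the thread. Read-only inventory of the persistence
# locations listed in the post above, plus %LOCALAPPDATA%\Temp. Run elevated.

$report = @()

# 1) Run / RunOnce / RunServices keys (HKLM and HKCU, as listed in the post)
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $report += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Command = [string]$p.Value
        }
    }
}

# 2) Startup folders: read the real path from the Shell Folders keys the post
#    names, then list whatever is inside.
$shellFolderKeys = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' = 'Startup'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' = 'Common Startup'
}
foreach ($key in $shellFolderKeys.Keys) {
    $valueName = $shellFolderKeys[$key]
    $folder = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).$valueName
    if ($folder -and (Test-Path $folder)) {
        Get-ChildItem -Path $folder -Force | ForEach-Object {
            $report += New-Object PSObject -Property @{
                Source = "$valueName folder"; Name = $_.Name; Command = $_.FullName
            }
        }
    }
}

# 3) Scheduled tasks. schtasks /v CSV output repeats its header row per task
#    folder, so drop those rows and COM-handler tasks that have no command line.
schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv | ForEach-Object {
    if ($_.TaskName -ne 'TaskName' -and $_.'Task To Run' -and
        $_.'Task To Run' -ne 'COM handler') {
        $report += New-Object PSObject -Property @{
            Source = 'Scheduled task'; Name = $_.TaskName; Command = $_.'Task To Run'
        }
    }
}

# 4) winstart.bat, as mentioned in the post
if (Test-Path 'C:\Windows\winstart.bat') {
    $report += New-Object PSObject -Property @{
        Source = 'winstart.bat'; Name = 'winstart.bat'; Command = 'C:\Windows\winstart.bat'
    }
}

# Anything launching from a Temp folder gets reviewed first: that is where the
# executables in this thread kept reappearing.
$suspicious = $report | Where-Object {
    $_.Command -match '(?i)\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TEMP%'
}

$report | Sort-Object Source, Name | Format-Table Source, Name, Command -AutoSize
"`n--- Entries launching from a Temp folder (review these first) ---"
$suspicious | Format-Table Source, Name, Command -AutoSize

# 5) SHA-256 of every .exe currently in the user's Temp folder, so each file can
#    be looked up with AV vendors before anything is deleted.
"`n--- .exe files in $env:LOCALAPPDATA\Temp ---"
$sha = [System.Security.Cryptography.SHA256]::Create()
Get-ChildItem -Path "$env:LOCALAPPDATA\Temp" -Filter *.exe -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $stream = $_.OpenRead()
        try {
            $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally { $stream.Close() }
        New-Object PSObject -Property @{ Modified = $_.LastWriteTime; SHA256 = $hash; File = $_.FullName }
    } | Format-Table Modified, SHA256, File -AutoSize
```

Run it once before cleanup and again after a reboot: an entry or Temp hash that comes back after everything was deleted points at whichever location (a task, a Run value, a startup-folder item) is re-dropping the executables, which is the piece the author never pinned down before the laptop had to be reimaged. Sysinternals Autoruns, suggested earlier in the thread, covers the same ground with far more locations and a GUI; this script is the minimal scriptable version of the same check.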
 
jkimzlg (Author) commented:
.
0