virus  - attention your computer may

Win7 pro OS 32-bit

This is one crazy virus.  The pop-ups usually happen when I try to attach a file in Chrome.  Also when I go to a site like www.bankofamerica.com it will pop up with an ad.  See attached pics.

Things I've tried:

Malwarebytes in safemode
SuperAntiSpyware
ADWcleaner
Followed instructions on Google to reset Chrome browser and delete extensions.

There are a bunch of .exe files in my c:\users\<username>\Appdata\Local\Temp.  I stopped all the processes and was able to delete everything inside that folder.  Went into msconfig and made sure nothing was running at startup.  It actually appears like the virus is gone, however after a reboot or several hours the issue returns.

I'm sure it's something hiding in the registry that I have to delete manually.  anyone gotten rid of this particular virus before?
Attachments: 3-9-15-After-Safe-Mode.png, 3-9-15-PM-Virus.png, Ads-popping-up--.png

Have you tried running Chameleon by MBAM?  It kills known running rogue processes, updates MBAM, and finally runs a scan with MBAM.  Download from malwarebytes.org/chameleon.  Run the svchosts file in the Chameleon directory.  When it is done you might want to scan with SpyBHORemover from securityxploded.com and remove BHOs you don't recognize or use.

dbrunton
Quid, Me Anxius Sum?  Illegitimi non carborundum.

Commented:
I'm assuming this only happens in Chrome and not in any other browser.  If I'm wrong then ignore the following.

Remove Chrome and then re-run all of the anti-virus applications.  Also clean out Appdata again.

Then download Chrome from https://www.google.com/chrome/browser/desktop/ and only from there and reinstall.

Commented:
jkimzlg --
Run MalwareBytes in normal mode, not safe mode.

Have you looked in Control Panel|Programs and Features to see if anything unexpected is installed?

Run Autoruns to see what is really running at boot.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Commented:
I have had good results with RogueKiller - worth a try: http://majorgeeks.com/RogueKiller_d6983.html

Author

Commented:
The user who had this issue is in another state; I couldn't resolve it remotely, so he's actually sending me the laptop and I'm going to find a way to eliminate the virus without wiping the HDD.
Good luck - keep us posted.

Author

Commented:
Remote user bringing the laptop to me April 27th.
Commented:
Wish I could say this ended well!

I slaved the drive.  Don't bother running Malwarebytes, SuperAntiSpyware, TDSSKiller, or HouseCall (which Trend claims will eliminate this).  It won't get rid of it.

The virus populates .exe files in this location: C:\Users\<username>\AppData\Local\Temp.  To even have a shot at eliminating this virus you need to delete all the files in here.

CCleaner was helpful as it was able to see things running at startup that were not in msconfig.

Now the hard and dangerous part.  The only way to get rid of this virus is through the registry.  I got rid of the virus, but in doing so also caused the laptop to BSOD every 20 minutes, so I definitely messed something up in the registry.  I wish I had more time with this laptop, but the remote user had to leave, so I ended up giving him a new HDD with a new OS (uggghhhh!!!!).

Places to look for this virus in the registry:

Look for any software programs in the registry like Crossbrowser, PC Optimizer, etc. and delete them.  Also look here:

1) StartUp

C:\windows\start menu\programs\startup

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

"Anything in here executes when you start up your computer"

2) Windows Scheduler:
Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat
"It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer"

4) Registry :

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

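The checklist in the post above (Run/RunOnce keys, the Startup folders, Scheduled Tasks, and the .exe drop in the user's Temp folder), together with the earlier advice to look at what is really running at boot, can be walked with one script instead of by hand in regedit.  The PowerShell below is an added example written for this page; it is not code from the thread or from any tool mentioned in it.  It assumes Windows PowerShell 3.0 or later on the affected machine (available on Windows 7 via the Windows Management Framework), an elevated prompt, and a 32-bit install as stated in the question, so no Wow6432Node keys are checked.  The hash helper uses .NET directly because Get-FileHash only exists from PowerShell 4.0, and the task check uses schtasks because the ScheduledTasks module is not on Windows 7.  Each entry is reported with whether the target file exists, its SHA-256, and its Authenticode status, so unsigned binaries living under AppData or Temp stand out before anything is deleted.  The removal function exports the key to a .reg file first, which is the step that would have let the BSOD described above be reverted with `reg import`.

```powershell
# Added example, not from the original thread.  Enumerates the autostart
# locations listed in the post and the %TEMP% .exe files, then offers a
# backed-up removal.  Assumes PowerShell 3.0+, elevated, 32-bit Windows 7.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-Sha256([string]$Path) {
    # .NET hash so this works on PowerShell 3.0, where Get-FileHash is absent.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { return ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
}

function Get-ImagePath([string]$Command) {
    # Strip quotes and arguments from a Run value so the binary itself can be checked.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function New-Entry($Location, $Name, $Command) {
    $img = Get-ImagePath $Command
    $exists = Test-Path -LiteralPath $img
    [pscustomobject]@{
        Location = $Location
        Name     = $Name
        Command  = $Command
        Exists   = $exists
        SHA256   = if ($exists) { Get-Sha256 $img } else { $null }
        Signed   = if ($exists) { (Get-AuthenticodeSignature $img).Status } else { $null }
        # Binaries under a user-writable path are the ones worth a second look.
        UserPath = [bool]($img -match 'AppData|\\Temp\\|ProgramData')
    }
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell metadata, not a value
            New-Entry $key $p.Name $p.Value
        }
    }
    # Startup folders as the shell resolves them (the Shell Folders keys in the post).
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                           [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $folder -Force -ErrorAction SilentlyContinue |
            ForEach-Object { New-Entry $folder $_.Name ('"' + $_.FullName + '"') }
    }
}

function Get-TempExecutables {
    # The Temp drop the post describes; hashes let you match copies across reboots.
    Get-ChildItem -Path $env:TEMP -Filter *.exe -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { New-Entry $env:TEMP $_.Name ('"' + $_.FullName + '"') }
}

function Get-SuspiciousTasks {
    # schtasks ships with Windows 7; repeated header rows from /v output are dropped.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -match 'AppData|\\Temp\\|ProgramData' } |
        Select-Object TaskName, 'Task To Run', 'Run As User', Status
}

function Remove-AutostartValue([string]$Key, [string]$Name,
                               [string]$BackupDir = "$env:USERPROFILE\regbackup") {
    # Export the whole key before touching it so the change can be reverted with
    # 'reg import <file>' if the machine misbehaves afterwards.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $regKey = $Key -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
    $file = Join-Path $BackupDir ("{0}-{1}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss'), $Name)
    reg export $regKey $file /y | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
    return $file
}

# Review first; nothing is removed until you call Remove-AutostartValue yourself.
Get-AutostartEntries | Sort-Object UserPath -Descending | Format-Table -AutoSize
Get-TempExecutables  | Format-Table Name, SHA256, Signed -AutoSize
Get-SuspiciousTasks  | Format-Table -AutoSize
```

Run it on the live system (not on the slaved drive, since HKCU and %TEMP% must resolve for the user who sees the pop-ups), note any entry whose binary is unsigned and lives under AppData, Temp or ProgramData, and only then call `Remove-AutostartValue` for that key and value name, keeping the .reg path it returns.  Entries that come back after a reboot with no Run value present point at a scheduled task or a service rather than the keys listed above.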