virus - attention your computer may

Win7 pro OS 32-bit

This is one crazy virus.  The pop-ups usually happen when I try to attach a file in Chrome.  Also, when I go to a site like www.bankofamerica.com it will pop up with an ad.  See attached pics.

Things I've tried:

Malwarebytes in safemode
Superanti-spyware
ADWcleaner
Followed instructions on Google to reset Chrome browser and delete extensions.

There are a bunch of .exe files in my c:\users\<username>\AppData\Local\Temp.  I stopped all the processes and was able to delete everything inside that folder.  Went into msconfig and made sure nothing was running at startup.  It actually appears as if the virus is gone; however, after a reboot or several hours the issue returns.

I'm sure it's something hiding in the registry that I have to delete manually.  Has anyone gotten rid of this particular virus before?
3-9-15-After-Safe-Mode.png
3-9-15-PM-Virus.png
Ads-popping-up--.png
jkimzlg asked:
Thomas Zucker-Scharff commented:
Have you tried running Chameleon by MBAM? It kills known running rogue processes, updates MBAM, and finally runs a scan with MBAM. Download from malwarebytes.org/chameleon. Run the svchosts file on the Chameleon directory. When it is done you might want to scan with SpyBHORemover from securityxploded.com and remove BHOs you don't recognize or use.
Thomas Zucker-Scharff commented:
"in", not "on"
dbrunton commented:
I'm assuming this only happens in Chrome and not in any other browser.  If I'm wrong then ignore the following.

Remove Chrome and then re-run all of the anti-virus applications.  Also clean out Appdata again.

Then download Chrome from https://www.google.com/chrome/browser/desktop/ and only from there and reinstall.
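Two things a Chrome reset does not undo, and which dbrunton's reinstall advice depends on, are a tampered installer and extensions forced in through Chrome's policy registry keys. The following PowerShell is an added example (not code from the thread or from Google): it verifies the downloaded installer's Authenticode signature, lists any policy-forced extensions, and dumps the extension manifests in the default profile. The installer path `Downloads\ChromeSetup.exe` is an assumption; it needs PowerShell 3.0 or later for `ConvertFrom-Json`.

```powershell
# Added example, not from the thread: before reinstalling Chrome, verify the
# installer's Authenticode signature, then look for the two things a Chrome
# "reset" does not remove: extensions forced in by policy keys and extension
# directories left behind in the profile. Read-only. Assumes PowerShell 3.0+
# and that the installer was saved as Downloads\ChromeSetup.exe (that path is
# an assumption; adjust to wherever it was downloaded).

$installer = Join-Path $env:USERPROFILE 'Downloads\ChromeSetup.exe'
if (Test-Path $installer) {
    $sig     = Get-AuthenticodeSignature -FilePath $installer
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($sig.Status -eq 'Valid' -and $subject -match 'O=Google') {
        Write-Host "Installer OK: $subject"
    } else {
        Write-Warning "Do not run $installer : status=$($sig.Status) signer=$subject"
    }
} else {
    Write-Warning "Installer not found at $installer"
}

# Policy-installed extensions cannot be removed from chrome://extensions and
# survive a browser reset. Chrome honours the key in both hives.
foreach ($hive in 'HKLM','HKCU') {
    $key = "${hive}:\Software\Policies\Google\Chrome\ExtensionInstallForcelist"
    if (Test-Path $key) {
        Write-Host "Forced extensions in ${key}:"
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' } |
            ForEach-Object { Write-Host "  $($_.Name) = $($_.Value)" }   # value is "<extension id>;<update URL>"
    }
}

# Extensions present in the default profile, with name/version/permissions read
# from each manifest. Names of the form __MSG_*__ are localisation placeholders;
# look the directory name (the extension id) up in the Chrome Web Store instead.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'
Get-ChildItem -Path $extRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $manifest = Get-ChildItem -Path $_.FullName -Recurse -Filter manifest.json | Select-Object -First 1
    if ($manifest) {
        $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
        [pscustomobject]@{
            Id          = $_.Name
            Name        = $m.name
            Version     = $m.version
            Permissions = ($m.permissions -join ', ')
        }
    }
} | Format-Table -AutoSize -Wrap | Out-Host
```

Run it as the affected user before uninstalling Chrome, and again after the reinstall: if the forced-extension key reappears or the same extension id comes back, the reinstall was not the fix and something on the machine is re-creating the policy entry.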

jcimarron commented:
jkimzlg --
Run MalwareBytes in normal mode, not safe mode.

Have you looked in Control Panel|Programs and Features to see if anything unexpected is installed?

Run Autoruns to see what's really running at boot.
http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
nobus commented:
I have had good results with RogueKiller, worth a try: http://majorgeeks.com/RogueKiller_d6983.html
jkimzlg (author) commented:
The user that had this issue is in another state and I couldn't resolve it remotely, so he's actually sending me this laptop and I'm going to find a way to eliminate the virus without wiping the HDD.
Thomas Zucker-Scharff commented:
Good luck - keep us posted.
jkimzlg (author) commented:
Remote user is bringing the laptop to me April 27th.
jkimzlg (author) commented:
Wish I could say this ended well!

I slaved the drive.  Don't bother running Malwarebytes, SuperAntiSpyware, TDSSKiller, or HouseCall (which Trend claims will eliminate this).  It won't get rid of it.

The virus drops .exe files in this location: C:\Users\<username>\AppData\Local\Temp.  To even have a shot at eliminating this virus you need to delete all the files in here.

CCleaner was helpful as it was able to see things running at startup that were not in msconfig.

Now the hard and dangerous part.  The only way to get rid of this virus is through the registry.  I got rid of the virus, but in doing so also caused the laptop to BSOD every 20 minutes, so I definitely messed something up in the registry.  I wish I had more time with this laptop, but the remote user had to leave, so I ended up giving him a new HDD with a new OS (uggghhhh!!!!).

Places to look for this virus in the registry:

Look for any software programs in the registry like Crossbrowser, PC Optimizer, etc. and delete them.  Also look here:

1) StartUp

C:\windows\start menu\programs\startup

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

* [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
"Common Startup"="C:\windows\start menu\programs\startup"

"Anything over here execute when you start up your computer"

2) Windows Scheduler:
Check for entries in the Scheduled Tasks, as well as via the AT command at a command prompt.

3) c:\windows\winstart.bat
It basically behaves like a normal batch file; the only difference is that it can be used to delete files when you start up your computer.

4) Registry :

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Whatever"="c:\runfolder\program.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Whatever"="c:\runfolder\program.exe"
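The poster's final write-up amounts to a manual persistence hunt: find what respawns the Temp executables, then cut it out of the registry without breaking the machine. The PowerShell below is an added example written for this page (it is not the poster's procedure or any vendor's tool) that does the read-only half of that job on a Windows 7 box: it enumerates the Run/RunOnce keys, the Winlogon Shell/Userinit values, both startup folders, scheduled tasks and the user's proxy/PAC settings, hashes every executable under %TEMP%, and flags any autostart command that points into AppData, Temp or ProgramData. It assumes Windows 7 SP1 with PowerShell 4.0 or later installed (for `Get-FileHash`), run from an elevated prompt while logged on as the affected user; the regex of suspect paths and the column names are the example's own choices.

```powershell
# Added example, not part of the original thread: a read-only sweep of the
# autostart locations discussed in this thread plus the Temp-folder executables
# the poster kept finding. Nothing is deleted; entries whose command line points
# into AppData, Temp or ProgramData are flagged for follow-up.
# Assumptions: Windows 7 SP1 with PowerShell 4.0 or later installed (for
# Get-FileHash), run from an elevated prompt while logged on as the affected user.

$entries     = New-Object System.Collections.Generic.List[object]
$suspectPath = '(?i)\\AppData\\|\\Temp\\|\\ProgramData\\'
$psNoise     = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Add-Entry([string]$Source, [string]$Name, [string]$Command) {
    $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1) Run/RunOnce keys. The RunServices* keys listed in the thread are Windows
#    9x-era and do not exist on Windows 7. Winlogon Shell/Userinit are included
#    because adware appends itself there and msconfig never shows them; the
#    defaults are "explorer.exe" and "C:\Windows\system32\userinit.exe,".
#    (On a 64-bit machine also check the HKLM Wow6432Node Run keys; this box is 32-bit.)
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $psNoise) { continue }
        if ($key -like '*Winlogon' -and $p.Name -notin 'Shell','Userinit') { continue }
        Add-Entry $key $p.Name ([string]$p.Value)
    }
}

# 2) Startup folders (per-user and all-users), resolved the same way Explorer
#    does rather than trusting the Shell Folders registry values.
foreach ($folder in 'Startup','CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry "StartupFolder:$folder" $_.Name $_.FullName }
}

# 3) Scheduled tasks. Windows 7 has no Get-ScheduledTask cmdlet, so parse the
#    CSV output of schtasks.exe; verbose mode repeats the header row, hence the filter.
schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -ne 'N/A' } |
    ForEach-Object { Add-Entry 'ScheduledTask' $_.TaskName $_.'Task To Run' }

# 4) Proxy / PAC settings. Ads on a site like the bank's page can come from a
#    local proxy or PAC script rather than a browser extension, so any
#    non-empty value here deserves a look.
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
foreach ($name in 'ProxyEnable','ProxyServer','AutoConfigURL') {
    if ($null -ne $inet.$name) { Add-Entry 'InternetSettings' $name ([string]$inet.$name) }
}

# 5) Executables under the user's Temp folder, hashed and signature-checked so
#    they can be matched against the commands above and looked up elsewhere.
$tempExes = Get-ChildItem -Path $env:TEMP -Recurse -File -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            File    = $_.FullName
            Bytes   = $_.Length
            Written = $_.LastWriteTime
            SHA256  = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            Signed  = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
        }
    }

Write-Host '== Autostart entries pointing into AppData/Temp/ProgramData =='
$entries | Where-Object { $_.Command -match $suspectPath } | Format-Table -AutoSize -Wrap | Out-Host
Write-Host '== All autostart entries collected =='
$entries | Format-Table -AutoSize -Wrap | Out-Host
Write-Host "== Executables under $env:TEMP =="
$tempExes | Format-Table -AutoSize -Wrap | Out-Host
```

Work from the flagged list: a Temp executable only matters if some autostart command, task or PAC script references it (or a launcher that re-creates it), and that reference is what to remove. Export each key with `reg export` before deleting anything, so a mistake like the one that left the poster's laptop blue-screening every 20 minutes can be rolled back. Sysinternals Autoruns, which jcimarron recommended, covers far more locations (services, drivers, BHOs, WMI, image hijacks); this script is the subset that maps onto what the thread discusses.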