1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice

Chrome self loads and shows video adds

By Rayss523
Aug 21, 2014
  1. I uninstalled chrome but it still reappears. If I ctrl+shift+esc and close the "rundll *32" and close chrome (browser.exe) it stops. I have found some of the malicious files under c:\users\ray\appdata\localLow then 2 folders "TellerHiggs" and "UtilityHiggs". Deleting these does nothing as they just reappear a few seconds later or on the next restart if I have stopped "rundll *32".

    I followed the basic steps in the sticky.

    malwarebytes+windows defender+and DDs all found nothing.

    LOGS Follow

    DDS (Ver_2012-11-20.01) - NTFS_AMD64
    Internet Explorer: 9.0.8112.16561 BrowserJavaVersion: 10.25.2
    Run by Ray at 13:56:58 on 2014-08-21
    Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.12279.9248 [GMT -4:00]
    AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
    AV: ESET Smart Security 6.0 *Disabled/Outdated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
    SP: ESET Smart Security 6.0 *Disabled/Outdated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
    FW: ESET Personal firewall *Disabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
    ============== Running Processes ===============
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    c:\Program Files\Microsoft Security Client\MsMpEng.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
    C:\Windows\system32\svchost.exe -k apphost
    C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
    C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
    C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe
    C:\Program Files\Microsoft Kinect Drivers\Service\KinectManagementService.exe
    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
    C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
    C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe
    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
    C:\Windows\system32\svchost.exe -k iissvcs
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
    C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe
    c:\Program Files\Microsoft Security Client\NisSrv.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\Windows\System32\svchost.exe -k LocalServicePeerNet
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Program Files (x86)\Internet Explorer\iexplore.exe
    ============== Pseudo HJT Report ===============
    uStart Page = hxxps://www.google.com/?gws_rd=ssl
    mWinlogon: Userinit = userinit.exe,
    BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
    BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    BHO: {95B7759C-8C7F-4BF1-B163-73684A933233} - <orphaned>
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
    uRun: [ModulatorPale] C:\Windows\System32\rundll32.exe "C:\Users\Ray\AppData\Local\ModulatorPale\ModulatorPale.dll",DllRegisterServer
    mPolicies-Explorer: NoActiveDesktop = dword:1
    mPolicies-Explorer: NoActiveDesktopChanges = dword:1
    mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    mPolicies-System: PromptOnSecureDesktop = dword:0
    IE: {22CC3EBD-C286-43aa-B8E6-06B115F74162} - C:\Program Files (x86)\Hewlett-Packard\Smart Print 2.0\smartprintsetup.exe
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
    TCP: NameServer =
    TCP: Interfaces\{C6389C87-C5E4-453D-8985-C719E4A7E009} : DHCPNameServer =
    TCP: Interfaces\{C827C2FB-FB1D-4535-9CAB-BBFFADB58A92} : DHCPNameServer =
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll
    SSODL: WebCheck - <orphaned>
    x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    x64-Run: [NvBackend] "C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe"
    x64-Run: [ShadowPlay] C:\Windows\System32\rundll32.exe C:\Windows\System32\nvspcap64.dll,ShadowPlayOnSystemStart
    x64-Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
    x64-Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
    x64-SSODL: WebCheck - <orphaned>
    ============= SERVICES / DRIVERS ===============
    R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-1-25 268512]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
    R2 ekrn;ESET Service;C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe [2013-3-21 1341664]
    R2 Garmin Core Update Service;Garmin Core Update Service;C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [2013-12-30 250712]
    R2 KinectManagement;Kinect Management;C:\Program Files\Microsoft Kinect Drivers\Service\KinectManagementService.exe [2013-8-20 98816]
    R2 MBAMScheduler;MBAMScheduler;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [2014-8-21 1809720]
    R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [2014-8-21 860472]
    R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2014-3-11 133928]
    R2 NvNetworkService;NVIDIA Network Service;C:\Program Files (x86)\NVIDIA Corporation\NetService\NvNetworkService.exe [2014-1-19 1631008]
    R2 NvStreamSvc;NVIDIA Streamer Service;C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [2014-1-19 21055432]
    R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2014-6-18 413128]
    R3 MBAMProtector;MBAMProtector;C:\Windows\System32\drivers\mbam.sys [2014-8-21 25816]
    R3 MBAMSwissArmy;MBAMSwissArmy;C:\Windows\System32\drivers\MBAMSwissArmy.sys [2014-8-21 122584]
    R3 MBAMWebAccessControl;MBAMWebAccessControl;C:\Windows\System32\drivers\mwac.sys [2014-8-21 63704]
    R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-3-11 347872]
    R3 NvStreamKms;NvStreamKms;C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [2014-6-2 20256]
    R3 nvvad_WaveExtensible;NVIDIA Virtual Audio Device (Wave Extensible) (WDM);C:\Windows\System32\drivers\nvvad64v.sys [2014-6-2 40392]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\System32\drivers\yk62x64.sys [2009-6-10 389120]
    S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2013-10-23 172192]
    S3 EasyAntiCheat;EasyAntiCheat;C:\Windows\System32\EasyAntiCheat.exe --> C:\Windows\System32\EasyAntiCheat.exe [?]
    S3 KinectCamera;Kinect for Windows Camera Driver;C:\Windows\System32\drivers\kinectcamera.sys [2013-8-20 192512]
    S3 RTCore64;RTCore64;C:\Program Files (x86)\EVGA Precision X\RTCore64.sys [2013-7-17 15176]
    S3 WSDScan;WSD Scan Support via UMB;C:\Windows\System32\drivers\WSDScan.sys [2009-7-13 25088]
    =============== Created Last 30 ================
    2014-08-21 17:42:32 75888 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7C0F1826-C2AD-4FDF-99A3-91B6A176328E}\offreg.dll
    2014-08-21 17:35:59 1169712 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{AD906865-E9F0-4112-AA9C-BD5C61E151DB}\gapaengine.dll
    2014-08-21 17:35:49 11319200 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7C0F1826-C2AD-4FDF-99A3-91B6A176328E}\mpengine.dll
    2014-08-21 17:29:11 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
    2014-08-21 17:28:43 -------- d-----w- C:\Program Files\Microsoft Security Client
    2014-08-21 17:28:17 374664 ----a-w- C:\Windows\System32\drivers\netio.sys
    2014-08-21 17:03:30 122584 ----a-w- C:\Windows\System32\drivers\MBAMSwissArmy.sys
    2014-08-21 17:03:03 91352 ----a-w- C:\Windows\System32\drivers\mbamchameleon.sys
    2014-08-21 17:03:03 63704 ----a-w- C:\Windows\System32\drivers\mwac.sys
    2014-08-21 17:03:03 25816 ----a-w- C:\Windows\System32\drivers\mbam.sys
    2014-08-21 17:03:02 -------- d-----w- C:\Program Files (x86)\Malwarebytes Anti-Malware
    2014-08-21 03:03:23 311808 ----a-w- C:\Windows\System32\msv1_0.dll
    2014-08-21 03:03:23 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
    2014-08-21 02:56:46 -------- d-----w- C:\Windows\System32\MRT
    2014-08-21 02:46:10 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
    2014-08-21 02:32:49 70656 ----a-w- C:\Windows\SysWow64\fontsub.dll
    2014-08-21 02:32:49 46080 ----a-w- C:\Windows\System32\atmlib.dll
    2014-08-21 02:32:49 367616 ----a-w- C:\Windows\System32\atmfd.dll
    2014-08-21 02:32:49 34304 ----a-w- C:\Windows\SysWow64\atmlib.dll
    2014-08-21 02:32:49 295424 ----a-w- C:\Windows\SysWow64\atmfd.dll
    2014-08-21 02:32:49 100864 ----a-w- C:\Windows\System32\fontsub.dll
    2014-08-21 02:26:30 80896 ----a-w- C:\Windows\System32\imagehlp.dll
    2014-08-21 02:26:30 5120 ----a-w- C:\Windows\SysWow64\wmi.dll
    2014-08-21 02:26:30 5120 ----a-w- C:\Windows\System32\wmi.dll
    2014-08-21 02:26:30 22896 ----a-w- C:\Windows\System32\drivers\fs_rec.sys
    2014-08-21 02:26:30 158720 ----a-w- C:\Windows\SysWow64\imagehlp.dll
    2014-08-21 02:19:45 -------- d-----w- C:\Users\Ray\AppData\Local\2K Games
    2014-08-21 02:17:58 1893224 ----a-w- C:\Windows\System32\drivers\tcpip.sys
    2014-08-21 02:16:55 714752 ----a-w- C:\Windows\System32\kerberos.dll
    2014-08-21 02:15:59 19968 ----a-w- C:\Windows\System32\drivers\usb8023.sys
    2014-08-21 02:11:17 77312 ----a-w- C:\Windows\System32\packager.dll
    2014-08-21 02:11:17 67072 ----a-w- C:\Windows\SysWow64\packager.dll
    2014-08-21 01:18:57 12872 ----a-w- C:\Windows\System32\bootdelete.exe
    2014-08-21 00:33:11 -------- d-----w- C:\ProgramData\HitmanPro
    2014-08-21 00:30:49 9460464 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
    2014-08-21 00:30:39 11319200 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{F8D36F96-34E0-4C7C-929F-996F9F366486}\mpengine.dll
    2014-08-21 00:27:26 -------- d-----w- C:\Users\Ray\AppData\Local\MFAData
    2014-08-21 00:27:26 -------- d-----w- C:\Users\Ray\AppData\Local\Avg2014
    2014-08-21 00:27:26 -------- d-----w- C:\ProgramData\MFAData
    2014-08-20 23:29:08 -------- d-----w- C:\ProgramData\Malwarebytes
    2014-08-20 21:00:44 -------- d-----w- C:\Windows\3F5C371F8EA24F259D3DD0B4526E3AEA.TMP
    2014-08-20 20:08:05 -------- d-----w- C:\Users\Ray\AppData\Local\ModulatorPale
    2014-08-16 22:19:05 -------- d-----w- C:\Users\Ray\AppData\Roaming\WizardWars
    2014-08-16 22:18:57 107552 ----a-w- C:\Windows\SysWow64\EasyAntiCheat.exe
    2014-08-12 05:05:33 -------- d-----w- C:\Program Files (x86)\LOLReplay
    ==================== Find3M ====================
    2014-08-21 02:46:10 265088 ----a-w- C:\Windows\System32\drivers\dxgmms1.sys
    2014-07-17 18:33:35 466456 ----a-w- C:\Windows\System32\wrap_oal.dll
    2014-07-17 18:33:35 122904 ----a-w- C:\Windows\System32\OpenAL32.dll
    2014-07-17 18:33:26 444952 ----a-w- C:\Windows\SysWow64\wrap_oal.dll
    2014-07-17 18:33:26 109080 ----a-w- C:\Windows\SysWow64\OpenAL32.dll
    2014-05-29 23:07:51 1291232 ----a-w- C:\Windows\SysWow64\nvspbridge.dll
    2014-05-29 23:07:51 1122312 ----a-w- C:\Windows\SysWow64\nvspcap.dll
    2014-05-29 23:07:38 1715176 ----a-w- C:\Windows\System32\nvspbridge64.dll
    2014-05-29 23:07:38 1279480 ----a-w- C:\Windows\System32\nvspcap64.dll
    ============= FINISH: 13:58:18.64 ===============

    Malwarebytes Anti-Malware
    Scan Date: 8/21/2014
    Scan Time: 1:12:29 PM
    Logfile: Malware.txt
    Administrator: Yes
    Malware Database: v2014.08.21.06
    Rootkit Database: v2014.08.16.01
    License: Trial
    Malware Protection: Enabled
    Malicious Website Protection: Enabled
    Self-protection: Disabled
    OS: Windows 7
    CPU: x64
    File System: NTFS
    User: Ray
    Scan Type: Threat Scan
    Result: Completed
    Objects Scanned: 307746
    Time Elapsed: 12 min, 19 sec
    Memory: Enabled
    Startup: Enabled
    Filesystem: Enabled
    Archives: Enabled
    Rootkits: Disabled
    Heuristics: Enabled
    PUP: Enabled
    PUM: Enabled
    Processes: 0
    (No malicious items detected)
    Modules: 0
    (No malicious items detected)
    Registry Keys: 0
    (No malicious items detected)
    Registry Values: 0
    (No malicious items detected)
    Registry Data: 0
    (No malicious items detected)
    Folders: 0
    (No malicious items detected)
    Files: 1
    PUP.Optional.Cgminer, C:\Users\Ray\Downloads\cgminer-3.12.3-windows.7z, Quarantined, [58e20dbce99285b1e8335ef16b96cd33],
    Physical Sectors: 0
    (No malicious items detected)

  2. Broni

    Broni Malware Annihilator Posts: 53,780   +368

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.


    [​IMG] I still need Attach.txt log from DDS.

    [​IMG] You're running two AV programs, MSE and Eset.
    You have to uninstall one of them.

    [​IMG] Download RogueKiller from one of the following links and save it to your Desktop:

    Link 1
    Link 2

    • Close all the running programs
    • Windows Vista/7/8 users: right click on RogueKiller.exe, click Run as Administrator
    • Otherwise just double-click on RogueKiller.exe
    • Pre-scan will start. Let it finish.
    • Click on SCAN button.
    • Wait until the Status box shows Scan Finished
    • Click on Delete.
    • Wait until the Status box shows Deleting Finished.
    • Click on Report and copy/paste the content of the Notepad into your next reply.
    • RKreport.txt could also be found on your desktop.
    • If more than one log is produced post all logs.
    • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

    [​IMG] Create new restore point before proceeding with the next step....
    How to: http://www.smartestcomputing.us.com/topic/63983-how-to-create-new-restore-point-all-windows/

    Download [img=[url]http://www.imgdumper.nl/uploads6/51a5f31352f71/51a5f31352b88-icon_MBAR.png][/url]Malwarebytes Anti-Rootkit to your desktop.
    • Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    • Double click on downloaded file. OK self extracting prompt.
    • MBAR will start. Click "Next" to continue.
    • Click in the following screen "Update" to obtain the latest malware definitions.
    • Once the update is complete select "Next" and click "Scan".
    • When the scan is finished and no malware has been found select "Exit".
    • If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    • Open the MBAR folder located on your Desktop and paste the content of the following files in your next reply:
      • "mbar-log-{date} (xx-xx-xx).txt"
      • "system-log.txt"
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...