have I been hacked on Chrome browser?

sdowney717 · 13 Feb 2014

well adwarecleaner seemed to find nothing

maybe if I never reboot, pc will stay fast and happy?

# AdwCleaner v3.018 - Report created 13/02/2014 at 16:29:12
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : Tricia - TRICIA-PC
# Running from : C:\Users\Tricia\Downloads\AdwCleaner (1).exe
# Option : Scan
***** [ Services ] *****

***** [ Files / Folders ] *****
Folder Found C:\ProgramData\ParetoLogic
***** [ Shortcuts ] *****

***** [ Registry ] *****
Key Found : HKCU\Software\ParetoLogic
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
Key Found : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
Key Found : HKLM\Software\ParetoLogic
Key Found : HKLM\Software\PIP
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.16428

-\\ Mozilla Firefox v27.0 (en-US)
[ File : C:\Users\Tricia\AppData\Roaming\Mozilla\Firefox\Profiles\7qf6qhde.default\prefs.js ]

-\\ Google Chrome v32.0.1700.107
[ File : C:\Users\Tricia\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************
AdwCleaner[R0].txt - [1041 octets] - [13/02/2014 16:29:12]
########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1101 octets] ##########

sdowney717 · 13 Feb 2014

jrt.exe is always reporting a bad module.
but it never clears it, and I am running the program as administrator

sdowney717 · 13 Feb 2014

your right the adware log shows entries.
The gui did not show anything that I noticed.

jrt log

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.1 (02.04.2014:1)
OS: Windows 7 Ultimate x86
Ran by Tricia on Thu 02/13/2014 at 16:43:05.89
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~ Services

~~~ Registry Values

~~~ Registry Keys

~~~ Files

~~~ Folders

~~~ Event Viewer Logs were cleared

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 02/13/2014 at 16:53:58.75
Computer was rebooted
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~

Well so far everything is nice and speedy even after the jrt reboot.

I am really wondering if Chrome is doing something to the PC. I am not going to run chrome for awhile and see what happens.

ShamrockRig · 13 Feb 2014

Please download Rkill by Grinler from one of the links below and save it to your desktop.

Link 1
Link 2

On Windows XP double-click on the Rkill desktop icon to run the tool.
On Windows Vista/Windows 7 or 8, right-click on the Rkill desktop icon and select Run As Administrator
A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
If not, delete the file, then download and use the one provided in Link 2.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
If the tool does not run from any of the links provided, please let me know.
Do not reboot the computer, you will need to run the application again.

Run this and then run Adwcleaner and JRT again as well as this:

Please download RogueKiller and save it to your desktop.

You can check here if you're not sure if your computer is 32-bit or 64-bit

RogueKiller 32-bit | RogueKiller 64-bit
Quit all running programs.
For Windows XP, double-click to start.
For Vista,Windows 7/8, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
Read and accept the EULA (End User Licene Agreement)
Click Scan to scan the system.
When the scan completes Close the program > Don't Fix anything!
Don't run any other options, they're not all bad!!
Post back the report which should be located on your desktop.

sdowney717 · 13 Feb 2014

ok, here is rkill log
will keep reporting on the further instructions.
so far IE11 been zippy fast.

Rkill 2.6.5 by Lawrence Abrams (Grinler)
Bleeping Computer - Technical Support and Computer Help
Copyright 2008-2014 BleepingComputer.com
More Information about Rkill can be found at this link:
RKill - What it does and What it Doesn't - A brief introduction to the program - Anti-Virus and Anti-Malware Software
Program started at: 02/13/2014 05:18:27 PM in x86 mode.
Windows Version: Windows 7 Ultimate Service Pack 1
Checking for Windows services to stop:
* No malware services found to stop.
Checking for processes to terminate:
* No malware processes found to kill.
Checking Registry for malware related settings:
* No issues found in the Registry.
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
Performing miscellaneous checks:
* No issues found.
Checking Windows Service Integrity:
* No issues found.
Searching for Missing Digital Signatures:
* C:\Windows\System32\user32.dll : 811,520 : 01/15/2013 04:24 PM : 7bd7f45ff37fa0669cd32ca0ef46e22c [NoSig]
+-> C:\Windows\winsxs\x86_microsoft-windows-user32_31bf3856ad364e35_6.1.7601.17514_none_cf3fd62ccb9e983d\user32.dll : 811,520 : 11/20/2010 04:29 PM : f1dd3acaee5e6b4bbc69bc6df75cef66 [Pos Repl]
Checking HOSTS File:
* HOSTS file entries found:
127.0.0.1 localhost
Program finished at: 02/13/2014 05:19:23 PM
Execution time: 0 hours(s), 0 minute(s), and 56 seconds(s)

shellcode · 13 Feb 2014

The fact that you are essentially getting infected by the same malware suggests a persistence method has been established on your computer, or you are repeating the same behavior that caused the initial infection. I am not going to write the textbook worth of techniques that can accomplish persistence, but I would suggest resetting chrome after you remove the malware again. Take note of what you have installed to Chrome, prior to doing this. Also confirm that Chrome does not have a proxy enabled.

So run the tools described, already. In addition I would suggest running the free version of MBAM. After completing these tasks, reset Chrome. Please report back findings.

ShamrockRig · 13 Feb 2014

Rkill Stops malware from running and interfering with your scan results etc so it can be very useful.

sdowney717 · 13 Feb 2014

Thanks, how to reset chrome?
uninstall reinstall will work?

adwarecleaner log

# AdwCleaner v3.018 - Report created 13/02/2014 at 17:26:01
# Updated 28/01/2014 by Xplode
# Operating System : Windows 7 Ultimate Service Pack 1 (32 bits)
# Username : Tricia - TRICIA-PC
# Running from : C:\Users\Tricia\Downloads\AdwCleaner (1).exe
# Option : Clean
***** [ Services ] *****

***** [ Files / Folders ] *****
Folder Deleted : C:\ProgramData\ParetoLogic
***** [ Shortcuts ] *****

***** [ Registry ] *****
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\ApnSetup_RASMANCS
Key Deleted : HKCU\Software\ParetoLogic
Key Deleted : HKLM\Software\ParetoLogic
Key Deleted : HKLM\Software\PIP
***** [ Browsers ] *****
-\\ Internet Explorer v11.0.9600.16428

-\\ Mozilla Firefox v27.0 (en-US)
[ File : C:\Users\Tricia\AppData\Roaming\Mozilla\Firefox\Profiles\7qf6qhde.default\prefs.js ]

-\\ Google Chrome v32.0.1700.107
[ File : C:\Users\Tricia\AppData\Local\Google\Chrome\User Data\Default\preferences ]

*************************
AdwCleaner[R0].txt - [1181 octets] - [13/02/2014 16:29:12]
AdwCleaner[R1].txt - [1241 octets] - [13/02/2014 17:22:13]
AdwCleaner[S0].txt - [1176 octets] - [13/02/2014 17:26:01]
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1236 octets] ##########

shellcode · 13 Feb 2014

Links embedded in previous post.

Check Proxy:
https://support.google.com/chrome/answer/96815?hl=en

Reset Chrome:
https://support.google.com/chrome/answer/3296214?hl=en

MBAM:
Malwarebytes : Thank you for download Malwarebytes Anti-Malware

ShamrockRig · 13 Feb 2014

A quick reinstall should work fine, Adwcleaner keeps reporting the same few entries as deleted but they clearly aren't if they re-appear, just waiting on the RogueKiller Log.