Something is trying to install/run "Google.exe". Help with cleaning my system, please? (virus/malware removal)
SpokaneTim
post 28.09.2008 01:13
Post #1
Member (Group: Members, Posts: 36, Joined: 23.07.2008, From: Spokane, WA)

Hi,

I recently installed WinPatrol, in addition to KIS 2009 because I suspected that my system had problems and wanted the extra help. Winpatrol spotted that "google.exe" was trying to install itself in my startup folder. I investigated and everywhere I look, I see that "google.exe" is malware/spyware. It has been repeatedly trying to reinstall itself, but winpatrol has been catching it and killing it. I followed winpatrol's instructions to try to isolate the hidden program actually trying to install google.exe, but so far no luck.

I would like to clean my system (and backups) of the hidden malware trying to rip me off.

Thank you in advance for your assistance!

Tim
Lucian Bara
post 28.09.2008 01:15
Post #2
Are You Kidding? (Group: Gold beta testers, Posts: 56947, Joined: 28.01.2006, From: Timisoara, Romania)

Hello,
does it say where google.exe is?
Post an AVZ log too: http://forum.kaspersky.com/index.php?showtopic=69276
SpokaneTim
post 28.09.2008 01:27
Post #3
That reply was fast! I didn't expect to see anything until tonight. Unfortunately, I have to be somewhere in 20 minutes, so I may not be able to go through a full procedure at this time. Darn!

Here is the completed AVZ report.

But I will get back as soon as I am able!

Tim
Attached file: sysinfo.zip (15.81K)
 
SpokaneTim
post 28.09.2008 01:35
Post #4
QUOTE(SpokaneTim @ 28.09.2008 00:27):
That reply was fast! I didn't expect to see anything until tonight. Unfortunately, I have to be somewhere in 20 minutes, so I may not be able to go through a full procedure at this time. Darn!

Here is the completed AVZ report.

But I will get back as soon as I am able!

Tim

P.S.: I don't know if your question about where google.exe was found was answered by the AVZ report or not. I didn't write down the path name reported by WinPatrol, but I think it was in a system file. If I get another notice from WinPatrol, I will write it down next time.

Lucian Bara
post 28.09.2008 01:42
Post #5
No google.exe in the report...
Doesn't WinPatrol give you a full path to the file?
Also, when you get back, post a ComboFix log:

Download it here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Before saving it, please rename it to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started, please DO NOT click on the ComboFix window or attempt to use your computer, as this can cause the scanning process to stall. It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

ComboFix will create a logfile and display it after your computer has rebooted. It is usually located at c:\combofix.txt; please attach it to your next post.
SpokaneTim
post 28.09.2008 04:32
Post #6
I ran the Combo Fix program as instructed and have attached the log.

Previously, you said that google.exe didn't show up in the earlier scan. Just to let you know: every time WinPatrol gave me the option of allowing google.exe to be placed in the start program file, or not, I chose not. So I guess WinPatrol deleted the program (at that point in the process). I really am not very familiar with WinPatrol. I just installed it.

I will be monitoring this thread. I am looking forward to your next instruction.

Thanks,
Tim

Attached file: ComboFixlog.txt (16.74K)
 
dawgg
post 28.09.2008 13:31
Post #7
Forum Elite (Group: Moderators, Posts: 9299, Joined: 6.04.2006, From: London)

Try to uninstall Google Desktop Manager, located in C:\Program Files\Google\Google Desktop Search.
Uninstall it from Add/Remove in Control Panel.
SpokaneTim
post 29.09.2008 08:59
Post #8
Hi,

As requested, I tried to uninstall Google Desktop from the Add/Remove Programs utility in the Control Panel. As the removal process executed, it gave me the message that Explorer was going to need to shut down as part of the removal process. Then the computer shut down completely and rebooted. When the system came back up, I checked Add/Remove Programs, and Google Desktop was still there, still installed.

So then I opened CCleaner and used the Tools program to uninstall Google Desktop. This time it worked. I then booted into Safe Mode, used Registry Mechanic to clean any leftover files or registry keys, and ran a full scan (Security level: High) hoping it would find something on my system, but it did not.

A number of questions:
1.) Was it a mistake to uninstall Google desktop with CCleaner? (After the Add/Remove Programs utility in the Control Panel didn't work?)
2.) I really like the Google desktop search utility. Do you think I can reinstall it safely? Any suggestions to prevent re-infection of the utility with malware?
3.) I am guessing that the original infecting malware on my system is still there hiding, waiting for an opportunity to reinfect me with more malware. It tried 3 times, but each time WinPatrol caught it and I was able to prevent installation of Google.exe in my startup programs. WinPatrol let me know that after the third attempt it would automatically block any future attempt of Google.exe to install itself on my system (without asking me). I am guessing that's why I am not seeing any more installation attempts.
4.) Does KIS 2009 monitor attempts by programs to install things in my startup folder? And other suspicious activities, like WinPatrol is doing? Perhaps I need to configure my KIS 2009 in some special way to allow the program to catch these attempts to compromise my system. Any suggestions?

Thanks for your help! Your Google Desktop removal suggestion appears to have been right on!

Tim
SpokaneTim
post 30.09.2008 02:55
Post #9
Hi,

I haven't heard back from you guys, so I just wanted to update my support request with the questions I asked at the end of my last email:

1.) Was it a mistake to uninstall Google desktop with CCleaner? (After the Add/Remove Programs utility in the Control Panel didn't work?)
2.) I really like the Google desktop search utility. Do you think I can reinstall it safely? Any suggestions to prevent re-infection of the utility with malware?
3.) I am guessing that the original infecting malware on my system is still there hiding, waiting for an opportunity to reinfect me with more malware. It tried 3 times, but each time WinPatrol caught it and I was able to prevent installation of Google.exe in my startup programs. WinPatrol let me know that after the third attempt it would automatically block any future attempt of Google.exe to install itself on my system (without asking me). I am guessing that's why I am not seeing any more installation attempts.
4.) Does KIS 2009 monitor attempts by programs to install things in my startup folder? And other suspicious activities, like WinPatrol is doing? Perhaps I need to configure my KIS 2009 in some special way to allow the program to catch these attempts to compromise my system. Any suggestions?

I thanked you for your Google desktop removal suggestion in my last email, but of course, just because that app seemed to be infected with malware (based upon my difficulty removing it), it may not be the only app infected.

Thanks,

Tim
dawgg
post 1.10.2008 01:19
Post #10
Hello Tim. Apologies for the late reply, I don't get the opportunity to come on here daily, but I try my best to make time to come on.

1) No, it wasn't a mistake to uninstall using CCleaner.
2) It may not be an infection. It's more likely to be a bug/issue/corruption with the program or the files of the program if the google.exe problem stopped after uninstalling Google Desktop. If the problem did stop after uninstalling Google Desktop, install it again. The problem may have occurred because of PC cleanup utilities - some have "High" and "Medium (recommended)" cleaning options. "High" sometimes deletes things it shouldn't, which is why it's not "recommended".
3) See if you can override WinPatrol so it will let you know if google.exe continues to add itself to startup... Do this while Google Desktop is uninstalled.
4) Kaspersky does monitor startup registry entries (not sure about the startup folder), but Trusted applications are not monitored - if a program which is "Trusted" attempts to create a registry entry, it will be able to with no notification.
Kaspersky will prompt you for non-trusted applications.
If you want to be prompted for all applications (Trusted and Non-Trusted), go into Application Filter settings, click "Trusted", click "Edit" (bottom-left) > Rules > FileAndSystemRegistry... Right-click the "Write", "Delete" and "Create" columns in the "Operating System" row individually and select "Prompt for Action".


As I mentioned, I would have put my money on the Google Desktop removal troubles being aggressive PC cleaners or an error in the software.
Post a link to your PC's GSI Parser so we can have a more in-depth analysis of your computer. Instructions shown here
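Added example, not posted in the thread and not from Kaspersky or WinPatrol: a PowerShell script that lists the autostart locations dawgg refers to in item 4 (the Run/RunOnce registry keys and the per-user and All Users Startup folders), resolves each entry to the program it launches, reports that program's Authenticode signature status and flags any target named google.exe. The google.exe name comes from the thread; the `$Pattern` variable and the `Get-ExePathFromCommand` helper are this example's own.

```powershell
# Added example, not posted in the thread: list the autostart locations
# discussed above, resolve each entry to its executable and show its signature.
# Assumption: the name to flag is google.exe, as reported by WinPatrol in the thread.
$Pattern = 'google\.exe$'

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # this user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # All Users Startup folder
)

# Hypothetical helper: reduce a Run-key command line to the program it launches.
function Get-ExePathFromCommand {
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }   # quoted path
    return ($Command.Trim() -split '\s+')[0]                       # unquoted: first token
}

$Findings = @()
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($P in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $Exe = Get-ExePathFromCommand ([string]$P.Value)
        $Findings += [pscustomobject]@{ Location = $Key; Entry = $P.Name; Target = $Exe }
    }
}
$Shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk shortcuts
foreach ($Folder in $StartupFolders) {
    if (-not (Test-Path $Folder)) { continue }
    foreach ($Item in Get-ChildItem -Path $Folder -File) {
        $Target = $Item.FullName
        if ($Item.Extension -eq '.lnk') { $Target = $Shell.CreateShortcut($Item.FullName).TargetPath }
        $Findings += [pscustomobject]@{ Location = $Folder; Entry = $Item.Name; Target = $Target }
    }
}

# Report signature status per target; entries matching $Pattern sort to the top.
$Findings | ForEach-Object {
    $Status = if ($_.Target -and (Test-Path -LiteralPath $_.Target)) {
        (Get-AuthenticodeSignature -FilePath $_.Target).Status
    } else { 'TargetNotFound' }
    [pscustomobject]@{
        Flag      = if ($_.Target -match $Pattern) { 'MATCH' } else { '' }
        Signature = $Status
        Location  = $_.Location
        Entry     = $_.Entry
        Target    = $_.Target
    }
} | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Requires PowerShell 3.0 or later (for `Get-ChildItem -File`); a MATCH row whose Signature is NotSigned and whose Target points outside the program's install folder is the kind of entry worth submitting to the vendor, as dawgg suggests for the later detection.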
SpokaneTim
post 1.10.2008 20:59
Post #11
Thanks Dawgg for getting back to me!

I didn't mean to be impatient. I think that this possible malware/virus infection problem just has me stressed out.

I downloaded the GSI Parser, and ran it. This is the URL that the program returned to me after I uploaded the completed report: http://gsi.kaspersky.fr/lire.php?hl=en&...mp;Microsoft=0#

I looked over the report, particularly the suspicious drivers and registry values. I really don't see much that could have been responsible for the repeated attempts to install "google.exe", but I am a relative newbie in these matters.

I am not sure what the next step is.

Thank you again for this help!

Tim
SpokaneTim
post 2.10.2008 23:41
Post #12
Hi guys,

I am starting to study my system for rogue services, active tasks, etc. I found an IE Helper extension called "web traffic protection statistics". It is not officially associated with a program and is unsigned. I tried to google it, but no luck. Do you recommend that I disable it?

Thanks,
Tim

This post has been edited by SpokaneTim: 2.10.2008 23:51
Lucian Bara
post 2.10.2008 23:45
Post #13
Hello,
that should belong to Kaspersky, could you double check it?
dawgg
post 3.10.2008 01:38
Post #14
Please compress and PM me c:\windows\hkntdll.dll (if it exists)

Other Google software you have on your PC *may* also be potential culprits, again, unlikely from an infection, probably corruption.
SpokaneTim
post 5.10.2008 00:31
Post #15
Hello Dawgg,

I don't know what "PM" means. I did find hkntdll.dll, but on my system it was HKNTDLL.dll. I don't know if that makes any difference, but often it does. I compressed the file with Zipgenius, and uploaded it with this response.

I had no reason to suspect that I would have any problems with my computer, but I run a full scan in Safe Mode every night, and it found "virus Worm.Win32.AutoRun.pze" in 6 different places on my computer and disinfected or deleted them.

When I restarted my system from Safe Mode, I continually received the message that an APC dll file was missing. I guess the program was trying to autostart, and so I got 10 or 15 repeats of the message. Decided to uninstall and reinstall the program with Windows Add/Remove Programs (UPS backup power management program), but the program won't uninstall. So I then tried CCleaner, but that doesn't work either. So I currently have a program that I can't uninstall.

So:
What did you mean by "PM"?
Any suggestions on how to get APC to uninstall? (I checked the processes list and couldn't find an active process for APC. I also turned off any occurrence of Google software running on my system, but the APC program still wouldn't uninstall.)

Thanks,
Tim

Attached file: HKNTDLL.zip (1.55K)
 
dawgg
post 5.10.2008 01:02
Post #16
"PM" = Private Message (done by going into my profile and clicking "send message")

Where was the worm found? It's likely it came from an infected USB. Where were the detected items located?
Do you get the message in normal startup or only in safe mode?

This post has been edited by dawgg: 5.10.2008 01:03
SpokaneTim
post 5.10.2008 03:29
Post #17
Hi Dawgg,

QUOTE(dawgg @ 5.10.2008 01:02):
"PM" = Private Message (done by going into my profile and clicking "send message")

Thanks for explaining the "PM" abbreviation. I don't spend any time texting people, and am unfamiliar with almost all abbreviations that I guess are commonplace in chat rooms, etc.

QUOTE(dawgg @ 5.10.2008 01:02):
Where was the worm found? It's likely it came from an infected USB. Where were the detected items located?
Do you get the message in normal startup or only in safe mode?

I have attached the saved file for my recent scan. I run a full scan in safe mode every night. I have found that for some unknown reason the scan hangs if I run it in Normal Mode. After 4 or 5 times of coming back to it in the morning and finding that only 1% of the scan completed, I never run it except in Safe Mode now.

I also attached a scan list for the last 6 or 7 scans that includes my recent scan.

I have my business files stored on a backup external drive. Unfortunately, I have some sort of wicked malware infestation that I can't root out. I run KIS 2009 in Safe Mode, set at the highest scan levels, and scan all the drives including the external drive, and it comes back clean. But then the next day I find these 5 worms.

I'm not blaming Kaspersky. KIS 2009 is an outstanding product. I just don't think I am using all its features effectively to isolate the file manufacturing these problems.

My understanding of malware is pretty basic. I am guessing that there is a file or infected files that pretends to be a standard file but actually uses its standard execution rights to download malware to my system, right? I scan the whole system just about every night, so if "Worm.Win32.AutoRun.pze" had already been on my system, KIS 2009 would have found it, right?

I didn't want to have to spend my time and energy learning all aspects of my computer to weed out the malware executing unwanted commands on my computer, but if that's what I have to do to get a clean system, then I will.

I appreciate your opinion of my next best step in this process of cleaning my computer.

Tim
Attached file: 10.04.08_kaspersky_scan.txt (1.11K)
Attached file: kaspersky_scan.txt (3.38K)
 
dawgg
post 5.10.2008 22:16
Post #18
Please pause Kaspersky, click "detected" and find "disinfected files" in the dropdown list.
Right click C:\Documents and Settings\Owner\Desktop\Installation executables\JkDefragGUI102.zip/JkDefragGUI.exe and click Restore>OK.
Open "Installation executables" folder on your desktop, right click it and scan it. Is anything detected?
If yes, submit it to Kaspersky's VirusLab and report it as a False Positive, instructions shown here
If nothing is detected, restore all the other Worm.Win32.AutoRun.pze items to the location they were detected in.


Do your normal-mode scans freeze on any files in particular? - which?
SpokaneTim
post 6.10.2008 05:15
Post #19
I followed your instructions as listed. Nothing was found in JkDefragGUI.exe after I restored the file, so I restored all files.

I'm surprised at this result. Thanks for the help on this.

I haven't kept records of where the normal mode scan stops. I will next time I run it in normal mode.

Tim

P.S.: Thanks again for the help!

SpokaneTim
post 7.10.2008 23:02
Post #20
I ran my nightly scan in Safe Mode last night, and I woke up to the system scan message: "The task was stopped". I looked around for some further information, but couldn't find any.

Of course, I always think it's kind of ominous that a scan in Safe Mode could somehow be stopped.

Any suggestions on diagnosing this event? And what do you recommend I do on my next scan?

Thanks!