Solved can't remove player-chrome.exe popup downloads and codec update malware

Lugh

New Member
Thread author
Verified
May 7, 2014
18
April 30th, 2014. I've had a similar infection before and couldn't find a solution so I re-installed my OS, and less than a month later it's back. New tab pop-ups occur constantly in google chome. Some of them start automatic downloads of a file called "player-chrome.exe", and others tell me my codec needs updating.

I have tried many different free malware removal programs such as spybot search & destroy, malwarebytes, Hitman Pro (trial), CCleaner, Spyhunter, Junkware removal tool. Things were found in some of these, but none fixed the problem, and now none of them find any threats on my machine. Any help would be much appreciated. I don't want to re-install my OS all the time.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hi,



Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them.
Only one of them will run on your system, that will be the right version.


  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
 

Lugh

New Member
Thread author
Verified
May 7, 2014
18
Hi TwinHeadedEagle,
Thanks a ton for the help. I wasn't expecting a response so quickly. I will download and run the scanner as soon as I can, but I won't have a chance until late this afternoon. I will reply again once I have the log files you requested. Thanks again!
 

Lugh

New Member
Thread author
Verified
May 7, 2014
18
Hi again TwinHeadedEagle,
I ran the tool, and the two reports are attached.
 

Attachments

  • FRST.txt
    155.3 KB · Views: 151
  • Addition.txt
    30.7 KB · Views: 133

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Please download zoek.zip or zoek.rar by smeenk (
Zoek_icon.png
) from here or here and save it to your Desktop.
Unpack the archive...
  • Close any open browsers
  • Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.
  • Double click on zoek.exe to run the tool .
    Please wait while the tool does not start...
  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

    Code:
    createsrpoint;
    emptyfolderscheck;delete
    autoclean;
    emptyclsid;
    emptyalltemp;
    ipconfig /flushdns;b
  • Click on
    Run%20Script%20by%20zoek.png
    button.
    Please wait until a logreport will open (this can be after reboot)
  • Save notepad to your Desktop and attach here zoek-results.log
    Note: It will also create a log in the C:\ directory named "zoek-results.log"



***** NEXT *****



Please download Malwarebytes AntiRootkit (MBAR) and save it to your desktop.
For full instructions how MBAR works, read this article

> Doubleclick on the MBAR file
mbar.png
and allow it to run.
• Click OK on the next screen, to allow the package to extract the contents of the file to its own folder named mbar.
mbar.exe will launch automatically. On some systems, this may take a few extra seconds. Please be patient and wait for the program to open.
• After reading the Introduction, click Next if you agree.


• On the Update Database screen, click on the Update button. Once you see 'Success: Database was successfully updated' click on Next
• Under Scan Targets ensure all boxes are ticked. Then click the Scan button.

Notice: with some infections, you may see two messages boxes:
- 'Could not load protection driver'. Click 'OK'.
- 'Could not load DDA driver'. Click 'Yes' to this message, to allow the driver to load after a restart. Allow the computer to restart. Continue with the rest of these instructions.


>> If malware is not detected, click the Exit button to close the program and post the mbar-log-year-month-day.txt and system-log.txt reports.

>> If an infection/s are found ensure Create Restore Point are ticked. Then select the "Cleanup! button to remove threats.
• The clean up procedure will be scheduled for process, pop-up will be shown.
Select the Yes button and the system should re-boot to complete the cleaning process.

>> Notice: only if an RootKit are detected, ensure to run fixdamage.exe tool located in mbar folder, \Plugins\fixdamage.exe
- Run fixdamage.exe, at the black window to continue type Y (alias for Yes). Wait few seconds for execution ...
- When you see "press any key to exit" fix is completed, press any key to close the window. Reboot the system.



> The following reports will be created in mbar folder:
1. mbar-log-year-month-day (hour-minute-second).txt
2. system-log.txt

Please post both logs in your next reply.
 

Lugh

New Member
Thread author
Verified
May 7, 2014
18
Thanks again sir. I ran both tools, and the requested reports are attached. I'd like to add that the MBAR rootkit program found no infections, and I am still getting the pop-ups/automatic downloads.
 

Attachments

  • zoek-results.txt
    5.1 KB · Views: 76
  • mbar-log-2014-05-08 (05-28-08).txt
    2 KB · Views: 65
  • system-log.txt
    44 KB · Views: 93

Lugh

New Member
Thread author
Verified
May 7, 2014
18
That second FRST log is attached.
 

Attachments

  • FRST.txt
    156.9 KB · Views: 85

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Download attached fixlist.txt on the same location as FRST (otherwise the fix won't work)
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system

Open FRST, and click Fix. Attach me that report after it is finished.
 

Attachments

  • fixlist.txt
    877 bytes · Views: 94

Lugh

New Member
Thread author
Verified
May 7, 2014
18
Attached is the Fixlog.txt. Is peerblock a problem? I noticed that listed in the fix.
 

Attachments

  • Fixlog.txt
    2.4 KB · Views: 84

Lugh

New Member
Thread author
Verified
May 7, 2014
18
It seems to be better, but I am currently not using my home network. This wouldn't be a network dependent issue, would it? Also, I just noticed something else. When I right click on my C drive to check the properties, windows explorer crashes every time. Any thoughts?
 

Lugh

New Member
Thread author
Verified
May 7, 2014
18
image of the message is attached
 

Attachments

  • windows explorer crash.jpg
    windows explorer crash.jpg
    74.4 KB · Views: 138

Lugh

New Member
Thread author
Verified
May 7, 2014
18
It returned the message "Windows Resource Protection did not find any integrity violations." The crash is still occurring however.
 

Lugh

New Member
Thread author
Verified
May 7, 2014
18
I just noticed it last night, but I'm not sure I've even tried to right-click the C drive since my OS re-install a couple weeks ago.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top