CHROMIUM Malware - What is it?

[Geek-9pm]

A Google search goes to web sites that want to give me even more malware.
IMO, any program that will not uninstall is likely malware -Am I right?

Anyway, here is a You Tube Video:
How To Fully Remove CHROMIUM Malware

This is a tutorial on how to completely remove the "Chromium" malware. This is not the only method, but I found this to be the most effective. ...

I did remove it, but hot that way! 

Question: Why did my AV program not find it?
(I am running Windows 10 pro 32 bit on my Dell 755.)

[SuperDave]

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer. 

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************

IMO, any program that will not uninstall is likely malware -Am I right?

That's one good indication but not always.

Question: Why did my AV program not find it?

Because it is not a virus. It is malware.

Please download AdwareCleaner onto your Desktop. AdwCleaner

Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.



If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program will open, click on the Scan button as shown below.



AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.



AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Download and install: Please download Malwarebytes' scanner to your desktop.
Double Click mbam-setup.exe to install the application.

• It should update automatically if the computer is connected to the internet.
• Click on Threat Scan and click on Scan Now.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
  
• Click on "Apply actions" You may be asked to Restart your computer to completely remove the infections.
  
• When disinfection is completed you can click on "Copy to Clipboard".
  
• Paste the log in you next reply (CTRL+ V)

*************************************************
Download Security Check by screen317 from the following link and save it to your desktop.

Security Check

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

[Geek-9pm]

Wow! Van not believe how much stuff there was!   
Reports:
Ad Cleaner: +++++++++++++++
# -------------------------------
# Malwarebytes AdwCleaner 7.3.0.0
# -------------------------------
# Build:    04-04-2019
# Database: 2019-04-05.4 (Cloud)
# Support:  https://www.malwarebytes.com/support
#
# -------------------------------
# Mode: Clean
# -------------------------------
# Start:    04-07-2019
# Duration: 00:00:09
# OS:       Windows 10 Pro
# Cleaned:  31
# Failed:   2


***** [ Services ] *****

No malicious services cleaned.

***** [ Folders ] *****

Deleted       C:\Program Files\Reimage
Deleted       C:\ProgramData\Microsoft\Windows\Start Menu\Programs\reimage repair
Deleted       C:\ProgramData\Reimage Protector
Deleted       C:\Windows\System32\config\systemprofile\AppData\Local\WebDiscoverBrowser
Deleted       C:\rei

***** [ Files ] *****

Deleted       C:\Users\geek9\AppData\Roaming\Mozilla\Firefox\Profiles\i8sbflim.default\searchplugins\avg-secure-search.xml
Deleted       C:\Windows\Reimage.ini
Deleted       C:\Windows\Temp\reimage.log

***** [ DLL ] *****

No malicious DLLs cleaned.

***** [ WMI ] *****

No malicious WMI cleaned.

***** [ Shortcuts ] *****

No malicious shortcuts cleaned.

***** [ Tasks ] *****

No malicious tasks cleaned.

***** [ Registry ] *****

Deleted       HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Deleted       HKCU\Software\PRODUCTSETUP
Deleted       HKCU\Software\ProductSetup\Uninstall\0B2U2Z1P0F1P1G1R1P1V0A1Q1Q0O1G
Deleted       HKCU\Software\ProductSetup\Uninstall\0S1P1T1C1R1MtT0P1C1F2X1L1Q1P1QtT1S2UtT0Y1T1M1F1F
Deleted       HKCU\Software\Reimage
Deleted       HKCU\Software\WebDiscoverBrowser
Deleted       HKLM\SOFTWARE\Classes\AppID\REI_AxControl.DLL
Deleted       HKLM\Software\Classes\AppID\{28FF42B8-A0DA-4BE5-9B81-E26DD59B350A}
Deleted       HKLM\Software\Classes\CLSID\{10ECCE17-29B5-4880-A8F5-EAD298611484}
Deleted       HKLM\Software\Classes\CLSID\{801B440B-1EE3-49B0-B05D-2AB076D4E8CB}
Deleted       HKLM\Software\Classes\Interface\{9BB31AD8-5DB2-459E-A901-DEA536F23BA4}
Deleted       HKLM\Software\Classes\Interface\{BD51A48E-EB5F-4454-8774-EF962DF64546}
Deleted       HKLM\Software\Classes\REI_AxControl.ReiEngine
Deleted       HKLM\Software\Classes\REI_AxControl.ReiEngine.1
Deleted       HKLM\Software\Classes\TypeLib\{FA6468D2-FAA4-4951-A53B-2A5CF9CC0A36}
Deleted       HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run|Codec Settings UAC Manager
Deleted       HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Codec Settings UAC Manager
Deleted       HKLM\Software\Reimage
Deleted       HKLM\Software\WebDiscoverBrowser
Deleted       HKU\.DEFAULT\Software\WebDiscoverBrowser
Deleted       HKU\S-1-5-18\Software\WebDiscoverBrowser

***** [ Chromium (and derivatives) ] *****

No malicious Chromium entries cleaned.

***** [ Chromium URLs ] *****

No malicious Chromium URLs cleaned.

***** [ Firefox (and derivatives) ] *****

No malicious Firefox entries cleaned.

***** [ Firefox URLs ] *****

Deleted       https://mysearch.avg.com/?rvt=1&pid=bcu
Deleted       https://mysearch.avg.com/?rvt=1&pid=bcu
Not Deleted   webtuneup.avg.com
Not Deleted   webtuneup.avg.com


*************************

• Delete Tracing Keys
• Reset Winsock

*************************

AdwCleaner[S00].txt - [1569 octets] - [07/03/2019 12:07:14]
AdwCleaner[C00].txt - [1661 octets] - [07/03/2019 12:09:32]
AdwCleaner[S01].txt - [4021 octets] - [07/04/2019 12:05:12]

########## EOF - C:\AdwCleaner\Logs\AdwCleaner[C01].txt ##########

Malwarebyres: ========================
Malwarebytes
www.malwarebytes.com

-Log Details-
Scan Date: 4/7/19
Scan Time: 12:22 PM
Log File: 8aa0a846-596a-11e9-9a9c-00219b6a717e.json

-Software Information-
Version: 3.7.1.2839
Components Version: 1.0.563
Update Package Version: 1.0.10038
License: Expired

-System Information-
OS: Windows 10 (Build 18356.1)
CPU: x86
File System: NTFS
User: DESKTOP-T35LOPR\geek9

-Scan Summary-
Scan Type: Threat Scan
Scan Initiated By: Manual
Result: Completed
Objects Scanned: 181231
Threats Detected: 15
Threats Quarantined: 15
Time Elapsed: 3 min, 15 sec

-Scan Options-
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Detect
PUM: Detect

-Scan Details-
Process: 0
(No malicious items detected)

Module: 0
(No malicious items detected)

Registry Key: 4
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\NAHHMPBCKPGDIDFNMFKFGIFLPJIJILCE, Quarantined, [2063], [440037],1.0.10038
PUP.Optional.SearchManager, HKU\S-1-5-21-1999882772-3128741223-438591315-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\nahhmpbckpgdidfnmfkfgiflpjijilce, Quarantined, [2063], [440037],1.0.10038
PUP.Optional.SearchManager, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PILPLLOABDEDFMIALNFCHJOMJMPJCOEJ, Quarantined, [2063], [183362],1.0.10038
PUP.Optional.SearchManager, HKU\S-1-5-21-1999882772-3128741223-438591315-1001\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pilplloabdedfmialnfchjomjmpjcoej, Quarantined, [2063], [183362],1.0.10038

Registry Value: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Data Stream: 0
(No malicious items detected)

Folder: 2
PUP.Optional.Reimage, C:\ProgramData\ReimageRepair\Results, Quarantined, [340], [651074],1.0.10038
PUP.Optional.Reimage, C:\PROGRAMDATA\REIMAGEREPAIR, Quarantined, [340], [651074],1.0.10038

File: 9
PUP.Optional.SearchManager, C:\USERS\GEEK9\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\chrome-extension_pilplloabdedfmialnfchjomjmpjcoej_0.localstorage, Quarantined, [2063], [453138],1.0.10038
PUP.Optional.SearchModule, C:\USERS\GEEK9\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\LOCAL STORAGE\chrome-extension_nahhmpbckpgdidfnmfkfgiflpjijilce_0.localstorage, Quarantined, [275], [453492],1.0.10038
PUP.Optional.SearchManager, C:\USERS\GEEK9\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\Default\Preferences, Replaced, [2063], [183362],1.0.10038
PUP.Optional.Reimage, C:\ProgramData\ReimageRepair\Results\ProtectorPackage.log, Quarantined, [340], [651074],1.0.10038
PUP.Optional.Reimage, C:\ProgramData\ReimageRepair\active_protection.txt, Quarantined, [340], [651074],1.0.10038
PUP.Optional.Reimage, C:\ProgramData\ReimageRepair\cfl.rei, Quarantined, [340], [651074],1.0.10038
PUP.Optional.Reimage, C:\ProgramData\ReimageRepair\scan_agent_result_log.txt, Quarantined, [340], [651074],1.0.10038
PUP.Optional.Reimage, C:\ProgramData\ReimageRepair\url_setting_definitions.txt, Quarantined, [340], [651074],1.0.10038
PUP.Optional.WinYahoo.Generic, C:\USERS\GEEK9\APPDATA\ROAMING\MOZILLA\FIREFOX\PROFILES\I8SBFLIM.DEFAULT\SEARCHPLUGINS\SADARAMA.XML, Quarantined, [223], [643052],1.0.10038

Physical Sector: 0
(No malicious items detected)

WMI: 0
(No malicious items detected)


(end)
Security Check --------------------------
 Results of screen317's Security Check version 1.014 --- 12/23/15 
   x86 (UAC is enabled) 
 Internet Explorer 11 
``````````````Antivirus/Firewall Check:``````````````[/u]
 Windows Firewall Enabled! 
Windows Defender   
AVG Antivirus     
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````[/u]
 Adobe Flash Player    32.0.0.156 
 Mozilla Firefox (66.0.2)
 Google Chrome (73.0.3683.86)
 Google Chrome (SetupMetrics...)
````````Process Check: objlist.exe by Laurent````````[/u] 
 Malwarebytes Anti-Malware mbamservice.exe 
 AVG Antivirus AVGSvc.exe 
 AVG Antivirus aswidsagent.exe 
 AVG Antivirus AVGUI.exe 
 Malwarebytes Anti-Malware mbamtray.exe 
`````````````````System Health check`````````````````[/u]
 Total Fragmentation on Drive C:  %
````````````````````End of Log``````````````````````[/u]

That's all  ;D

[SuperDave]

The Security log show you have two AV's active on your computer. Windows Defender is the resident AV that comes with Windows 10. I would advise you to uninstall AVG. It is not needed. You should only have one AV active on your computer at any time.

ESET Online Scanner
Note : If you use Internet Explorer to get the ESET Online Scanner, you won't have to download, nor install the tool, as everything will be ran in a contextual (pop-up) window of Internet Explorer. However, for every other browsers, you will have to download and install ESET Online Scanner. In this set of instruction, I'll use Google Chrome to download it and run it (since a lot of people will do it), however, except for the download and installation procedure, the same instructions applies if you use Internet Explorer. Please note that two or three prompts will appear if you use Internet Explorer asking you to reload the page, authorize the application, execute it, etc. Accept all of them in order to run ESET Online Scanner.

    Download and execute ESET OnlineScan (on this window, click on ESET Smart Installer to trigger the download). People accessing this URL via Internet Explorer will start the integration process of ESET Online Scanner in their browser;
    Once the installation is done (it requires Admin Rights), check the following settings (two of them are under Advanced Settings, click on it to display them) :

        Enable detection of potentially unwanted applications;
        Scan archives;
        Scan for potentially unsafe applications;
        Optional : If you want to scan more drives, click on Change... and select the drives you want to include in the scan;

   

    After you're done checking these options, click on Start and ESET Online Scanner will download it's virus signature database before starting the scan;
   

    Once done, the scan will start automatically. Detections will appear at the bottom of the window. ESET Online Scanner can have an extremely long scan time that can last between 2 or 3 hours. So if you start the scan, do not interrupt it, let it complete until the end;
   

    After the scan is finished, a summary window will appear to give you the information about the scan. Then you'll have to the option to see what threads were found and to manage the threats that were quarantined;
   


    Click on List of found threats, it'll display every threat identified during that scan, their type and what action was taken against them. Click on Copy to clipboard to copy these results on our clipboard and post them in your next reply;
   


    Once you're done, click on the Back button;
    Check both checkboxes at the bottom: Uninstall application on close and Delete quarantined files before clicking on the Finish button;