
Tromador (Content Count 30, Days Won 1)

Posts posted by Tromador

Quick update - I've been quite ill over the weekend, so not been near the PC, so nothing to report, hopefully I'll be able to monitor better over the next couple of days.
-
Also I did NOT remove C:\Users\Tromador\AppData\Local\Google\Drive as this isn't part of Chrome and would ruin my drive sync!
-
11 minutes ago, kevinf80 said:
Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings/syncSetup hit enter...
In the new window that opens "Sync everything" will probably be selected, scroll down to and select "Managed sync data on Google Dashboard"

For reference, this screen was somewhat different. (Chrome Version 85.0.4183.102 (Official Build) (64-bit))
It has a separate "Manage what you sync" screen, rather than a "Sync everything" checkbox.
To reach the review page, the correct button/link is entitled "Review your synced data".
I also manually removed the Google Update service and Google Update task user jobs.
I'll let you know if I get further detections.
-
Yes, several on Wednesday, didn't use my PC yesterday and replying here is my first action for today, so I would probably expect some more today.
-
I'm afraid it doesn't say much:
Farbar Recovery Scan Tool (x64) Version: 16-09-2020
Ran by Tromador (18-09-2020 17:50:12)
Running from D:\Download
Boot Mode: Normal

================== Search Registry: "fastsearch" ===========
====== End of Search ======
-
Sounds like you have the exact same issue as me. On the one hand it's nice to see the issue confirmed by another user, on the other, I'm sorry to hear you have this problem too.
It's also useful to hear your experience as further evidence to rule out the problem existing in other browsers.
Like you I've not deliberately installed any fastsearch software, nor have any appearing in my programs.
It might help the staff if you followed the instructions in this link and scan with Autoruns as in the post from Keith above, just possibly they show something my logs don't.
-
I've not yet seen this happen with Edge, though given the intermittent nature of the issue with Chrome it's hard to tell if that's conclusive.
I have also uninstalled and reinstalled Chrome, including deleting services and daily tasks, I'm not sure what your procedure is, but I'm fairly sure I cleaned it completely.
I'm attaching the Autoruns log as requested. As far as I can tell it's not found anything untoward.
-
Good question. I have no idea. Other than Chrome I only have Edge/IE installed, no idea if those would be a good metric or not. In any case, I'll run Edge and let it sit in the background whilst I am doing other things. Bear in mind that with Chrome the issue is intermittent (nothing today for example) so please be patient for an update. I'll post in due course.
-
4 hours ago, kevinf80 said:
If the issue returns I will give instructions to make a clean install of Chrome, occasionally that is the only option that works....
The issue continues.
-
All we've tried is resyncing against cloud data which is generally used to stop a recurring detected problem, resyncing data which may be infected, isn't going to cure anything. Indeed, if I do a clean un/reinstall of chrome, it's possible that it will just download something back down from the cloud when I log my Google account back in. To be 100% sure, I'll need a procedure for cleaning my Google profile and also go through a stack of other devices to make sure they aren't storing that profile information either.
That said, is there no mileage in doing some digging? Clearly something has infected Chrome, something which MB is unable to detect. A clean uninstall of Chrome might well cure the problem, but we learn nothing. What we have appears to be something new; would it not be helpful to MB in general if we found the problem? I don't feel entirely comfortable with leaving it for someone else to get infected via the same vector and something more serious than MB blocking its outbound.
-
On 9/4/2020 at 12:31 AM, kevinf80 said:
Any progress..?
The problem went away for 24 hours (or I wasn't using chrome enough to notice) but was definitely happening again today. I've run the desync/resync procedure suggested and the subsequent scan was again negative. If the problem continues, I will post for further advice.
-
Thank you for the advice, I will try that next time I am at my PC.
I also would like to advise that I can download and open the attached logs on my Android tablet no problem, though if the issue persists, I will copy/paste them in full - not ideal, but if needs must.
-
MB is blocking multiple attempts by chrome to connect to fastsearch.me (and the occasional other sites). A threat scan doesn't show up any problems, but it does look like Chrome has something that shouldn't be there.
Please find attached a set of log files, any advice appreciated.
-
MB is (correctly as far as I can see) continuously (every 20 mins or so) blocking access to fastsearch.me from Chrome. In addition, there are odd instances of other sites, such as stat1.info and adultsonly.pro, being blocked.
I've run a manual scan of my system and MB shows the machine as 100% clean. These two statements appear contradictory - either something has crawled inside Chrome and is trying to outbound to these sites, or the machine is clean. I'm inclined to the former.
I've had a quick web search and can't find anything reliable about fixing this other than multitudinous sites trying to sell me their particular removal tools. Does anyone have some advice?

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 01/09/2020
Protection Event Time: 05:36
Log File: a8be39e8-ec0c-11ea-994e-2c4d54d3c481.json

-Software Information-
Version: 4.2.0.82
Components Version: 1.0.1025
Update Package Version: 1.0.29291
Licence: Premium

-System Information-
OS: Windows 10 (Build 18362.1016)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: PUP
Domain: fastsearch.me
IP Address: 212.83.190.17
Port: 80
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)
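
As an added example, not code from this thread or from Malwarebytes: a small Python parser for the protection-event export above, plus a check that groups outbound blocks by (process, domain) so the "every 20 minutes to the same site" pattern stands out from a one-off bad link. The sample events are constructed: fastsearch.me, its IP 212.83.190.17 and the chrome.exe path are taken from the posted log; the timestamps, the repeat count and the 192.0.2.10 address given to stat1.info are invented for the example.

```python
"""Parse Malwarebytes 'Blocked Website' protection-event exports and flag
the pattern seen in this thread: one process repeatedly blocked on outbound
connections to the same domain.  Added example; not Malwarebytes code."""
import re
from collections import Counter

SECTION_RE = re.compile(r"^-(?P<name>[A-Za-z ]+)-$")        # e.g. "-Website Data-"
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.*)$")  # "Key: value" lines

# Path exactly as it appears in the log posted above
CHROME = r"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"


def parse_mb_event(text):
    """Return {section: {key: value}} for one exported protection event.

    Section headers are the '-Name-' lines.  The unlabeled detail row under
    'Blocked Website Details' and the '(end)' marker are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(end)":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key")] = m.group("value")
    return sections


def block_summary(event):
    """Pull the fields an analyst actually triages out of a parsed event."""
    d = event.get("Log Details", {})
    w = event.get("Website Data", {})
    return {
        "when": f"{d.get('Protection Event Date')} {d.get('Protection Event Time')}",
        "process": w.get("File"),
        "domain": w.get("Domain"),
        "ip": w.get("IP Address"),
        "port": w.get("Port"),
        "direction": w.get("Type"),
        "category": w.get("Category"),
    }


def recurring_outbound_blocks(events, min_count=3):
    """Return {(process, domain): count} for outbound blocks seen at least
    min_count times.  Repeated outbound attempts to one domain from one
    process is the beaconing shape worth escalating; a single block is not."""
    counts = Counter()
    for e in events:
        s = block_summary(e)
        if s["direction"] == "Outbound" and s["process"] and s["domain"]:
            counts[(s["process"], s["domain"])] += 1
    return {k: n for k, n in counts.items() if n >= min_count}


def make_event(date, time, domain, ip, process=CHROME):
    """Constructed event in the same layout as the log posted above."""
    return f"""Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: {date}
Protection Event Time: {time}
Log File: example.json

-System Information-
OS: Windows 10 (Build 18362.1016)
User: System

-Blocked Website Details-
Malicious Website: 1
, {process}, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: PUP
Domain: {domain}
IP Address: {ip}
Port: 80
Type: Outbound
File: {process}

(end)
"""


# Constructed sample set (assumption): times, repeat count and the 192.0.2.10
# address for stat1.info are made up; fastsearch.me / 212.83.190.17 are from the log.
SAMPLE_EVENTS = [
    make_event("01/09/2020", "05:36", "fastsearch.me", "212.83.190.17"),
    make_event("01/09/2020", "05:57", "fastsearch.me", "212.83.190.17"),
    make_event("01/09/2020", "06:18", "fastsearch.me", "212.83.190.17"),
    make_event("01/09/2020", "07:02", "stat1.info", "192.0.2.10"),
]


def triage(texts=SAMPLE_EVENTS, min_count=3):
    """Parse every export and return the recurring (process, domain) pairs."""
    return recurring_outbound_blocks([parse_mb_event(t) for t in texts], min_count)


if __name__ == "__main__":
    for (proc, dom), n in triage().items():
        print(f"{n}x outbound block: {proc} -> {dom}")
```

Run it over a folder of exported events (one string per file) and the thing to look at is which process is named in the recurring pairs: here it is chrome.exe itself, which is consistent with the poster's reading that the browser profile, not a separate program, is what keeps reaching out.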
-
Fair enough, thanks for the unblock.
-
My mistake, apparently I whitelisted it and then erased the event from my memory.
Nevertheless, has there actually been any malware served from that site, or is it (as browser guard suggests) just a suspicion?
If it definitely has been serving malware, it's a real shame as there are lots of high quality Morrowind mods held only there and referenced in a number of guides, so a definitive answer would help/inform that community.
-
Other than being a Russian site, is there any problem with https://www.fullrest.ru/ ? Browser Guard takes offence to it every time, whilst MBAM web protection never so much as blinks.
It's just a games modding site, not even any horrible adverts.
-
MBAM picked up the uninstaller for Signal for Desktop per the attached. Note there's also a registry key in there; I am assuming, as it's a key for an uninstaller, this is related to Signal also?
-
I've twice now had Browser Guard pop up for
https://download.gimp.org/mirror/pub/gimp/v2.10/windows/gimp-2.10.20-setup-1.exe
as linked from
https://www.gimp.org/downloads/
Definitely not a dangerous file.
-
The website itself wasn't blocked, but I got a block action when I tried to download the software from their front page.
I can't give the exact url, as it's called from a script, but the relevant element reads:
<img class="downloadDiv undefined" onclick="window.location.href = 'FileSend.aspx?id=VoiceAttackInstaller.exe';" src="assets/images/downloadFlat.png" id="downloadIcon">
I was able to work around by telling MWB not to block this again.
-
The following has a link to a repository of older versions, if it will help with training.
https://reshade.me/forum/general-discussion/294-reshade-repository
-
Following on from my post last week, another version of ReShade has been released, 4.1.1, which now triggers the machine learning.
Again, see:
https://reshade.me/
https://reshade.me/forum/releases/5021-4-1
I don't know why your neural net has taken a dislike to ReShade, but perhaps you could try to train it not to flag each version as it's released.
-
Yup - these things happen. Thanks for the quick fix.
-
See the following:
https://reshade.me/
https://reshade.me/forum/releases/5021-4-1
Previous version (4.0.2) does not trigger a detection.
-
Multiple blocks for chrome accessing fastsearch.me, threat scan negative (in Resolved Malware Removal Logs)
Thanks for being patient for a reply.
So far so good, nothing has popped up. It's a shame we don't know what actually caused it, but a thorough cleaning appears to have fixed it. I suggest we close this topic as it stands, if necessary I'll request it to be reopened.