
Chrome intrusion, not sure if malware or an intruder





I posted this question in Google's group forums and in Tom's Hardware forums and haven't been able to get any answers or even theories.


My problem is this: last Friday at some time between 1am and 2am EST I was browsing the internet using Google Chrome on Windows 7 when suddenly Chrome started acting erratically. Pages were going back and forth, an image slideshow I was browsing would scroll backwards after I scrolled it forwards. I then closed the browser and reopened it thinking it was some kind of bug with Chrome. When I reopened the browser I clicked in the omnibox to get to a site I wanted to browse and as soon as I hit a key a bunch of seemingly random characters appeared followed by white space and the words "Dire EMM" or "Dire Emm", I can't recall. Again I closed the browser and reopened it, but this time opening my history. I wanted to search my history to see if I had searched dire emm at some point in the past. Just as I did I got a string of forward slashes followed by a white space and "W M Light". At this point I yanked out my ethernet cable. When the gibberish became words or a name I thought I was being hacked and controlled. Although I never fully lost control, only seemed to fight for it but as far as I can remember never lost control of my mouse. At the time the machine used Windows Firewall and Microsoft Security Essentials as its primary anti-malware/anti-virus solution. I had Malwarebytes installed but the pro trial had expired.


After all that I pulled out my backup MacBook Pro and downloaded the latest Malwarebytes and Super Anti-Spyware. I installed those and ran them both along with Microsoft Security Essentials in full scan mode which took till like 5am. Malwarebytes found 3 objects but according to Google searches they were false positives. Like an idiot I just deleted them thinking "just to be safe" instead of taking note of what they were. After that I ran all three programs again in full scan. All three reported back that the PC was now clean. I also went and disabled every service related to remote desktop in Windows 7, the nerve-wracking bit about this part is I swear I did this years ago when I bought the machine. I also uninstalled (but kept browsing data) and reinstalled Chrome. Also just to be safe I changed my passwords on my MacBook.


The day after that made it seem like everything was fine, Chrome worked flawlessly, the games I chose to play likewise. Everything seemed clear, but then again at around 1:30am EST while browsing some reference material in Chrome (I'm an art student) it started to act weird. Pages were going back and forth, Chrome entered and exited full screen a few times and when I opened up a new tab it "clicked" the link I was hovering over despite me not having clicked. Then when I clicked in the omnibox I got a string of forward slashes "/" followed by a white space and "W M Light". Again I freaked out and pulled the ethernet cable. After I calmed down I uninstalled Chrome and plugged back in just long enough to update all my anti-virus and anti-malware programs. I then ran everything again, again it all came up clean.


The confusing bit is this weirdness only seems to happen in Chrome (but I can't be sure, might have happened when I was away from the PC) and both times between 1am and 2am. All my games and Photoshop seem to function normally. My internet didn't seem unusually slow, neither did the PC in general.


So I've decided to take my PC to the store where I bought it, I'm buying a new hybrid drive and wiping the old drive. The new drive will house Windows and the old drive will act as storage. I also reset my DSL modem to factory defaults.


Now call me crazy, after this reformat is there a chance this "W M Light" person could hit me again? I'm worried he's targeted me and just constantly looking for an in, god only knows why. Like I said I'm a student and on a personal PC not part of some company. I mean they could possibly get what little money I have.


My question now is, is there a chance this person could come back after the reformat just using my MAC address or the MAC address of my DSL modem (a 2Wire with Bell Canada)? Or am I just being paranoid, I'd really like something to try and return my peace of mind. I've put a lot of money into my PC and Steam games and I also use it as my primary tool for my craft (illustration) with Adobe CS6 and a nice Wacom.


Talking to friends who work in IT the theory is it's either a piece of malicious java code that got into my Chrome install or a backdoor letting the same dude into my system. Again though, nothing even vaguely solid in terms of an answer.


Sorry if this is the wrong place to ask this question.


Thanks for any help and/or advice.



additionally ...

is there any particular reason that you are using google chrome browser ?

switch over to firefox (after you get done in the malware removal section) .

this will help show if the incident is browser specific .


i did find a couple of possibly related references to "w m light" :



yeppers ... good reason to head over to the malware removal section .


i believe i found your other posting ...

"The part that confuses me is that the "intrusion" only ever happened in Chrome. With Chrome closed I got no odd behavior of my system. Steam, Firefox (though admittedly I didn't run Firefox long enough to be sure), Warframe and Diablo 3 (the two games I played since the first "attack") all seemed to work fine."


you may have to be more *selective* in the future about certain programs and their sources .

also , upgrading your AV/AM solutions should be given due deliberation .

MSE was farmed out to a third party some time back ... i would find another program .


I've already decided to take the safest route and wipe the system and start with a fresh install of Windows 7, is it still necessary to go through the malware removal process?


The machine has been online for a total of 5 minutes since the 2nd attack just long enough to update Malwarebytes, MSE and Super Anti-Spyware so I could scan my external backup drive. I also forgot to mention I bought Malwarebytes PRO between the two attacks to get real time protection.


I use Chrome because I like the interface more than Firefox or anything else, preference really.


Any suggestions to an MSE alternative? I used to use Antivir but that got all kinds of annoying and obstructive a few years back so I switched to MSE.


Since I scanned my backup drive, which came up clean, the machine hasn't even been on let alone online and I don't dare plug in the ethernet cable till I get the drive wiped.


Is there a chance whatever this is could survive the format? Do I need to tell the store to "re-certify" the drive (is that even still a thing?) or do some kind of lower-level format to make sure it's blank as blank can be? Keep in mind I am getting a new hybrid drive to use as my primary Windows drive, this current infected drive will be purely secondary storage.


Thanks for the suggestions and theories, and yes I will definitely be more selective about where I get software. I must've got duped into visiting a fake site like a newbie. Definitely all on me, but I hope to fix it and get my machine back soon.


"The machine has been online for a total of 5 minutes since the 2nd attack just long enough to update Malwarebytes, MSE and Super Anti-Spyware so I could scan my external backup drive"

my reply : "how long does it take to get into a train wreck" ?



as you have decided to do a full wipe and install there normally would be no need to head over to the malware removal section .

(there are some types of nasties that can get into the "deep" levels of a HDD , perhaps DHL or someone else would care to elaborate)


as for what protection to use ...

there is a "no endorsement policy" in effect in these forums .

personally speaking , i use "paid for" versions of "ESET smart security 7" and a couple of other programs ... malwarebytes being among them .

there is a list and blurb about AV products located here : https://forums.malwarebytes.org/index.php?showtopic=140779


Just to add....


If you did a complete format, together with new partitions (performed FDISK) on the drives, then you should be safe and no need to go to the malware removal forum.


If you only formatted, or installed over the existing partition and did not remove partitions or FDISK the drive.... and you were infected with a MBR virus or malware or rootkit then perhaps you could still go over to the removal section to ensure you're clean... it's up to you....


I bought a new 1 TB Western Digital Black drive and used that as my Windows partition, the old drive is going to be used as secondary storage. I had the store where I bought the machine do the work as I'm a full time student in my last year (ie very busy). Picking up the machine tomorrow, they said they wiped and FDISK'd the old drive.


In the past they've been good about their work and what they said they did or did not do. Of course this is my first experience with a piece of malware or trojan and getting invaded/intruded/hacked/whatever you want to call it. So it's possible they're lying and they just wiped the drive but didn't perform FDISK. Though I have no reason to suspect they'd do that.


  • Root Admin

No way to tell without forensic analysis which no one will do for free as it's quite time consuming.


You should be all set then once you get the system back. If you need anything else let us know but otherwise good luck with the computer and your classes.


Take care

