"hijack.drives", Google Chrome related?

[Double]

Today, from out of the blue, my Chrome web browser notified me that: "Chrome detected that your browser settings may have been changed without your knowledge. Would you like to reset them to their original defaults?".... what just happened? I did some searching around, and found this news article, published within the last 8 hours.

 

After reading suggestions by Google that I may have acquired malware of a sort, I decided to do a scan with Malwarebytes Pro in safemode. It found "hijack.drives" (attached), which it then prompted to quarantine. How the heck did this get on my system, and is it something I should be concerned about?? The name of the find itself doesn't sound very friendly, and the fact my browser settings was changed by some unknown entity has had me paranoid. I have no idea if this "hijack.drives" is linked to the Chrome problem above.

 

A pinned listing posted today on the Google Chrome Forums state that the 'reset' message is related to Chrome extensions. I found another article posted today regarding cleanup written by the vice-president of engineering.

 

Can someone help me make sense of all this? I don't quite know what to do. A lot of the extensions I use contain sensitive information, such as the Lastpass extension which contains all my passwords. I'm hoping that nothing else inside my browser was exploited except browser settings. I'm tempted to do a System Restore to reverse what has happened:

[Double]

*another thing worth mentioning, is that I couldn't tell that any changes were made to my Chrome settings, everything looked the same... so why did the 'reset' message appear?

[John L. Galt]

TBH, these two things *seem* unrelated.  In the articles that you linked to (and others that I found written within the last 24 hours) it seems to me that Google is trying (very badly, I might add) to explain that

1. They added this reset button a while back - as early as October, according to at least one article, and that
2. Since the number of users who seem to not realize that it has been been added to Chrome and keep clamoring for a way to get rid of malicious addons to their Chrome keeps rising, they have caused Chrome to check all local installs and throw a pop-up at Chrome users whose settings are not default settings.

I may be wrong, but that seems the gist of it.  I *could* be wrong, but that is what I took from the various articles.

 

As for the scan that you got, well, I went looking in the registry, and it took me a while to see that your false key found is not HKCR\Drive\shell, which is a legitimate key, but instead HKCR\Drive\shell| (note the | at the end of the word shell, making it look like 3 lowercase letter "L"s), which is most definitely not a legitimate key.

 

I don't think this illegitimate key is related to the notice that you got, however, just to be safe, I think a staff member will want to take over and help you scan your system for malware, just to be sure.

[AdvancedSetup]

Yes, as with any suspected infection we only work on them in one specific forum.

 

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.


Thanks

[John L. Galt]

Thanks, Ron - wasn't sure if you'd direct the OP there or else start with something else, so I just backed off.

[Double]

I had no problem removing the "Hijack.Drives" infection w/MBAM, but I'm wanting to know what potential damage it did. The "hijacking" part doesn't sound like it was supposed to play nice. After removing the infection from within safemode, my MBAM icon returned to normal. That was really the only noticeable change this malware had.

 

To be honest, I'm not really sure if Chrome had anything to do with this, i think the 'reset' message just coincided with something else.

 

About a week ago I downloaded a 'Photoshop Creative Cloud' crack off of a shared Youtube link which consisted of a .zip file containing 2 .dll files which were to replace two other .dll files inside two separate Photoshop folders (one in the x64 bit folder and another in the x86 folder) which unlocks the program. I am beginning to think this may have been the cause of the malware, but I cannot say for sure. I do not condone my actions, but because the method looked so easy to unlock in the video, i thought it was way too good to pass up.

[daledoc1]

Hi, Double:
 
Until AdvancedSetup and John L. Galt return....
 
As we can't work on this sort of issue in this area of the forum, if you would like expert help, I would suggest that you please follow their advice:
 

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

 
However, please be aware of the Piracy Policy which requires that all cracks, keygens and other illegal software be removed before assistance can be provided.

Once such software has been fully removed, one of the malware experts will be happy to assist you.
 

About a week ago I downloaded a 'Photoshop Creative Cloud' crack off of a shared Youtube link which consisted of a .zip file containing 2 .dll files which were to replace two other .dll files inside two separate Photoshop folders (one in the x64 bit folder and another in the x86 folder) which unlocks the program. I am beginning to think this may have been the cause of the malware,

 
Thanks very much for your patience and understanding,
 
daledoc1

[John L. Galt]

... but because the method looked so easy to unlock in the video, i thought it was way too good to pass up.

Spot on, daledoc.

@Double - follow Advanced Setup's recommendation and let them go through the process of ascertaining that everything is, indeed, fine with your system. Take into consideration what daledoc wrote above regarding the Anti Piracy policy, and uninstall the crack that you installed.

And, as you do seem truly penitent about it, let me add this little word of advice:

 

If something looks too good to be true, it probably isn't.

 

And if you are *really* jonesing for PhotoShop but cannot afford it, might I suggest Pixia as an alternative?

[Double]

I just scanned my newly reinstalled system with MBAM once again in safemode, it found Hijack.Drives once again. I can confirm this is not related to the Photoshop key I found (it's not installed anymore since the wipe).

 

I am beginning to think this is a false alarm of sorts, but I got to make sure. This has to be related to Chrome, it has to be. Does anyone have any relevant information as to what "Hijack.Drives" is??? Instead of referring me to different places, I'd like to understand what this so-called "infection" is before moving forward.

[Double]

I am posting a log on the recent find. As mentioned I just barely reinstalled Windows over this. After downloading and installing Chrome again, it once again detected a settings change was made without my permission, but this has been happening to others users as well since January 31st. mbam-log-2014-02-03 (00-29-45).txt

 

enabled Chrome extensions:

Image Downloader

Downloadr

ScriptSafe

Adblock

Ghostery

Web Of Trust

KB SSL Enforcer

Google Tasks

Sexy Undo

Lastpass

Google Dictionary

 

Windows apps

Xplorer2

Chrome

Synctoy

Irfanview

Visipics

Audacity

VirtualDub

7zip

Dropbox

Avast free

MBAM Pro

 

[AdvancedSetup]

There really is not much else we can do for you in this forum. To review your system and have it cleaned with the help of an Expert please follow the advice provided.

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thank you.

[Double]

I do not understand, this is the MBAM support forums? I've already done the removal part myself, from inside Safemode. If I take my topic here, I'll likely be told the same thing.

[daledoc1]

Hi, again, Double:

 

Until AdvancedSetup returns...

 

This particular area of the forum is reserved for issues with installing or running the MBAM program itself.

Malware issues or possible malware issues or issues that require in-depth troubleshooting due to hardware/software conflicts or other problems are handled in a dedicated area of the forum >>HERE<<.

In that section, trained malware experts assist the users with running a range of tools in order to detect, remove and repair damage from malware.

That work cannot be done in this particular section of the forum.

You may also find this pinned topic helpful: The complexity of finding, preventing, and cleanup from malware

 

So, if you would like further assistance, please follow the forum Root Admin's advice, as previously provided, starting with following the advice in this pinned topic: Available Assistance for Possibly Infected Computers.

 

Thank you,

 

daledoc1

[AdvancedSetup]

If you've done the removal then we're done here.  How else can we assist you?

[Double]

I'd like to know what it was, and how I re-caught it. The below also doesn't make sense, what is trying to make registry changes to my system? If you had this infection on your system, would anyone here have just left it alone?

 

As for the scan that you got, well, I went looking in the registry, and it took me a while to see that your false key found is not HKCR\Drive\shell, which is a legitimate key, but insteadHKCR\Drive\shell| (note the | at the end of the word shell, making it look like 3 lowercase letter "L"s), which is most definitely not a legitimate key.

 

[AdvancedSetup]

I'm sorry but this is not a training facility and we do not have the resources to train users on the exact mechanisms of every infection that is out there.  There are millions of them and it would require a forensic analysis of your computer to determine the exact reason.  That can take weeks and one pretty much need physical access to either a forensic image of the drive or the system itself.  You cannot do a forensic analysis without that type of access.   There are some sites out there that are dedicated to teaching and we blog about some infections and some of the security sites go into great details behind some specific infections and how they work but that is not the norm for most infections, the tools simply locate and remove.
 
We can review your system for items that might have helped to allow it but nearly impossible to tell you 100% why you got it. 

The complexity of finding, preventing, and cleanup from malware
 
 
If you do wish to receive help in the other forum to look for anything left over or ways to improve your security that's fine but please read this post and stop bumping your topic or no one will reply.

https://forums.malwarebytes.org/index.php?showtopic=9573

• After posting your new post, make sure under options, you select Follow this topic button and choose Immediate Email Notification
• One of the expert helpers there will give you one-on-one assistance when one becomes available.
• Please refrain from making any further changes to your computer (such as Install/Uninstall programs, using special fix tools, delete files, edit the registry, etc...) unless advised by a malware removal helper. Doing so can result in system changes which may hinder the attempts by a helper to clean your machine.
• Also, please do not 'bump' or add a reply to your topic once it is started. Topics which appear to have replies are considered to have an helper assisting them and may be overlooked, resulting in a longer waiting period for help.

Thanks again