
Chrome Keeps Trying to Access 198.105.244.114


msjg

It started this morning after I booted my laptop at work. I had been online, and using Chrome from home from about 2 AM to 5 AM, (mostly on reddit and Google News) then shut down to pack up and go into the office. When I got into the office, I booted up as usual, but when I opened Chrome MWB started blocking repeated outgoing attempts to IP 198.105.244.114. All of the fake domain names were 'randomjumbleofletters.home' and all with the IP 198.105.244.114. Here's just a few:

  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, bxustfudke.home, 60995, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, bxustfudke.home, 60995, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, fnpjlcqdj.home, 60996, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, fnpjlcqdj.home, 60996, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, xjkwmkamrtdvlg.home, 60997, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, xjkwmkamrtdvlg.home, 60997, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, xjkwmkamrtdvlg.home, 61002, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,

I immediately shut down Chrome and did a Threat Scan, and when that found nothing, I went back and did a full, custom scan, including the rootkit scan option. Again, nothing was found.

 

Attached are the full MWB Daily Log; FRST and Addition texts for more information.

 

I'm using Firefox now, and have it set as my default browser until this issue is resolved.

Addition.txt

daily_log_08-Sept-2015.txt

FRST.txt

Link to post
Share on other sites
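Added example, not part of the thread or of any Malwarebytes tooling: a small Python triage of detection lines like those quoted in the first post, grouping them by destination IP and process to show how many distinct hostnames map to the same address. The field positions and all function names are assumptions inferred from the lines shown; the sample is constructed from those lines.

```python
from collections import defaultdict

# Constructed sample: detection lines copied from the post, plus its truncated last line.
SAMPLE = r"""
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, bxustfudke.home, 60995, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, fnpjlcqdj.home, 60996, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, xjkwmkamrtdvlg.home, 60997, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Detection, 9/8/2015 7:29 AM, SYSTEM, BLACK, Protection, Malicious Website Protection, IP, 198.105.244.114, xjkwmkamrtdvlg.home, 61002, Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
  • Outbound, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe,
"""

# Assumption: field positions inferred from the lines shown on the page.
F_TIME, F_TYPE, F_IP, F_HOST, F_PORT, F_DIR, F_PROC = 1, 6, 7, 8, 9, 10, 11

def parse(text):
    """Yield one dict per complete IP detection line; skip truncated lines."""
    for line in text.splitlines():
        f = [x.strip() for x in line.strip().lstrip("•").split(",")]
        if len(f) <= F_PROC or f[0] != "Detection" or f[F_TYPE] != "IP":
            continue
        yield {"time": f[F_TIME], "ip": f[F_IP], "host": f[F_HOST],
               "port": int(f[F_PORT]), "direction": f[F_DIR],
               "process": f[F_PROC]}

def summarize(events):
    """Group events by (destination IP, process path in lower case)."""
    groups = defaultdict(lambda: {"hits": 0, "hosts": set(),
                                  "ports": set(), "suffixes": set()})
    for e in events:
        g = groups[(e["ip"], e["process"].lower())]
        g["hits"] += 1
        g["hosts"].add(e["host"])
        g["ports"].add(e["port"])
        g["suffixes"].add(e["host"].rsplit(".", 1)[-1])
    return dict(groups)

def one_ip_many_names(groups, min_hosts=3):
    """Keys where several distinct hostnames were all blocked on one IP."""
    return [k for k, g in groups.items() if len(g["hosts"]) >= min_hosts]

if __name__ == "__main__":
    summary = summarize(parse(SAMPLE))
    for (ip, proc), g in summary.items():
        print(ip, proc, g["hits"], sorted(g["hosts"]), sorted(g["suffixes"]))
    print("one IP, many names:", one_ip_many_names(summary))
```

Running the same grouping over a full daily log from each network makes it easy to compare which process, names and address are involved in each location.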

Hello and welcome,

P2P/Piracy Warning:

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

Next,

 

Please open Malwarebytes Anti-Malware.

  • On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
  • Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
  • Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • With some infections, you may or may not see this message box.

            'Could not load DDA driver'
  • Click 'Yes' to this message, to allow the driver to load after a restart.
  • Allow the computer to restart. Continue with the rest of these instructions.
  • When the scan is complete, click Apply Actions.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.



To get the log from Malwarebytes do the following:

  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have three options:

      Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
      Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
      XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…


 

Next,

 

Download AdwCleaner by Xplode onto your Desktop.

  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait for the scan to finish..
  • When "Waiting for action. Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...

 
Next,
 
Please download Junkware Removal Tool to your desktop.

  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


 

Next,

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the two logs....
 

Let me see those logs in your reply...

 

Thank you,

 

Kevin..

Link to post
Share on other sites

Thanks, Kevin. I'm running the Malware Bytes scan again. Just FYI, I already had set "scan for rootkits" and for PUP and PUM "treat as malware" - been set that way since I first started using MBAM. I'll follow the rest of the steps you have outlined and will post the results when done. It'll be a few hours.

Link to post
Share on other sites

Hi Kevin,

 

Followed all of your instructions, and all of the logs are attached. I haven't started Chrome yet since doing all of the scans [...] Okay, just opened it and there were no occurrences. Hopefully that's a good thing. Now I just have to figure out where/how the hell I picked up whatever that was. I'm usually pretty good about keeping my machines clean, so this is bothersome. :-/

 

 

Addition_002.txt

AdwCleanerC5.txt

FRST_002.txt

JRT.txt

scan_log_08Sept2015_1906.txt

Link to post
Share on other sites

Thanks for those logs, good to hear we are making progress. Continue as follows please:

 

Download attached fixlist.txt file (end of reply) and save it to the Desktop, or the folder you saved FRST into.
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt) or the folder it was run from. Please post it to your reply.
 

Next,

 

Download Microsoft's "Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

 

Next,

 

Download Security Check by screen317 from either of the following:

http://screen317.spywareinfoforum.org/SecurityCheck.exe or http://screen317.changelog.fr/SecurityCheck.exe

Save it to your Desktop. (If your security alerts either accept the alert, or turn the security off while Security Check runs)
Double click SecurityCheck.exe (Vista or Windows 7/8 users right click and select "Run as Administrator") and follow the onscreen instructions inside of the black box. Press any key when asked.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

If Security Check will not run or you get an alert saying it is not supported, Re-boot your PC then try again...

Post those logs, also let me know if you have any remaining issues or concerns...

 

Thank you,

 

Kevin...

 

 

Fixlist.txt

Link to post
Share on other sites

Yeah, so, I may have celebrated too soon. Same thing happened again this morning. Wasn't getting the notifications until I got into work, booted up and started Chrome. Same poop, different day. So I did everything I did yesterday again, with the few steps you added above.

 

Then this got me to thinking (which I should have done yesterday): The only difference between when I'm at work and home, besides the personal vs. employer wifi, is that at home I have an external drive. Yesterday morning I was unable to access my external drive (F:), but I dismissed it because I was in a hurry to leave for work and shut down my laptop. The issue began when I booted back up again when at work. Now, last night my laptop was still not recognizing my external drive until *after* all of the scans/steps were completed and laptop rebooted. Everything worked fine (or seemed to be) until I shut down (disconnecting from external drive) and booted back up when I got to work - then the outgoing crap started again. So now I am back home, with my external (F:) drive connected and am doing a full scan (rootkit, treat PUP/PUM as malware, etc) on it. I'll follow all of the steps you listed in your replies above on it as well (unless you think it's not necessary).

 

Anyway, the latest requested results files are attached.

Fixlog.txt

mrt_001.txt

checkup.txt

Link to post
Share on other sites

Okay, I fully scanned my system again using MBAM (Premium) and Windows Defender; installed and ran MCShield and all scans came up clean for all drives - internal and external.

 

Now it's time for a little experiment.

 

This is what happens -

Clean -> Everything looks great -> Use Chrome with no outbound crap happening and all drives connected -> Shut down -> Disconnect external drive -> Go to work -> Start up -> Open Chrome -> Issue immediately reappears with MBAM blocking the whatever it is.

 

So now that I've run everything again, and my system appears to be clean, I'm going to open Chrome and do some basic stuff (read the news, browse reddit, watch stupid videos on youtube). Then I'm going to close everything down. Disconnect everything from my laptop, then start up and see if the issue occurs again. Be back in an hour or so.

Link to post
Share on other sites

WiFi.

 

I'm thinking the same thing. Machine has been working fine all night/morning. It's 5:45 AM here now, and I'm getting ready to shut down and head out. It'll be a couple of hours before I'm able to boot up there. I'll let you know what happens.

Link to post
Share on other sites

Told the boss about the issue, explained what we've been doing, what the issue was, and showed him this page, and the logs. He called one of his 'security' friends, who basically told him to disconnect the routers, place them in the driveway, and run them over with his truck. Then after he's done that, to go out and buy a couple of AirPort Extremes, and lock them down.

 

He didn't do that. (Though I kind of wish he had. I would've liked to witness that.) Instead he reset the router, changed the password, called the service provider, and basically spent the entire day running around disconnecting, reconnecting and reconfiguring things while on the phone with various tech support people. He was still at it when I left.

 

I've never encountered anything like this before... A Chrome specific router malware. WTF?

Link to post
Share on other sites

Nothing surprises me on the malware/infection front... at least we know where the fault is...

 

I guess we can clean up tools etc...

 

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:



  • Remove disinfection tools
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings



Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

 

Next,

 

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and Best Practices

Do I need a Registry Cleaner?
 

Let me know if we are ok to close out...

 

Thank you,

 

Kevin..

Link to post
Share on other sites

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

Link to post
Share on other sites
