
Malwarebytes does not detect Chrome Google CSE redirect malware/virus



I have some sort of malware affecting Google Chrome. It is very buggy when it runs, it sometimes crashes, and when you use the omnibar to search for anything, it redirects to a Google Custom Search at cse.google.com. Malwarebytes Premium won't detect anything. I've uninstalled/reinstalled Chrome multiple times and followed the instructions in a couple of different YouTube videos that offer a solution to this issue, all to no avail. I have already run Farbar and the appropriate files are attached. Not sure what to do at this point, so here we are.

FRST.txt

Addition.txt


  • Root Admin

Hello @jeffbindel and :welcome:

More than likely it's just an entry for Chrome. Unfortunately a typical uninstall of Chrome leaves plenty of files and registry entries. Also, if you have a signed-on account that syncs, it will put it back when you log back on after a reinstall.

I notice you're using PIA which uses random files. I'd suggest looking at these articles on how to control that or look at using a different VPN.

Run rubyw.exe from Fixed Location with Personal Firewall

Private Internet Access rubyw.exe connections explained


From the logs.

What is this scheduled task and what is it doing?

Task: {2DF40855-18BA-472D-8815-19D1971BDBDB} - System32\Tasks\63225-45253-41608 => Rundll32.exe "C:\ProgramData\63225.45253.41608\63225.45253.41608.dll",QueryActiveSession

Task: {B05F8934-5804-45FE-8D4A-B642A484FD96} - System32\Tasks\7463-65067-27146 => Rundll32.exe "C:\ProgramData\7463.65067.27146\7463.65067.27146.dll",QueryActiveSession

There is also a hack on the computer designed to steal or pirate Windows or Office, and it should be removed.

Task: {B114CC50-F76E-4300-B14B-120E13C6A8BD} - System32\Tasks\AutoKMS => E:\AutoKMS\AutoKMS.exe

Really don't see why anyone would try to steal Windows 10 when it was offered for free for over a year.

That said, unless the DLL query task somehow put back the Google Custom Search (I highly doubt that), I don't see any malware or other threats that would cause that behavior. A good, proper clean removal of Chrome, and then monitoring to ensure all was removed, should correct this.


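As an added example (not from this thread, and not FRST's own logic): a small Python triage over FRST "Task:" lines, using the three entries quoted above plus one constructed benign task, that flags the properties that make those two Rundll32 tasks worth questioning (digit-only task names, a DLL loaded from ProgramData) and the AutoKMS task Ron says to remove. The user-writable directory list and the heuristics are my assumptions.

```python
import re

# Constructed sample input in FRST's "Task:" line format. The first three
# lines are the entries quoted in this thread; the fourth is a made-up benign
# task (fake GUID) so the filter has something to leave alone.
SAMPLE_FRST_LINES = r"""
Task: {2DF40855-18BA-472D-8815-19D1971BDBDB} - System32\Tasks\63225-45253-41608 => Rundll32.exe "C:\ProgramData\63225.45253.41608\63225.45253.41608.dll",QueryActiveSession
Task: {B05F8934-5804-45FE-8D4A-B642A484FD96} - System32\Tasks\7463-65067-27146 => Rundll32.exe "C:\ProgramData\7463.65067.27146\7463.65067.27146.dll",QueryActiveSession
Task: {B114CC50-F76E-4300-B14B-120E13C6A8BD} - System32\Tasks\AutoKMS => E:\AutoKMS\AutoKMS.exe
Task: {00000000-0000-0000-0000-000000000000} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
""".strip()

TASK_RE = re.compile(r"^Task: \{(?P<guid>[0-9A-Fa-f-]+)\} - System32\\Tasks\\(?P<name>.+?) => (?P<action>.+)$")
# Directories an unprivileged user (and therefore a dropper) can write to (assumed list).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def parse_tasks(text):
    """Yield (guid, name, action) for every FRST Task: line that parses."""
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            yield m.group("guid"), m.group("name"), m.group("action")


def triage_task(name, action):
    """Return the reasons a task deserves a look; an empty list means it looks ordinary."""
    reasons = []
    if re.fullmatch(r"[\d.\-]+", name):
        reasons.append("task name is only digits and separators (looks generated)")
    first = action.split()[0].lower().strip('"')
    if first.endswith("rundll32.exe"):
        # rundll32 "<dll>",<export>: pull the DLL path out of the quotes
        dll = re.search(r'"([^"]+\.dll)"', action, re.IGNORECASE)
        if dll and any(d in dll.group(1).lower() for d in USER_WRITABLE):
            reasons.append("rundll32 loads a DLL from a user-writable directory")
    if "autokms" in (name + action).lower():
        reasons.append("AutoKMS activation crack (flagged for removal in this thread)")
    return reasons


def triage(text):
    """Map task name -> reasons, for every task with at least one reason."""
    flagged = {}
    for _guid, name, action in parse_tasks(text):
        reasons = triage_task(name, action)
        if reasons:
            flagged[name] = reasons
    return flagged
```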

Thank you for your input. Removed AutoKMS. I don't know what those two tasks are. Also, other than just "uninstalling" Chrome, what steps do I take to ensure it was completely and cleanly removed before attempting a reinstall? And is there a way to be able to log back in to Chrome without it putting it all back? Thanks again for the assistance.


  • Root Admin

Yep, pretty easy. I'll give you the basics for "resetting your browsers". Do that, then make sure you pay attention to the part about signing into Google and disabling your Sync. Make sure you export your bookmarks otherwise you'll lose them. Then go ahead and uninstall Chrome normally and reboot. After the reboot run the FRST program and post back those 2 logs and I'll review to assist you further with any other Chrome removal procedures.


Please visit each of the following sites and let's reset all of your browsers back to defaults to prevent unexpected issues.
If you are not using one of the browsers but it is installed then you may want to consider uninstalling it as older versions of some software can pose an increase in the potential for an infection to get in.

Internet Explorer
How to reset Internet Explorer settings

Firefox
Click on Help / Troubleshooting Information then click on the Reset Firefox button.

Chrome

I would like to reset Chrome back to defaults to completely clear out what is going on with Chrome.

You can keep your bookmarks if you want to, but you have to export them first: >> Export Bookmarks <<. Everything else should be removed.

Then I need you to go to >> Google Sync << and sign into your account.
Scroll down until you see the Reset Sync button and click on it.
At the prompt, click on OK.

Reset Your Browser Settings

  1. In the top-right corner of the browser window, click the “Chrome Menu” icon (Three horizontal lines)
  2. Select Settings.
  3. At the bottom, click Show advanced settings…
  4. Scroll down until you see “Reset settings”, Then click on the button Reset Settings.
  5. In the dialog that appears, click Reset.

Close Chrome and go to the Control Panel, Programs, and uninstall Chrome. Then restart the computer and run the following for me.

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.


Okay, all the above has been done. I also attached the log from AdwCleaner that shows the registry key that keeps getting changed. Running AdwCleaner doesn't solve the issue though. After telling it to fix the registry key and resetting the PC, if you scan again it will still show up as if it wasn't fixed. I also attached the Malwarebytes scan log from when it detected malware. It was on the regular scheduled overnight scan that ran the morning of the 3rd. Not sure why it showed up then but not other times. The images are just screenshots of what else Chrome has been doing since I started having problems with it. When starting Chrome, it repeatedly runs out of memory and will flash black. Sometimes it will stay "black" and I'll have to restart Chrome in order to be able to do anything with it. Clearing the cache seems to help for a second, but it starts acting up again after a bit.

FRST.txt

Addition.txt

Malwarebytes scan log.txt

AdwCleaner[S14].txt

Chrome error 1.PNG

chrome error 2.PNG


  • Root Admin

As I explained in my post ID 2, there is a random file created by your Private Internet Access application doing VPN. It uses Ruby, which creates a temporary file that MBAM and other antivirus products see as an executable running out of a temporary folder and block it, or at least label it as malware. The links provided are means to stop that behavior.

Please disable or uninstall your Spybot - Search & Destroy 2 so that it does not block our changes or restore things back we've changed.


STEP 1

Please Run TFC by OldTimer to clear temporary files:

  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.


STEP 2

Please download the correct version of SystemLook for your computer and save it to your desktop.
You can check here if you're not sure if your computer is 32-bit or 64-bit

SystemLook 32-bit x86 | or | SystemLook 64-bit x64

  • If using Windows XP just double click on SystemLook.exe to run it.
  • For all other versions of Windows, right click over SystemLook.exe or SystemLook_x64.exe and choose Run as administrator to run it
  • Copy the contents of the following code box into the main text field - including the colon characters.

    :filefind
    *GOOGLE*
    *CHROME*
    :folderfind
    *GOOGLE*
    *CHROME*
    :regfind
    GOOGLE
    CHROME
  • Click the Look button to start the scan

  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

  • Note: The log can also be found on your Desktop named SystemLook.txt

STEP 3

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thank you

Ron


I followed the steps for setting up PIA to not use random files the last time, but I didn't delete the old files. I double-checked to make sure I went through the steps correctly and then I deleted the old temp files that it created, which now seems kind of redundant because I ran the temp file cleaner immediately after that, lol. Steps 2 and 3 are also complete, and the results are posted below.

SystemLook.txt

Fixlog.txt


  • Root Admin

Please run the following to clean up some Google and Chrome entries left over.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks


  • Root Admin

Glad we could help. :) If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
