
Having trouble with Chrome sending strange malicious requests



Hi, I have attached the relevant logs from Farbar as instructed. I seem to be getting Chrome sending strange requests, sometimes to some fairly benign sites, which is when my ESET anti-virus pops up asking me whether to allow the request, and then to some clearly malicious sites that Premium MalwareBytes picks up. I've done a scan on both and neither ESET nor MB has picked anything up. I have ESET, MB Anti-Malware and Anti-Exploit.

Addition.txt

FRST.txt

Edited by Dal

Hello Dal and welcome to the Forums.

I'm Android8888 and I'll be helping you with your malware issues. Please ask questions if anything is unclear.

I suggest printing out each set of instructions or copying them to a Notepad file and reading the entire post before proceeding. It will make following them easier.

Please DO NOT run any tools on your own and follow the directions in the order listed.

Make sure to run all the tools from the Desktop and with Administrator privileges.


Going over your logs I noticed that you have Deluge installed.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.


It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall Deluge, however that choice is up to you. If you choose to remove these programs, you can do so via right-click on Start > Control Panel > Programs and Features.
If you wish to keep it, please do not use it until your computer is cleaned.


Follow the instructions below to execute a fix on your system using FRST, and provide the log in your next reply.

  • Download the attached fixlist.txt file, and save it on your Desktop (or wherever your FRST64.exe executable is located); DO NOT open that file!
  • Right-click on the FRST64 executable and select Run as Administrator;
  • Click on the Fix button;
    Credits: Aura
  • On completion, a message will come up saying that the fix has been completed and it'll open a log in Notepad;
  • Please attach the fixlog.txt in your next reply;


  • Download Junkware Removal Tool (JRT) and move it to your Desktop;
  • Right-click on JRT.exe and select Run as Administrator;
  • Press any key to launch the scan and let it complete;
    Credits: Bleeping Computer and Aura
  • Once the scan is complete, a log will open. Please attach that log in your next reply;


  • Download AdwCleaner and move it to your Desktop;
  • Right-click on AdwCleaner.exe and select Run as Administrator;
  • Accept the EULA (I accept), let the database update, then click on Scan;
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Cleaning button. This will kill all the active processes;
    Credits: Aura
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it;
  • After the restart, a log will open when logging in. Please attach that log in your next reply;


Please read the instructions below and make a clean install of Malwarebytes from version 2 to version 3. Note: Your current licence will activate the new version of Malwarebytes to its current status.

Download MBAM-clean and save it to your computer Desktop.
 
Right-click on mbam-clean.exe icon and select Run as administrator to start the tool.
It will ask you to reboot the machine - please do so.
Run the MBAM-clean tool again and reboot when complete. NOTE: DO NOT miss this step.

If you have lost the activation licence key information it can be located here

Download Malwarebytes version 3 from here and save it to your Desktop or anywhere else on your system, as long as you know where it is located.

Double click on the installer and follow the prompts to install the program. If necessary select the blue Help tab for video instructions.

When the install completes and is updated do the following:

  • Open Malwarebytes;
  • On the left pane select Settings;
  • Then select the Protection tab;
  • Scroll down to Scan Options and ensure Scan for Rootkits and Scan within Archives are both on.
  • Go back to DashBoard and select the blue Scan Now tab.
  • When the scan completes, if potential threats are detected, make sure to checkmark all the listed items, and click the Quarantine Selected button.
  • Select Export Summary and then Text File (*.txt). Give a name to the log and save it;
  • Please attach that log in your next reply.


To summarize please attach the following logs in your next reply:
The fixlog.txt produced by FRST;
The JRT.txt log;
The AdwCleaner clean log;
The Malwarebytes log.

Let me know how the computer is running at this point and what issues you are still having on the system.

Thank you.

fixlist.txt


Hello Dal.

The logs do not show signs of active infection.

Please proceed as follows:

Please download Zemana AntiMalware and save it to your Desktop.

  • Right-click on the icon and select Run as administrator to install the program.
  • Click Yes to accept the security warning.
  • Once the installation is complete it will start automatically.
  • Without changing any options, press Scan to begin.
  • After the short scan is finished, if threats are detected press Next to remove them.
    Note: If restart is required to finish the cleaning process, you should click Reboot. If reboot isn't required, please re-boot your computer manually.
  • Click on the Back button.
  • On the top right corner click on Reports icon (the one with three bars) and double click on the latest report.
  • Now click File > Save As, then choose your Desktop and click the Save button.
  • Please attach the saved report in your next reply.


Next,

Clear cache and cookies of Chrome browser:
How to Clear Cache and Cookies


Reset the Chrome browser:
How to reset Chrome browser


Please attach the Zemana log and let me know if the problem persists.

Thank you.

Android8888


Hi there,
I've attached the Zemana log. It didn't find anything. It's just that my ESET and MalwareBytes Premium pop up issues with sites trying to connect that look very dubious.

Sites like cloud-iq.com and the following log that raised suspicion:

 Time;URL;Status;Application;User;IP address;SHA1
05/03/2017 12:31:08;https://f6fa82c4a9967c5b8d99933b1196dfed.info;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;THATONE\thatone;195.22.26.248;226DFCF2DDA05416CFE340C1CE62EE0B055BBF0B

 

2017.04.11-20.26.15-i0-t92-d0.txt
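
Added example, not part of the original post and not an ESET or Malwarebytes tool: a small Python triage script for a web-filter log in the semicolon-separated format quoted above, which flags hostnames containing a label made only of hexadecimal digits (like the blocked `.info` host) and groups them by the requesting executable. The 16-character threshold, the `Allowed` status string, `updater.exe`, and the second and third sample rows are constructed assumptions.

```python
import csv
import io
import ntpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# First data row is the line quoted in the post; the other two rows are constructed.
SAMPLE_LOG = r"""Time;URL;Status;Application;User;IP address;SHA1
05/03/2017 12:31:08;https://f6fa82c4a9967c5b8d99933b1196dfed.info;Blocked by internal IP blacklist;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;THATONE\thatone;195.22.26.248;226DFCF2DDA05416CFE340C1CE62EE0B055BBF0B
05/03/2017 12:31:40;https://www.example.com/index.html;Allowed;C:\Program Files (x86)\Google\Chrome\Application\chrome.exe;THATONE\thatone;192.0.2.10;226DFCF2DDA05416CFE340C1CE62EE0B055BBF0B
05/03/2017 12:33:02;http://0123456789abcdef0123.example.net/a;Blocked by internal IP blacklist;C:\Tools\updater.exe;THATONE\thatone;198.51.100.7;
"""

# Assumed heuristic: a DNS label of 16 or more characters, all hex digits.
HEX_LABEL = re.compile(r"[0-9a-f]{16,}")

def parse_log(text):
    """Parse the semicolon-separated export into dicts keyed by column name."""
    reader = csv.DictReader(io.StringIO(text.strip()), delimiter=";",
                            quoting=csv.QUOTE_NONE)
    reader.fieldnames = [name.strip() for name in reader.fieldnames]
    return list(reader)

def hex_label_hosts(rows):
    """Return one record per row whose hostname has a hex-only label."""
    hits = []
    for row in rows:
        host = (urlsplit(row["URL"]).hostname or "").lower()
        if any(HEX_LABEL.fullmatch(label) for label in host.split(".")):
            hits.append({"time": row["Time"], "host": host,
                         "ip": row["IP address"], "status": row["Status"],
                         "app": ntpath.basename(row["Application"])})
    return hits

def by_application(hits):
    """Group flagged hosts per requesting executable."""
    grouped = defaultdict(set)
    for hit in hits:
        grouped[hit["app"]].add(hit["host"])
    return {app: sorted(hosts) for app, hosts in grouped.items()}

if __name__ == "__main__":
    flagged = hex_label_hosts(parse_log(SAMPLE_LOG))
    for app, hosts in by_application(flagged).items():
        print(app, hosts)
```
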


Hello Dal.

Please read the instructions below to download and install RogueKiller, perform a scan and attach the produced log for my review. Let me see what we can find about that in the log.

Please download RogueKiller 32/64 Bits Installer (setup.exe) by Tigzy and save it to your Desktop.

  • Right click on the file setup.exe and select Run as administrator to install the tool.
  • Click Yes to accept any security warnings that may appear.
  • Choose the installation language and click OK.
  • Checkmark "Install 32 and 64 bits versions" and click Next. Follow the steps to install the tool.
  • Now close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Right-click on the RogueKiller icon and select Run as administrator.
  • Click Yes to accept any security warnings that may appear.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • Once finished click on Open Report. It will open a new window.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.


Please attach the RKlog.txt to your next reply.

Note: Please DO NOT remove any entries it finds. They are not all bad and need to be carefully reviewed.

Thank you.


Hello Dal.

  • Close all programs and browsers.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • Re-run RogueKiller.
  • Right-click on the icon and select Run as administrator.
  • Click the Scan tab and then click the Start Scan button.
  • Wait until the scan has finished. This may take some time.
  • When the scan completes:

Checkmark (tick) the following against Registry entries and ensure that all other entries are not checkmarked.

[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2223792075-1835208526-1192499796-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2223792075-1835208526-1192499796-1001\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2223792075-1835208526-1192499796-1003\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2223792075-1835208526-1192499796-1003\Software\Microsoft\Internet Explorer\Main | Start Page : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2223792075-1835208526-1192499796-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2223792075-1835208526-1192499796-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-2223792075-1835208526-1192499796-1003\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-2223792075-1835208526-1192499796-1003\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus15.msn.com/?pc=ASTE -> Found

  • Click on Remove Selected button.
  • Click Export TXT to export the report as a text file, give a name to the file such as RKlog.txt and save it to your Desktop.
  • Close RogueKiller.

Please attach the RKlog.txt to your next reply.

Test and see if those random popups still appear.

If they do, please read the instructions in the link below and see if that can help you to solve the issue.
Fix connection errors


P.S. I will be out tomorrow, April 13th, and will be back on April 18th. Until then we will try to have someone continue working on your topic. I'm sorry for the inconvenience.


Thank you for your understanding.

Android8888

 


  • 3 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks!
