Jump to content

Suspected virus redirecting in Chrome


JC1
 Share

Recommended Posts

Chrome has been hanging lately on a relatively new computer, nothing else hangs.  I've had web pages forwarding to unexpected page (now blocked by MWbytes since installing).  It doesn't redirect every page, maybe 1 out of 10, and seems to go in spurts.  Common links are:

"d-80-live.com:55724" and "cdn.epom.com:53904" (and various other numbers at the end).

Things I have tried, in order:
-Full scan with Microsoft Security Essentials (a week or so ago, found nothing).
-CCleaner (a week or so ago, no change).
-Threat Scan with Malwarebytes (4/9, 4/15, and today, 4/17).  First time (4/9) it found a file in the Multiwinia (game I installed, legally purchased and downloaded from the developer) installation directory, "COPY_ASSIST.EXE" which MWB labels as a "Trojan.PasswordStealer".  I went ahead and deleted that file.  I did notice in the Scan Report from MWB that "Rootkits:" lists as "Disabled".  I manually ran a custom scan for rootkits in MWB just now, and did not identify any threats.
-ADWCleaner (found nothing).
-Uninstalled and reinstalled Chrome, (couple days ago, no change).
-HitmanPro (couple days ago found nothing).
-Malwarebytes (today, as mentioned above, found nothing).
-Farbar Recovery.  This throws an error (attached image) on startup, but runs anyways.  Logs are attached.

 

 

FarBar load error.PNG

FRST.txt

Addition.txt

Link to post
Share on other sites

Hello JC1 and welcome to Malwarebytes,

My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please:

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...

Open Malwarebytes, select > "settings" > "protection tab"

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Go back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply...

Next,

Download AdwCleaner by Xplode onto your Desktop.
 
  • Double click on Adwcleaner.exe to run the tool.
  • Click on the Scan in the Actions box
  • Please wait fot the scan to finish..
  • When "Waiting for action.Please uncheck elements you want to keep" shows in top line..
  • Click on the Cleaning box.
  • Next click OK on the "Closing Programs" pop up box.
  • Click OK on the Information box & again OK to allow the necessary reboot
  • After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed...


Next,

Please download Junkware Removal Tool to your desktop.
 
  • Shut down your protection software now to avoid potential conflicts. (re-enable when done)
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.


Next,

Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop

Ensure to get the correct version for your system....

32 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

64 Bit version:
https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en

Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.

Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\mrt.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Next,

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt"

Let me see those logs, also tell me if there are any remaining issues or concerns...

Thank you,

Kevin....

 

Link to post
Share on other sites

Thank you for the help.  I have performed the process below.  Unsure yet if the issue still exists as it comes/goes in spurts.  Is there anything in the logs that implies something was found and cleared?

MWB: Enabled "Rootkits" check.  "Archives" check was already enabled.
Ran scan.  No threats found, nothing quarantined.  Checked the report to confirm that everything was still enabled.  Exported log as "1-BWB log.txt"
Re-downloaded AdwCleaner from the link above.  Ran scan. "AdwCleaner found no thread on your computer!"  Did not get the message "Waiting for action......"  Clicked "Clean".  Clicked "OK" to "All programs will be closed....."  Clicked "OK" at info box.  Clicked "OK" to allow reboot.  Received "ShellHelper.exe - Application Error" on shutdown.  Image "ShutdownError.jpg" attached.  Logged back in to Win7.  AdwCleaner log "AdwCleaner[C0].txt" open on startup in Notepad.  Started AdwCleaner, Clicked "Logfile" box.  Today's log file titled "AdwCleaner[S2].txt"
Downloaded and ran "Junkware Removal Tool" from the line provided above.  Pressed any key when prompted.  Log "JRT.txt" attached.  Tool closed automatically when I closed the log file.
Downloaded 64 bit version of "Microsoft® Windows® Malicious Software Removal Tool (KB890830) x64" from the link above.  Chrome automatically downloaded to my Downloads folder, so I moved it to the desktop.  It was the only file named "Windows-KB890830-x64-V5.47.exe" in the downloads folder and the date modified matched my download time.
Realized I did not run the "Junkware Removal Tool" as administrator.  Re-ran as admin.  Pressed any key.  Saved log as "JRT2.txt"
Ran Malicious Software Removal Tool.  Clicked "Next >".  Quick scan already selected.  Clicked "Next >" to run scan.  Clicked "View detailed results of the scan." which showed a long list of "Not infected".  Clicked "Finish".  Log "mrt.txt" attached.

Re-downloaded and ran Farbar.  Received a very similar error on startup, attached as "FarbarError.png"  Log files "FRST.txt" and "Addition.txt" attached.

Of note: I normally have ports 4000 and 4001 forwarded on my router.  This is a workaround for Multiwinia (game mentioned above) with a few players.  I disabled that last night before posting the request for help and have not had issues since.  I'm not convinced that was the root cause.

*Not noted, but had to re-load Chrome to continue reading directions a few times during the process.  Did not do so while any of the above requested programs were running.
**Clicked yes to allow above mentioned programs to make changes to the computer as requested.
 

1-BWB log.txt

Addition.txt

AdwCleaner[C0].txt

AdwCleaner[S2].txt

FarbarError.PNG

FRST.txt

JRT.txt

JRT2.txt

mrt.log

ShutdownError.JPG

Edited by JC1
Link to post
Share on other sites

Logs are not indicating any obvious malware or infection, the ERUNT alert is a gliche with FRST, usually a registry backup is copied on initial run using ERUNT. I`ve seen that reported before in 2015, there was no known reason.

Can you post logs to show last 3 blocks by Malwarebytes...

Open Malwarebytes, select > Reports > then checkmark (tick) most recent "Website Block" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach to your reply...

Thank you,

Kevin...

Link to post
Share on other sites

Thanks fror those logs, it would seem the problem is with Chrome browser itself, lets go for a clean install of Chrome and see if that helps...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html

Remove all synced data from Chrome go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essntial that any/all synced data is removed when the browser is hijacked or exploited in anyway...

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Install Google Chrome :

Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb

Install DrWeb Link Ant-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en

Does that help...?
 
Thank you,
 
Kevin
Link to post
Share on other sites

Reset Chrome sync
Uninstalled Chrome, including browsing data.
Deleted folder in AppData\Local.
Re-installed Chrome.
Installed Adblock Plus extension from link above.
Installed DrWeb Link.... extension from link above.

I'll report back in a day or two if the issue is gone, or sooner if it recurs.  Thank you again for the help.

Link to post
Share on other sites

  • 2 weeks later...

What is happening JC1, if no remaining problems run the following to clean up...

Download "Delfix by Xplode" and save it to your desktop.

Or use the following if first link is down:

"Delfix link mirror"

If your security program alerts to Delfix either, accept the alert or turn your security off.

Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator

Make Sure the following items are checked:

 
  • Remove disinfection tools <----- this will remove tools we have used.
  • Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created.
  • Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection


Now click on "Run" and wait patiently until the tool has completed.

The tool will create a log when it has completed. We don't need you to post this.

Any remnant files/logs from tools we have used can be deleted…

Next,

Read the following links to fully understand PC Security and Best Practices, you may find them useful....

Answers to Common Security Questions and best Practices

Do I need a Registry Cleaner?

Take care and surf safe

Kevin... user posted image
Link to post
Share on other sites

  • 3 weeks later...
Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.