JC1 Posted April 18, 2017 ID:1118059 Share Posted April 18, 2017 Chrome has been hanging lately on a relatively new computer, nothing else hangs. I've had web pages forwarding to unexpected page (now blocked by MWbytes since installing). It doesn't redirect every page, maybe 1 out of 10, and seems to go in spurts. Common links are: "d-80-live.com:55724" and "cdn.epom.com:53904" (and various other numbers at the end). Things I have tried, in order: -Full scan with Microsoft Security Essentials (a week or so ago, found nothing). -CCleaner (a week or so ago, no change). -Threat Scan with Malwarebytes (4/9, 4/15, and today, 4/17). First time (4/9) it found a file in the Multiwinia (game I installed, legally purchased and downloaded from the developer) installation directory, "COPY_ASSIST.EXE" which MWB labels as a "Trojan.PasswordStealer". I went ahead and deleted that file. I did notice in the Scan Report from MWB that "Rootkits:" lists as "Disabled". I manually ran a custom scan for rootkits in MWB just now, and did not identify any threats. -ADWCleaner (found nothing). -Uninstalled and reinstalled Chrome, (couple days ago, no change). -HitmanPro (couple days ago found nothing). -Malwarebytes (today, as mentioned above, found nothing). -Farbar Recovery. This throws an error (attached image) on startup, but runs anyways. Logs are attached. FRST.txt Addition.txt Link to post Share on other sites More sharing options...
kevinf80 Posted April 18, 2017 ID:1118118 Share Posted April 18, 2017 Hello JC1 and welcome to Malwarebytes, My screen name is kevinf80, i`m here to help clean up your system. Make sure to run all scans from accounts with Administrator status, continue as follows please: Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good... Open Malwarebytes, select > "settings" > "protection tab" Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on.... Go back to "DashBoard" select the Blue "Scan Now" tab...... When the scan completes deal with any found entries... Then select "Export Summary" then "Text File (*.txt)" name that log and save , you can copy or attach that to your reply... Next, Download AdwCleaner by Xplode onto your Desktop. Double click on Adwcleaner.exe to run the tool. Click on the Scan in the Actions box Please wait fot the scan to finish.. When "Waiting for action.Please uncheck elements you want to keep" shows in top line.. Click on the Cleaning box. Next click OK on the "Closing Programs" pop up box. Click OK on the Information box & again OK to allow the necessary reboot After restart the AdwCleaner(C*)-Notepad log will appear, please copy/paste it in your next reply. Where * is the number relative to list of scans completed... Next, Please download Junkware Removal Tool to your desktop. Shut down your protection software now to avoid potential conflicts. (re-enable when done) Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator". The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications. On completion, a log (JRT.txt) is saved to your desktop and will automatically open. Post the contents of JRT.txt into your next message. Next, Download Microsoft's " Malicious Software Removal Tool" and save direct to the desktop Ensure to get the correct version for your system.... 32 Bit version:https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en 64 Bit version:https://www.microsoft.com/downloads/en/confirmation.aspx?FamilyId=585D2BDE-367F-495E-94E7-6349F4EFFC74&displaylang=en Right click on the Tool, select “Run as Administrator” the tool will expand to the options Window In the "Scan Type" window, select Quick Scan Perform a scan and Click Finish when the scan is done. Retrieve the MSRT log as follows, and post it in your next reply: 1) Select the Windows key and R key together to open the "Run" function 2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:notepad c:\windows\debug\mrt.log The log will include log details for each time MSRT has run, we only need the most recent log by date and time.... Next, Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt under "Optional scan" Select scan, when done post the new logs. "FRST.txt" and "Addition.txt" Let me see those logs, also tell me if there are any remaining issues or concerns... Thank you, Kevin.... Link to post Share on other sites More sharing options...
JC1 Posted April 19, 2017 Author ID:1118277 Share Posted April 19, 2017 (edited) Thank you for the help. I have performed the process below. Unsure yet if the issue still exists as it comes/goes in spurts. Is there anything in the logs that implies something was found and cleared? MWB: Enabled "Rootkits" check. "Archives" check was already enabled. Ran scan. No threats found, nothing quarantined. Checked the report to confirm that everything was still enabled. Exported log as "1-BWB log.txt" Re-downloaded AdwCleaner from the link above. Ran scan. "AdwCleaner found no thread on your computer!" Did not get the message "Waiting for action......" Clicked "Clean". Clicked "OK" to "All programs will be closed....." Clicked "OK" at info box. Clicked "OK" to allow reboot. Received "ShellHelper.exe - Application Error" on shutdown. Image "ShutdownError.jpg" attached. Logged back in to Win7. AdwCleaner log "AdwCleaner[C0].txt" open on startup in Notepad. Started AdwCleaner, Clicked "Logfile" box. Today's log file titled "AdwCleaner[S2].txt" Downloaded and ran "Junkware Removal Tool" from the line provided above. Pressed any key when prompted. Log "JRT.txt" attached. Tool closed automatically when I closed the log file. Downloaded 64 bit version of "Microsoft® Windows® Malicious Software Removal Tool (KB890830) x64" from the link above. Chrome automatically downloaded to my Downloads folder, so I moved it to the desktop. It was the only file named "Windows-KB890830-x64-V5.47.exe" in the downloads folder and the date modified matched my download time. Realized I did not run the "Junkware Removal Tool" as administrator. Re-ran as admin. Pressed any key. Saved log as "JRT2.txt" Ran Malicious Software Removal Tool. Clicked "Next >". Quick scan already selected. Clicked "Next >" to run scan. Clicked "View detailed results of the scan." which showed a long list of "Not infected". Clicked "Finish". Log "mrt.txt" attached. Re-downloaded and ran Farbar. Received a very similar error on startup, attached as "FarbarError.png" Log files "FRST.txt" and "Addition.txt" attached. Of note: I normally have ports 4000 and 4001 forwarded on my router. This is a workaround for Multiwinia (game mentioned above) with a few players. I disabled that last night before posting the request for help and have not had issues since. I'm not convinced that was the root cause. *Not noted, but had to re-load Chrome to continue reading directions a few times during the process. Did not do so while any of the above requested programs were running. **Clicked yes to allow above mentioned programs to make changes to the computer as requested. 1-BWB log.txt Addition.txt AdwCleaner[C0].txt AdwCleaner[S2].txt FRST.txt JRT.txt JRT2.txt mrt.log Edited April 19, 2017 by JC1 Link to post Share on other sites More sharing options...
kevinf80 Posted April 19, 2017 ID:1118326 Share Posted April 19, 2017 Logs are not indicating any obvious malware or infection, the ERUNT alert is a gliche with FRST, usually a registry backup is copied on initial run using ERUNT. I`ve seen that reported before in 2015, there was no known reason. Can you post logs to show last 3 blocks by Malwarebytes... Open Malwarebytes, select > Reports > then checkmark (tick) most recent "Website Block" entry > then select "View Report" > "Export" > Text File (*.txt) name and save that file to Desktop or somewhere of your choice, attach to your reply... Thank you, Kevin... Link to post Share on other sites More sharing options...
JC1 Posted April 19, 2017 Author ID:1118522 Share Posted April 19, 2017 (edited) Issue is still present. I have attached "MWB most recent log.txt", "MWB2.txt" and "MWB3.txt" MWB most recent log.txt MWB2.txt MWB3.txt Edited April 19, 2017 by JC1 Link to post Share on other sites More sharing options...
kevinf80 Posted April 20, 2017 ID:1118613 Share Posted April 20, 2017 Thanks fror those logs, it would seem the problem is with Chrome browser itself, lets go for a clean install of Chrome and see if that helps... If your Chrome Bookmarks are important do this first: Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks..... Continue for a clean install: Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html Remove all synced data from Chrome go here: https://support.google.com/chrome/answer/6386691?hl=en-GB follow those instructions... It is essntial that any/all synced data is removed when the browser is hijacked or exploited in anyway... Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!! Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata) For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/ Install Google Chrome : Install Adblock Plus to Chrome: https://chrome.google.com/webstore/detail/adblock-plus/cfhdojbkjhnklbpkdaibdccddilifddb Install DrWeb Link Ant-virus Link Checker: https://chrome.google.com/webstore/detail/drweb-anti-virus-link-che/aleggpabliehgbeagmfhnodcijcmbonb?hl=en Does that help...? Thank you, Kevin Link to post Share on other sites More sharing options...
JC1 Posted April 21, 2017 Author ID:1118826 Share Posted April 21, 2017 Reset Chrome sync Uninstalled Chrome, including browsing data. Deleted folder in AppData\Local. Re-installed Chrome. Installed Adblock Plus extension from link above. Installed DrWeb Link.... extension from link above. I'll report back in a day or two if the issue is gone, or sooner if it recurs. Thank you again for the help. Link to post Share on other sites More sharing options...
kevinf80 Posted April 21, 2017 ID:1118849 Share Posted April 21, 2017 Yes please let me know what happens, good or bad.. If all is well we still need to clean up.... Thank you, Kevin.... Link to post Share on other sites More sharing options...
kevinf80 Posted April 29, 2017 ID:1120954 Share Posted April 29, 2017 What is happening JC1, if no remaining problems run the following to clean up... Download "Delfix by Xplode" and save it to your desktop. Or use the following if first link is down:"Delfix link mirror" If your security program alerts to Delfix either, accept the alert or turn your security off. Double Click to start the program. If you are using Vista or higher, please right-click and choose run as administrator Make Sure the following items are checked: Remove disinfection tools <----- this will remove tools we have used. Purge System Restore <--- this will remove all previous and possibly exploited restore points, a new point relative to system status at present will be created. Reset system settings <--- this will reset any system settings back to default that were changed either by us during cleansing or malware/infection Now click on "Run" and wait patiently until the tool has completed. The tool will create a log when it has completed. We don't need you to post this. Any remnant files/logs from tools we have used can be deleted… Next, Read the following links to fully understand PC Security and Best Practices, you may find them useful....Answers to Common Security Questions and best PracticesDo I need a Registry Cleaner? Take care and surf safe Kevin... Link to post Share on other sites More sharing options...
JC1 Posted April 29, 2017 Author ID:1120956 Share Posted April 29, 2017 I was going to wait until the end of the weekend to post, but so far no recurrence, so it looks like I'm in the clear. Will do the above as requested. Link to post Share on other sites More sharing options...
kevinf80 Posted April 29, 2017 ID:1120957 Share Posted April 29, 2017 Thanks for the update JC1, good to hear your system is OK... Regards, Kevin.. Link to post Share on other sites More sharing options...
exile360 Posted May 21, 2017 ID:1128607 Share Posted May 21, 2017 Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you. Link to post Share on other sites More sharing options...
Recommended Posts