Jump to content

MB3 blocked Chrome from connecting to coin-hive.com (Hoverzoom extension ?)

Recommended Posts

I've just bought myself a new laptop because my last was running so slow, installed everything and after signing in to Chrome got a notification from MalwareBytes anti-malware that it's blocked a website connection to coin-hive from Chrome.

Here's the report from MalwareBytes:
-Log Details-
Protection Event Date: 16/08/2018
Protection Event Time: 18:37
Log File: a751317a-a12f-11e8-96bb-106530112b02.json
Administrator: Yes

-Software Information-
Components Version: 1.0.391
Update Package Version: 1.0.6367
Licence: Premium

-System Information-
OS: Windows 10 (Build 17134.191)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Malware
Domain: coin-hive.com
IP Address:
Port: [56571]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

I received two more within the next minute and then another about 35 mins later.

Subsequent scans with MB3 and BitDefender find nothing though. So I'm guessing it's a Chrome extension as I hadn't really browsed anything at that point. I ran the Farbar Recovery Scan Tool and couldn't see any specific or obvious problems (see attached FRST and Additions files.)
I subsequently ran RKill so I could MB3 again (both RKill and MB3 logs attached), but still nothing of any real interest. The rubyw.exe files found by RKill were a little concerning, but I also thought they may be associated with Private Internet Access.
I ran ADWCleaner though and got a very different result - see attached ADWCleaner S00 log.
ADWCleaner detects a Chrome extension: nonjdcjchghhkdoolnlbekcfllmednbl
I can't find this in my extensions though. I run a Google search and find it is Hoverzoom, which I've previously used, and has apparently been pulled from the Chrome Web Store because of malware.
1. Why didn't MB3 stop and prevent this on either this computer or my previous computer?
2. How do I clean it effectively?  After running ADWCleaner I opt for Clean and Repair (see attached clean C00 log), then Restart, but on reboot I'm getting the same symptoms.And sure enough RKill finds the rubyw files again and ADWCleaner finds Hoverzoom again (see attached ADWCleaner S01 log)..








Link to post
Share on other sites

I've attached a pic of ADWcleaner scan and log and MalwareBytes (Premium) scan.
ADWCleaner clearly shows the detections (which are not cleaned after a reboot), yet MB3 doesn't even detect them (nor did it stop them when I initially gt infected).

I've already read the sticky about "Chrome Secure Preferences detection always comes back", but that doesn't apply.
A: Chrome isn't restarted after before running a second scan with ADWCleaner (after the first scan/clean/reboot).
B: I have Chrome sync enabled, but this is an app that has been removed from the Chrome web store because it was infected, so it can't sync anyway.
C: I don't have other devices being powered on that I sync Chrome with anyway.
D: The extension ID  for the detection in ADWCleaner (nonjdcjchghhkdoolnlbekcfllmednbl) doesn't exist in my Chrome appdata amywhere.


Link to post
Share on other sites

6 hours ago, thedriver said:

I seem to have fixed this on my own after using a range of tools and Windows safe mode.

I was wrong - I have just been alerted by MalwareBytes again that it has blocked a connection from Chrome to coin-hive.com and ADWCleaner is again showing the same three detected items. Can I please have some assistance?

Link to post
Share on other sites

Thanks Ron,

I followed that (even though I initially said in my post I don't believe it applies to my situation).
It appeared to clean, however on launching Chrome, the threat has come back.
As noted MalwareBytes ONLY detects the outgoing connection to coin-hive.com, nothing more. MB3 does NOT detect any malware on my system when I run a Threat Scan.

Link to post
Share on other sites

  • Root Admin

Thank you @Aura for helping out while I was away. Sadly my vacation got canceled so I'm back now.

Okay @thedriver if the alerts don't happen in other browsers it would really point to settings in Chrome that are somehow not getting cleaned up.

Let me have you try this other method of cleaning Chrome and let me know if that fixes it or not.



Reset Chrome back to defaults to completely clear out issues with Chrome.

  • Open Chrome and at the top right, click ellipse.png.2829aeeb2aea006bc956de077091and then More tools and then Extensions
  • Write down the list of Extensions installed.
  • Next, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
  • Scroll down until you see the  reset_chrome_sync.png "reset sync" button to clear your data from the server and remove your passphrase.
  • Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
  • Press the Windows key + R at the same time, to bring up the run dialog box.
    • run_command.png
  • Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\
  1. Press Ctrl + A to select all the files and folders.
  2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
  3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
  4. Example of all files and folders selected, except Bookmarks



Restart your computer now and make sure there are no longer any redirects or other browser issues or alerts from Malwarebytes and let me know the results





Link to post
Share on other sites

  • Root Admin

Okay, sounds good. I should be around tonight a few more hours. Normally the first method cleans Chrome. If that doesn't work then I use this method which seems to fix most. I have had a few though where we ended up having to manually remove everything related to all Google software in order to fix it. Hopefully this fix here works for you and we don't have to resort to a full removal.




Link to post
Share on other sites

  • Root Admin

It's because it's not actually a typical type of threat. In most cases lately these changes are coming from simple javascript changes often by ads on websites. In many, or most cases the site hosting the Ad isn't aware that they have a bad Ad on the site. Some changes come from extensions that have been compromised. These type of things are changes to browser that are in some cases normal and allowed. To help prevent it in the future if you're going to use Chrome I would highly suggest you get a good Ad-Blocker and Script Blocker. It does impact how sites work but also prevents almost all of these type of attacks.

Popular Ad blockers for Chrome (found on the Chrome Store)
AdBlock, AdBlock Plus, uBlock Origin

Popular Script Blockers
ScriptSafe, ScriptBlock, No-Script Suite Lite


Link to post
Share on other sites

  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.