MB3 blocked Chrome from connecting to coin-hive.com (Hoverzoom extension ?)

[thedriver]

I've just bought myself a new laptop because my last was running so slow, installed everything and after signing in to Chrome got a notification from MalwareBytes anti-malware that it's blocked a website connection to coin-hive from Chrome.

Here's the report from MalwareBytes:
-Log Details-
Protection Event Date: 16/08/2018
Protection Event Time: 18:37
Log File: a751317a-a12f-11e8-96bb-106530112b02.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.391
Update Package Version: 1.0.6367
Licence: Premium

-System Information-
OS: Windows 10 (Build 17134.191)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, , Blocked, [-1], [-1],0.0.0

-Website Data-
Category: Malware
Domain: coin-hive.com
IP Address: 217.182.164.10
Port: [56571]
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

I received two more within the next minute and then another about 35 mins later.

Subsequent scans with MB3 and BitDefender find nothing though. So I'm guessing it's a Chrome extension as I hadn't really browsed anything at that point. I ran the Farbar Recovery Scan Tool and couldn't see any specific or obvious problems (see attached FRST and Additions files.)
I subsequently ran RKill so I could MB3 again (both RKill and MB3 logs attached), but still nothing of any real interest. The rubyw.exe files found by RKill were a little concerning, but I also thought they may be associated with Private Internet Access.
I ran ADWCleaner though and got a very different result - see attached ADWCleaner S00 log.
ADWCleaner detects a Chrome extension: nonjdcjchghhkdoolnlbekcfllmednbl
I can't find this in my extensions though. I run a Google search and find it is Hoverzoom, which I've previously used, and has apparently been pulled from the Chrome Web Store because of malware.
1. Why didn't MB3 stop and prevent this on either this computer or my previous computer?
2. How do I clean it effectively?  After running ADWCleaner I opt for Clean and Repair (see attached clean C00 log), then Restart, but on reboot I'm getting the same symptoms.And sure enough RKill finds the rubyw files again and ADWCleaner finds Hoverzoom again (see attached ADWCleaner S01 log)..
 

Addition.txt

FRST.txt

Rkill.txt

MB3_ThreatScan.txt

AdwCleaner[S00].txt

AdwCleaner[C00].txt

AdwCleaner[S01].txt

[thedriver]

I've attached a pic of ADWcleaner scan and log and MalwareBytes (Premium) scan.
ADWCleaner clearly shows the detections (which are not cleaned after a reboot), yet MB3 doesn't even detect them (nor did it stop them when I initially gt infected).

I've already read the sticky about "Chrome Secure Preferences detection always comes back", but that doesn't apply.
A: Chrome isn't restarted after before running a second scan with ADWCleaner (after the first scan/clean/reboot).
B: I have Chrome sync enabled, but this is an app that has been removed from the Chrome web store because it was infected, so it can't sync anyway.
C: I don't have other devices being powered on that I sync Chrome with anyway.
D: The extension ID  for the detection in ADWCleaner (nonjdcjchghhkdoolnlbekcfllmednbl) doesn't exist in my Chrome appdata amywhere.

[thedriver]

I seem to have fixed this on my own after using a range of tools and Windows safe mode.
 

[thedriver]

6 hours ago, thedriver said:

I seem to have fixed this on my own after using a range of tools and Windows safe mode.
 

I was wrong - I have just been alerted by MalwareBytes again that it has blocked a connection from Chrome to coin-hive.com and ADWCleaner is again showing the same three detected items. Can I please have some assistance?

[AdvancedSetup]

Hello @thedriver and

Let me have you follow the directions from the following topic and see if that helps.

 

Thanks

Ron

 

[thedriver]

Thanks Ron,

I followed that (even though I initially said in my post I don't believe it applies to my situation).
It appeared to clean, however on launching Chrome, the threat has come back.
As noted MalwareBytes ONLY detects the outgoing connection to coin-hive.com, nothing more. MB3 does NOT detect any malware on my system when I run a Threat Scan.
 

[thedriver]

Attached MB3 and ADWCleaner scan logs

 

AdwCleaner[S13].txt

mb3log-2018.08.23-09.57.txt

[Aura]

Hi thedriver

I'll be assisting you while Ron is out on vacation. Give me some time to review your logs and get back at you.

[Aura]

Do you get notifications from Malwarebytes when you use another web browser, such as Internet Explorer or Mozilla Firefox?

[thedriver]

Thanks Aura, very much appreciated.

I have switched to using FIrefox for the moment, but haven't received the same prompts from MalwareBytes, 

[AdvancedSetup]

Thank you @Aura for helping out while I was away. Sadly my vacation got canceled so I'm back now.

Okay @thedriver if the alerts don't happen in other browsers it would really point to settings in Chrome that are somehow not getting cleaned up.

Let me have you try this other method of cleaning Chrome and let me know if that fixes it or not.

 

 

Chrome
Reset Chrome back to defaults to completely clear out issues with Chrome.

• Open Chrome and at the top right, click  More tools  Extensions
• Write down the list of Extensions installed.
• Next, go to >> Google Sync << and sign into your account. Make sure you know your password as this will clear it from the browser.
• Scroll down until you see the   "reset sync" button to clear your data from the server and remove your passphrase.
• Now, close all Chrome windows. Chrome cannot be running for the next step. If needed, print this information or use another browser to read the information.
• Press the Windows key + R at the same time, to bring up the run dialog box.
   
  • 
     
• Type in (or copy/paste) the following and press Enter:     %localappdata%\Google\Chrome\User Data\Default\

1. Press Ctrl + A to select all the files and folders.
2. Hold down Ctrl + A and click once on the files "Bookmarks" and "Bookmarks.bak". This will unselect them.
3. With all the files selected (except for your Bookmarks), press the Delete key and click Yes to delete the files and folders.
4. Example of all files and folders selected, except Bookmarks

 

Restart your computer now and make sure there are no longer any redirects or other browser issues or alerts from Malwarebytes and let me know the results

Thanks

Ron

 

 

[thedriver]

Thanks @AdvancedSetup

I've followed those steps (although I didn't delete my favicons and Custom Dictionary files as well). Just restarting now - I'll come back when I have confirmed it is working or not.

[AdvancedSetup]

Okay, sounds good. I should be around tonight a few more hours. Normally the first method cleans Chrome. If that doesn't work then I use this method which seems to fix most. I have had a few though where we ended up having to manually remove everything related to all Google software in order to fix it. Hopefully this fix here works for you and we don't have to resort to a full removal.

Cheers

Ron

 

[thedriver]

@AdvancedSetup

Thankssssss! 

That appears to be a winner. No more notifications from MB3. 
Is there any way to offer advice why MB3 didn't block this in the first place? I've been using MalwareBytes Premium for years now and I'm really disappointed that it didn't prevent this.

[AdvancedSetup]

It's because it's not actually a typical type of threat. In most cases lately these changes are coming from simple javascript changes often by ads on websites. In many, or most cases the site hosting the Ad isn't aware that they have a bad Ad on the site. Some changes come from extensions that have been compromised. These type of things are changes to browser that are in some cases normal and allowed. To help prevent it in the future if you're going to use Chrome I would highly suggest you get a good Ad-Blocker and Script Blocker. It does impact how sites work but also prevents almost all of these type of attacks.

Popular Ad blockers for Chrome (found on the Chrome Store)
AdBlock, AdBlock Plus, uBlock Origin

Popular Script Blockers
ScriptSafe, ScriptBlock, No-Script Suite Lite

 

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread.

Thanks