Trojan on chrome.exe always comes back

Solved by Maurice Naggar

Hello


For a few days now, each time I launch the Chrome browser, Malwarebytes shows me this:

 

Malwarebytes
www.malwarebytes.com

-Log details-
Protection event date: 08/08/2020
Protection event time: 14:56
Log file: 9c5a44f6-d976-11ea-a8a5-4ccc6abd0add.json

-Software information-
Version: 4.1.2.73
Components version: 1.0.1003
Update package version: 1.0.28153
License: Premium

-System information-
Operating system: Windows 10 (Build 18362.959)
CPU: x64
File system: NTFS
User: System

-Blocked website details-
Malicious website: 1
, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe, Blocked, -1, -1, 0.0.0, ,

-Website data-
Category: Trojan
Domain: nc-ass-vip.sdv.fr
IP address: 212.95.74.75
Port: 80
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

(end)

 

Can you help me, please?

Thank you

 

 

malwarebytes.txt


  • Staff

***This is an automated reply***

Hi,

Thanks for posting in the Malwarebytes for Windows Help forum.

If you are having technical issues with our Windows product, please do the following:

Malwarebytes Support Tool - Advanced Options

This feature is designed for the following reasons:

  • For use when you are on the forums and need to provide logs for assistance
  • For use when you don't need or want to create a ticket with Malwarebytes
  • For use when you want to perform local troubleshooting on your own

How to use the Advanced Options:

  1. Download Malwarebytes Support Tool
  2. Double-click mb-support-X.X.X.XXXX.exe to run the program
    • You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
  3. Place a checkmark next to Accept License Agreement and click Next
  4. Navigate to the Advanced tab
  5. The Advanced menu page contains four categories:
    • Gather Logs: Collects troubleshooting information from the computer. As part of this process, Farbar Recovery Scan Tool (FRST) is run to perform a complete diagnosis. The information is saved to a file on the Desktop named mbst-grab-results.zip and can be added as an email attachment or uploaded to a forum post to assist with troubleshooting the issue at hand.
    • Clean: Performs an automated uninstallation of all Malwarebytes products installed to the computer and prompts to install the latest version of Malwarebytes for Windows afterwards. The Premium license key is backed up and reinstated. All user configurations and other data are removed. This process requires a reboot.
    •  Repair System: Includes various system-related repairs in case a Windows service is not functioning correctly that Malwarebytes for Windows is dependent on. It is not recommended to use any Repair System options unless instructed by a Malwarebytes Support agent.
    • Anonymously help the community by providing usage and threat statistics: Unchecking this option will prevent Malwarebytes Support Tool from sending anonymous telemetry data on usage of the program.
  6. To provide logs for review click the Gather Logs button
  7. Upon completion, click OK
  8. A file named mbst-grab-results.zip will be saved to your Desktop
  9. Please attach the file in your next reply.
  10. To uninstall all Malwarebytes Products, click the Clean button.
  11. Click the Yes button to proceed. 
  12. Save all your work and click OK when you are ready to reboot.
  13. After the reboot, you will have the option to re-install the latest version of Malwarebytes for Windows.
  14. Select Yes to install Malwarebytes.
  15. Malwarebytes for Windows will open once the installation completes successfully.


If you are having licensing issues, please do the following: 


For any of these issues:

  • Renewals
  • Refunds (including double billing)
  • Cancellations
  • Update Billing Info
  • Multiple Transactions
  • Consumer Purchases
  • Transaction Receipt

Please contact our support team at https://support.malwarebytes.com/hc/en-us/requests/new to get help

If you need help looking up your license details, please head here: Find my premium license key

 

 

Thanks in advance for your patience.

-The Malwarebytes Forum Team


Greetings,

I'm sorry you're having trouble, but we'll do our best to help.  To begin, please follow the instructions in this topic then create a new topic in our malware removal area by clicking here and a malware removal specialist will guide you in checking and cleaning your system of any threats.

I hope that the issue is resolved quickly, and if there is anything else we might help with please let us know.

Thanks


The "block" message does indicate that the Malwarebytes real-time web protection is keeping your machine safe from harm.

The display of the message should not be assumed to mean that there is an actual infection.

Any attempt to connect to nc-ass-vip.sdv.fr was stopped.


@TheChris76 I do not see that you have any other post other than this thread.

Tell me, from which launch point do you start the Chrome browser?

It may help to know that. Is it from some shortcut link on the taskbar? From a shortcut link on the Desktop? Or what else do you use to start Chrome?


Hello @Maurice Naggar I have not found the time to create a new post at the moment.

I was launching Chrome from the taskbar or the shortcut link on the desktop.

I saw the shortcut was modified, a line was added in the "target", I removed it.

I ran AdwCleaner.

I uninstalled the Chrome browser using Revo.

I uninstalled the Brave browser too.

Each time I install and launch Chrome, Malwarebytes Premium shows me the alert.

-Website data-
Category: Trojan
Domain: nc-ass-vip.sdv.fr
IP address: 212.95.74.75

Port: 80
Type: Outbound
File: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

So I should create a new post?

Excuse my English, it is not my native language.


Hello @TheChris76  

I have moved your posts about the Block issue to the sub-forum for malware-removal help.

I will work with you one on one. Just do not make any more changes on your own. Kindly wait for my reply.

If you need an online translation (when I send you a reply) you can use Google Translate https://translate.google.com

Allow me a few minutes.


  • Solution

Hello @TheChris76

This topic is only for you.   Any advice or suggestions or custom fixes are not intended for anyone else.

My name is Maurice. I will be helping and guiding you, going forward on this case.
Let me know what first name you prefer to go by.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

There are 2 suspicious shortcut links for Chrome. One is on the Desktop. The other is under c:\users\<user>\appdata

Also, the search preference for Chrome seems to be live (dot) kuaishou (dot) com

They will be removed because they have unprintable / unrecognized characters in their names and, in addition, they refer to chrome-proxy/

 

You will be able to start Chrome from the Windows menu.

It is not the case that this machine has an infection.  It is just one specific site that is being stopped.

.

Set Windows 10 to show all hidden folders. Use Option Two as in this article at Tenforums

https://www.tenforums.com/tutorials/9168-show-hidden-files-folders-drives-windows-10-a.html

.

It seems to me that you have saved the tool named FRST64 in this folder on drive J: J:\04 logiciels\adwcleaner 07-08-2020

That is important information to remember.

 

The system will be rebooted after the script has run.

.

This custom script is for  TheChris76  only / for this    machine only.

 
Close and save any open work files before starting this procedure.    This will do a Windows Restart.

I am sending a custom Fix script which is going to be used by the FRST64 tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select Save link as, and save it directly (as is) to the J:\04 logiciels\adwcleaner 07-08-2020 folder.

The tool named FRST64.exe is already in that folder.
Start Windows Explorer and then go to that folder.


RIGHT-click on FRST64 and select Run as Administrator and allow it to proceed. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click More info on that screen
and click the Run anyway button on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   


Please know this will do a Windows Restart.   Just let it do its thing.  

 

 

Fixlist.txt

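The hijack described in this thread is a launcher problem rather than a malicious binary: the Chrome shortcut on the Desktop (and a second copy under AppData, with unprintable characters in its name) had extra text appended to its "Target", so a clean chrome.exe was started with arguments that made it reach out to a proxy host. The script below is an added example, not the FRST fix script from this thread and not a Malwarebytes tool: it enumerates browser shortcuts in the places such launchers usually sit (Desktop, Start Menu, the Quick Launch / pinned taskbar folder and the rest of the Roaming AppData tree) and reports any whose target carries arguments, whose file name contains non-printable or non-ASCII characters, or whose target does not live in one of the usual install roots. The specific flag names it looks for (--proxy-server, --proxy-pac-url, --load-extension) are assumptions about what such a hijacked launcher commonly carries; the thread itself only says the shortcuts referred to chrome-proxy/. The script reports and changes nothing.

```powershell
# Added example (not from this thread or from Malwarebytes): find browser
# shortcuts whose "Target" has been tampered with, the way the Chrome links
# described above were. Read-only: it only reports what it finds.

$browserExe = '^(chrome|msedge|brave|firefox|iexplore|opera)\.exe$'
# Assumed indicators of a hijacked launcher; the thread only mentions "chrome-proxy/".
$suspiciousArgs = '--proxy-server|--proxy-pac-url|--load-extension|chrome-proxy|https?://'

# Where shortcuts are normally placed: per-user and all-users Desktop and
# Start Menu, plus Roaming AppData (which holds Quick Launch\User Pinned\TaskBar).
$roots = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    $env:APPDATA
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

# Install roots where a genuine browser executable is expected to live.
$installRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }
$installPattern = '^(' + ($installRoots -join '|') + ')\\'

$shell = New-Object -ComObject WScript.Shell

$findings = foreach ($root in $roots) {
    # -Force also lists hidden .lnk files, which is where the second copy hid.
    foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $exe = Split-Path -Path $sc.TargetPath -Leaf
        if ($exe -notmatch $browserExe) { continue }

        $reasons = @()
        # A stock browser shortcut starts the executable with no arguments at all.
        if ($sc.Arguments -and $sc.Arguments.Trim()) {
            $reasons += "arguments present: $($sc.Arguments)"
        }
        if ($sc.Arguments -match $suspiciousArgs) {
            $reasons += 'argument matches proxy / extension / URL pattern'
        }
        # Look-alike names padded with non-printable or non-ASCII characters.
        if ($lnk.Name -match '[^\x20-\x7E]') {
            $reasons += 'non-printable or non-ASCII character in file name'
        }
        if ($sc.TargetPath -notmatch $installPattern) {
            $reasons += "target outside the usual install roots: $($sc.TargetPath)"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut  = $lnk.FullName
                Target    = $sc.TargetPath
                Arguments = $sc.Arguments
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No suspicious browser shortcuts found.' }
```

Run it from an elevated PowerShell session so the all-users Desktop and Start Menu are readable. The arguments check is the important one: the browser binary itself was clean in this case, so a file scan of chrome.exe would never find anything, while a single extra switch in the launcher is enough to reproduce the outbound block every time the shortcut is used. Reinstalling the browser does not help either, as the posts above show, because the installer does not touch the tampered shortcuts.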

Bravo.   Good run.

Please do a new Scan on this machine, using Malwarebytes for Windows.

To run a Threat Scan, open Malwarebytes for Windows and click the blue Scan button.

Have patience during the run.

When the scan phase is done (if anything is found), be sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

 

Then, locate the scan run report, export a copy, and attach it to your reply.

See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

also,   Let me know the situation about the original situation with Chrome.

Sincerely.


You are very welcome.   I am glad to have helped you.     😎    🙂

I am marking the case for closure.   First, a few cleanups.

To remove the FRST64 tool and its work files, do this. Go to your J:\04 logiciels\adwcleaner 07-08-2020 folder. RIGHT-click on FRST64.exe, select RENAME, and then change it to UNINSTALL.exe.
Then run that ( double click on it)  to begin the cleanup process.

Delete mbst-grab-results.zip   on the desktop

Any other download file I had you save, you may delete.

.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Stay safe.  I wish you all the best.   😎

Sincerely,

Maurice


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 

