Multiple blocks for chrome accessing fastsearch.me, threat scan negative


Hello Tromador and welcome to Malwarebytes,

Unfortunately after a major software update the forum is suffering technical issues, one being attached logs cannot be opened. See if you can use the instructions at the following link to reset Chrome:

https://forums.malwarebytes.com/topic/258886-chrome-secure-preferences-detection-always-returns/

Thank you,

Kevin

Link to post

Thank you for the advice, I will try that next time I am at my PC. 

I also would like to advise that I can download and open the attached logs on my Android tablet no problem, though if the issue persists, I will copy/paste them in full - not ideal, but if needs must :)

Link to post

Hiya Tromador,

The issue with attachments has been corrected, I'll be checking them very shortly. The link I gave to correct Chrome will still be worth following.

Thank you,

Kevin..

Link to post
On 9/4/2020 at 12:31 AM, kevinf80 said:

Any progress..?

The problem went away for 24 hours (or I wasn't using chrome enough to notice) but was definitely happening again today. I've run the desync/resync procedure suggested and the subsequent scan was again negative. If the problem continues, I will post for further advice.

Link to post
4 hours ago, kevinf80 said:

If the issue returns I will give instructions to make a clean install of Chrome, occasionally that is the only option that works....

The issue continues - 

All we've tried is resyncing against cloud data which is generally used to stop a recurring detected problem, resyncing data which may be infected, isn't going to cure anything. Indeed, if I do a clean un/reinstall of chrome, it's possible that it will just download something back down from the cloud when I log my Google account back in. To be 100% sure, I'll need a procedure for cleaning my Google profile and also go through a stack of other devices to make sure they aren't storing that profile information either. 

That said, is there no mileage in doing some digging, clearly something has infected Chrome, something which MB is unable to detect. A clean uninstall of Chrome might well cure the problem, but we learn nothing. What we have appears to be something new, would it not be helpful to MB in general if we found the problem. I don't feel entirely comfortable with leaving it for someone else to get infected via the same vector and something more serious than MB blocking its outbound.

Link to post

Good question. I have no idea. Other than chrome I only have edge/ie installed, no idea if those would be a good metric or not. In any case, I'll run edge and let it sit in the background whilst I am doing other things. Bear in mind that with Chrome the issue is intermittent (nothing today for example) so please be patient for an update. I'll post in due course.

Link to post

While you make the test with Edge can you also run the following :-

Scan with Autoruns

Please download Sysinternals Autoruns from the following link: https://live.sysinternals.com/autoruns.exe and save it to your desktop.

Note: If using Windows Vista, Windows 7, Windows 8/8.1 or Windows 10 then you also need to do the following:
 
  • Right-click on Autoruns.exe and select Properties
  • Click on the Compatibility tab
  • Under Privilege Level check the box next to Run this program as an administrator
  • Click on Apply then click OK
     
  • Double-click Autoruns.exe to run it.
  • Once it starts, please press the Esc key on your keyboard.
  • Now that scanning is stopped, click on the Options button at the top of the program and verify that the following are checked, if they are unchecked, check them:

    Hide empty locations
    Hide Windows entries

     
  • Click on the Options button at the top of the program and select Scan Options... then in the Autoruns Scan Options dialog enable/check the following two options:

    Verify code signatures
    Check VirusTotal.com

     
  • Once that's done click the Rescan button at the bottom of the Autoruns Scan Options dialog and this will start the scan again, this time let it finish.
  • When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the file to your desktop and close Autoruns.
  • Right click on the file on your desktop that you just saved and hover your mouse over Send To and select Compressed (zipped) Folder
  • Attach the ZIP folder you just created to your next reply

 

Link to post

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks

 

Link to post

I've not yet seen this happen with Edge, though given the intermittent nature of the issue with Chrome it's hard to tell if that's conclusive.

I have also uninstalled and reinstalled Chrome, including deleting services and daily tasks, I'm not sure what your procedure is, but I'm fairly sure I cleaned it completely.

I'm attaching the autoruns log as requested. As far as I can tell it's not found anything untoward.

ORAC.zip

Link to post

Sounds like you have the exact same issue as me. On the one hand it's nice to see the issue confirmed by another user, on the other, I'm sorry to hear you have this problem too.

It's also useful to hear your experience as further evidence to rule out the problem existing in other browsers.

Like you I've not deliberately installed any fastsearch software, nor have any appearing in my programs.

It might help the staff if you followed the instructions in this link and scan with autoruns as in the post from Keith above, just possibly they show something my logs don't.

 

Link to post

Hiya Tromador,

One last search....

Run FRST one more time:

Type the following in the edit box after "Search:".

*fastsearch*

Click Search Registry button and post the log it makes (SearchReg.txt) to your reply.

(make sure to include the asterisks)


Thank you,

Kevin...

Edited by kevinf80
Link to post

I'm afraid it doesn't say much:

 

Quote

Farbar Recovery Scan Tool (x64) Version: 16-09-2020
Ran by Tromador (18-09-2020 17:50:12)
Running from D:\Download
Boot Mode: Normal

================== Search Registry: "fastsearch" ===========


====== End of Search ======

 

Link to post
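
An added example, not part of the thread and not Malwarebytes or FRST code: the search above covers the registry only, while Chrome keeps homepage, startup-URL, search-provider and extension settings in the JSON files `Preferences` and `Secure Preferences` inside the profile folder. This Python script looks for the same string there; the sample data, the extension ID, the `.example` URLs and the function names are all constructed for illustration.

```python
import json
from pathlib import Path

NEEDLE = "fastsearch"  # the string searched for in the thread
# Constructed sample in the shape of a Chrome "Preferences" file; the
# extension ID and URLs are invented for illustration.
SAMPLE_PREFS = json.loads("""
{
  "homepage": "https://www.example.com/",
  "session": {"restore_on_startup": 4,
              "startup_urls": ["https://fastsearch.example/?q="]},
  "default_search_provider_data": {"template_url_data": {
      "short_name": "Example", "url": "https://search.example.com/?q="}},
  "extensions": {"settings": {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "manifest": {"name": "Constructed Tab Helper",
                   "chrome_settings_overrides": {"search_provider": {
                       "search_url": "https://FastSearch.example/s?q="}}}}}}
}
""")

def find_needle(node, needle, path=""):
    """Return (path, value) pairs for every key or string containing needle."""
    hits, needle = [], needle.lower()
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if needle in key.lower():
                hits.append((child, "<key name>"))
            hits.extend(find_needle(value, needle, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_needle(value, needle, f"{path}[{i}]"))
    elif isinstance(node, str) and needle in node.lower():
        hits.append((path, node))
    return hits

def scan_profile(profile_dir, needle=NEEDLE):
    """Scan the JSON settings files in one Chrome profile directory."""
    results = {}
    for name in ("Preferences", "Secure Preferences"):
        file = Path(profile_dir) / name
        if file.is_file():
            data = json.loads(file.read_text(encoding="utf-8"))
            results[name] = find_needle(data, needle)
    return results

if __name__ == "__main__":
    for where, value in find_needle(SAMPLE_PREFS, NEEDLE):
        print(f"{where}: {value}")
```

On a real machine, close Chrome and pass `scan_profile` the profile directory, typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default` (assumed default location). A hit under `extensions.settings.<id>` names the extension to review in `chrome://extensions`.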
Make clean install of Google Chrome, see if that clears the issue...

If your Chrome Bookmarks are important do this first:

Go to this link: http://www.wikihow.com/Export-Bookmarks-from-Chrome follow the instructions and Export your Bookmarks from Chrome, save to your Desktop or similar. Note the instructions can also be used to Import the bookmarks.....

For your Passwords go here:

https://www.intowindows.com/how-to-backup-saved-passwords-in-google-chrome-browser/

Continue for a clean install:

Download Chrome installer and save to install later: https://www.google.com/intl/en_uk/chrome/browser/desktop/index.html https://www.google.com/intl/en_usa/chrome/browser/desktop/index.html

Next,

Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings/syncSetup hit enter...

In the new window that opens "Sync everything" will probably be selected, scroll down to and select "Managed sync data on Google Dashboard"

A new window will open, scroll down to and select "Reset Sync" that will clear synced data from Google Server...

Continue to next step to completely Uninstall Chrome....

Next.

Uninstall Chrome: https://support.google.com/chrome/answer/95319?hl=en-GB follow those instructions, ensure the option to "Also delete your browsing data" is selected. <<--- Very important!!

Navigate to C:\Users\Your user name\Appdata\Local from that folder delete the folder named Google (you will need to show hidden files/folders to see the folder Appdata)

For XP that will be My Computer > C:\ Documents and Settings\Your User Name\Application Data\Roaming

How to show hidden files and folders for windows: http://www.howtogeek.com/howto/windows-vista/show-hidden-files-and-folders-in-windows-vista/

Next,

Install Google Chrome :

Next,

Import your Bookmarks... (instructions in the first step)

Import Passwords... (instructions in second step above)

Next,

Install Malwarebytes Browser Extension (Free) https://chrome.google.com/webstore/detail/malwarebytes-browser-exte/ihcjicgdanjaechkgeegckofjjedodee

Next,

Install uBlock Origin for Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=en

Does that help...?

 

Link to post
11 minutes ago, kevinf80 said:
Open Chrome and sign into your account, open a new tab and type or copy paste chrome://settings/syncSetup hit enter...

In the new window that opens "Sync everything" will probably be selected, scroll down to and select "Managed sync data on Google Dashboard"

 

For reference, this screen was somewhat different. (Chrome Version 85.0.4183.102 (Official Build) (64-bit))
It has a separate "manage what you sync" screen, rather than a "Sync Everything" checkbox.
To reach the review page, the correct button/link is entitled "Review your synced data"

I also manually removed the google update service and google update task user jobs.

I'll let you know if I get further detections.

Link to post

For your reference, screenshot of chrome://settings/syncSetup attached, I hope that is useful.

In addition to the extensions you mentioned, I have installed LastPass, Facebook Purity and Duck Duck Go Privacy Essentials.

syncSetup.png

Link to post
This topic is now closed to further replies.