ADIOFlo Posted November 8, 2022 ID:1541110 Share Posted November 8, 2022 I use Chrome for work due to the many browser extensions I use to make my work more efficient and other browsers don't have acceptable extensions as alternatives that I know of. I have done a lot of research on these hijackers and think it is most likely that hijackers purchased an extension that I was already using for a long time and then infected my browser. The reason I say this is that I am VERY careful about installation of software (not accepting additional offers to install add-on software of apps that aren't part of original software.) I have also read on a very extensive Reddit thread a list of extensions that are known to have been purchased and then used as a way to infect users computers. An extension that I am suspicious of is one of the "New Tab" extensions, but I had used it for years without this issue and only developed the issue recently. I have disabled/removed the extension but now I need to deal with what is leftover on my system. On my Chrome browser, I use 2 different Google profiles (accounts) ... I only experience this problem on one of the profiles. The other does NOT have this problem. I have run Malwarebytes 2 times in attempt to fix this. The first run I found this with Malwarebytes ... Hijack.Host in C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS That item is now in quarantine. The second run of Malwarebytes found no additional items. Another detail is that I can't access chrome://extensions/ while using the infected profile. I can access chrome://extensions/ using my other profile. When I attempt to navigate to chrome://extensions/ using the infected Chrome profile it diverts to chrome://settings every time. Would you be willing to help me? I have the reports from both Malwarebytes and the FRST attached to post. Thank you very much. 2022-11-05_Malwarebytes 1st run_HIJACKdotHOST.txt 2022-11-05_Malwarebytes 2nd run_NONE FOUND.txt 2022-11-06_Malwarebytes report_NONE FOUND.txt 2022-11-07_Malwarebytes report_HIJACKdotHOST.txt 2022-11-08_Addition.txt 2022-11-08_FRST.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 8, 2022 ID:1541142 Share Posted November 8, 2022 Hello @ADIOFlo This pc seems to have Spybot Anti-Beacon from Safer-Networking Ltd. ( the makers of Spybot - Search & Destroy. And the Hosts file seems to report having 15657 plus-some lines. It would be of some interest to see whether having gotten the super-huge Hosts file whether it included blocks on 'telemetry'. That would account for what looks like a false-positive from Malwarebytes about Hosts. As to chrome://extensions/ that is a different matter. Allow me some time to look closer onto the Farbar FRST reports for this machine. Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 8, 2022 ID:1541146 Share Posted November 8, 2022 This Windows seems to report 2 two-many "antivirus" applications. AV: Spybot - Search and Destroy (Enabled - Up to date) {F77C7796-45C4-531E-0DAE-B4A8229B11C8} AV: Webroot SecureAnywhere (Enabled - Up to date) {EA22F846-E33A-0128-9418-185509C86920} AV: Kaspersky Total Security (Enabled) Which one of these should be the "ONE" to be the single monitor ? Which one of those is paid-for and has a current license? Beyond that, make this one adjustment for Malwarebytes trial on this box. Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center Click the Security Tab. Scroll down to "Windows Security Center" Click the selection to the left for the line "Always register Malwarebytes in the Windows Security Center". { We want that to be set as Off .... be sure that line's radio-button selection is all the way to the Left. thanks. } This will not affect any real-time protection of the trial Malwarebytes for Windows 😃. Close Malwarebytes. > Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 8, 2022 ID:1541156 Share Posted November 8, 2022 I am not seeing indications of "malware" after a review of the Farbar FRST. However, as to Chrome, I see that this Chrome has a very HUGE number of browser extensions. I do notice that this pc seems to have KASPERSKY Total Security active & seemingly the supposed "resident antivirus monitor". It seems Webroot Secureanywhere is no longer installed here. The following custom-script is just intended to check the system using Windows' SFC & DISM. To clear the browser cache area for EDGE, Chrome & Firefox. Potentially a quick scan with MS Defender. This machine seems to have Spybot Anti-Beacon, which is likely the cause to trigger a false alarm on Hosts by Malwarebytes, due to its large entry population on HOSTS. This custom script is for ADIOFlo machine only / for this machine only. Please save the (attached file named) FIXLIST.txt to the Downloads folder Fixlist.txt <<< - - - - - Please be sure to Close any open work files, documents, any apps you started yourself before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app. We will use FRST64.exe on the Downloads folder {C:\Users\Alex\Downloads\FRST64.exe } to run a custom script . The system will be rebooted after the script has run. Start the Windows Explorer and then, go to the Downloads folder. RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run. If the tool warns you the version is outdated, please download and run the updated version. IF Windows prompts you about running this, select YES to allow it to proceed. IF you get a block message from Windows about this tool...... click line More info information on that screen and click button Run anyway on next screen. on the FRST window: Click the Fix button just once, and wait. PLEASE have patience when this starts. You will see a green progress bar start. Lots of patience. Please attach the Fixlog.txt with your next reply. Link to post Share on other sites More sharing options...
ADIOFlo Posted November 9, 2022 Author ID:1541224 Share Posted November 9, 2022 Quote This Windows seems to report 2 two-many "antivirus" applications. AV: Spybot - Search and Destroy (Enabled - Up to date) {F77C7796-45C4-531E-0DAE-B4A8229B11C8} AV: Webroot SecureAnywhere (Enabled - Up to date) {EA22F846-E33A-0128-9418-185509C86920} AV: Kaspersky Total Security (Enabled) Which one of these should be the "ONE" to be the single monitor ? Which one of those is paid-for and has a current license? The active, paid-for current license is Kaspersky. For the past 2 years I had used the Webroot, but just recently noticed that it had expired so I switched to Kaspersky. I was not aware that Spybot purpose overlapped so greatly with Webroot or Kaspersky. I can remove Spybot if needed. I've looked in my apps/programs installed on machine and I don't see Webroot ... is there somewhere else I need to look to remove something associated with Webroot? I have made the adjustment to Malwarebytes with regard to NOT registering Malwarebytes with Windows Security Center as you have suggested in the quote below. I plan to upgrade to the paid version of Malwarebytes. 18 hours ago, Maurice Naggar said: Beyond that, make this one adjustment for Malwarebytes trial on this box. I will execute the instructions from your 3rd message now and reply ASAP with the Fixlog.txt file. Thank you very much for your assistance. Also, if I can get into the chrome://extensions menu I plan to remove many of the extensions, but I have been unable to do so due to that redirection issue that I mentioned where navigation to extensions results in landing on the general settings menu (i.e. chrome://extensions >> chrome://settings). Link to post Share on other sites More sharing options...
ADIOFlo Posted November 9, 2022 Author ID:1541227 Share Posted November 9, 2022 Here is the Fixlog.txt file for your review. thank you! Fixlog.txt Link to post Share on other sites More sharing options...
Maurice Naggar Posted November 9, 2022 ID:1541253 Share Posted November 9, 2022 Thank you. That is a good run. How is the situation at this point on this system ? I also would like you to do a visual check on Windows In the search box on the taskbar, type security and maintenance and then selectSecurity and Maintenance from the menu. Do a good review of the statuses of Action Center. Link to post Share on other sites More sharing options...
ADIOFlo Posted November 9, 2022 Author ID:1541264 Share Posted November 9, 2022 Well it seemed like for a while after initially running Malwarebytes and quarantining the Hijack.Host file that my Google search worked normally. (I actually need the Google search so that I can research my marketing clients SEO and help them create strategies for organic placement within the .) The part of the Google search that is important to my business and clients is that when a Google user types in a question, Google returns one top search result and then there is the "answers" accordian-style drop-down box that appears next. I help clients appear in that box and if i cant search through actual Google and see that box then I can't do my research and strategies appropriately. After running Malwarebytes this past Saturday night and Sunday, some of my searches returned properly through Google, but it appears as though the hijack has reestablished itself and is again hijacking my browser. Today when I run a search for a random question in the browser's url bar, I return a normal Google search initially (i can see the accordian "answers" box for a few seconds) but within a few seconds it changes my screen to not the standard Google format and I'm assuming it is the hijackers search made to look like a Google search to the untrained eye. Then when I run a search in the search bar that lies within the "hijacked" webpage itself I get the charmsearching.com forward hijack and redirected to Bing. I'm going to add some screenshots help communicate this. I also still have the issue where chrome://extensions quickly redirects to chrome://settings. I also notice that I only have this problem when using one of my 2 Chrome user profiles. The other one that I use works normally without hijack. Thanks again! I really appreciate your expertise on this. The 3rd attachment is what I see when I select Security and Maintenance for your review and guidance. Link to post Share on other sites More sharing options...
Solution Maurice Naggar Posted November 9, 2022 Solution ID:1541268 Share Posted November 9, 2022 What you are re-stating is that one particular Profile on the Chrome browser has issues of redirection. But your other profile is ok. In any event, checkout and do as suggested in Chrome troubleshooting posting by AdvancedSetup https://forums.malwarebytes.com/topic/258938-resetting-google-chrome-to-clear-unexpected-issues/#comment-1375917 Link to post Share on other sites More sharing options...
ADIOFlo Posted November 11, 2022 Author ID:1541436 Share Posted November 11, 2022 I will try this and report in a post. I'll save a few bookmarks and note a few extensions that I want to keep and then do this. Link to post Share on other sites More sharing options...
ADIOFlo Posted December 2, 2022 Author ID:1544079 Share Posted December 2, 2022 I think this was successful. I saved my bookmarks and then preformed the reset of the specific Chrome profile. Search is no longer being redirected to unwanted search provider. Thank you. Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 2, 2022 ID:1544138 Share Posted December 2, 2022 I am glad to have worked with you. We can proceed with cleanup of tools we used. To remove the FRST64 tool & its work files, do this. Go to your Downloads folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to UNINSTALL.exe . Then run that ( double click on it) to begin the cleanup process. Any other download file I had you download, you may delete. Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware. I am marking this case for closure. I wish you all the best. Stay safe. Sincerely. Maurice Link to post Share on other sites More sharing options...
Maurice Naggar Posted December 2, 2022 ID:1544139 Share Posted December 2, 2022 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Please review the following to help you better protect your computer and privacy Tips to help protect from infection Thank you Link to post Share on other sites More sharing options...
Recommended Posts