Possible Keylogger in My Browser

I built a new W11 computer in October in response to feedback here that I'd either have to reformat or get a new computer.

Corsair iCUE 5000x RGB Mid-Tower Case

ASUS Tuf Gaming H670 Pro Wifi D4 mobo

Intel i7-12700k CPU

XFX Speedster Swift 319 Radeon 3080 XT GC

Patriot Viper Steel 2x32GB RAM

Noctua CPU cooler & case fans

Corsair PSU & case fans

Team Group T-Create Classic 1TB SSD

Seagate 6TB HDD (backup drive)

Windows 11

Malwarebytes 4.5.19.229 & MB Browser Guard

Edge

Brave

Everything was going fine, then I installed the Capital One Shopping extension, after which I started to notice an echo effect while typing on YouTube. What I mean by this is that as I typed my characters would disappear and reappear. You can see this in my video at 25:38. It occurred on both browsers. I removed the extension and it doesn't seem to be happening anymore on Edge. But, despite removing it and every other extension other than MBG and NoScript, as well as doing a full removal of Brave (including manually deleting Brave folders that I could find), and even disabling those two extensions, it's still happening. Additionally, I recently observed it happening on a small number of other websites. MB has failed to detect any infections.

 

I did a search and found 2 extension folders that are related to shopping. Since I deleted all my other shopping extensions, and did a full uninstall and reinstall, I suspect this may be the problem but I'm not sure.
search-ms:displayname=Search%20Results%20in%20Local%20Disk%20(C%3A)&crumb=System.Generic.String%3Aextension&crumb=location:C%3A%5C\chrome-extension_gmmlpenookphoknnpfilofakghemolmg_0.indexeddb.blob

search-ms:displayname=Search%20Results%20in%20Local%20Disk%20(C%3A)&crumb=System.Generic.String%3Aextension&crumb=location:C%3A%5C\chrome-extension_gmmlpenookphoknnpfilofakghemolmg_0.indexeddb.leveldb

I've attached the relevant files from those two locations, although I had to change 4 & 7 by adding .txt as they had no extension.

 

000003.log 4.txt 7.txt


  • Root Admin

Hello @GlennM2

The type of issue you appear to be having is not something that most security software would detect as it's doing a specific job that people have requested.

We can take a look at some logs and see what we can find to undo this.

NOTE: I'm officially off work until Jan 3, 2023 but I'll try to assist you as quickly as possible

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Thank you


Hi, and thanks for taking time from your schedule to help me. I did report the potential for Capital One Shopping to be a trojan to Google Play, but I haven't heard back yet. Of course, it could be unrelated to COS. The files are attached and I'm running ESET Online Scanner. I'll let you know what it finds.

 

Addition.txt FRST.txt


  • Root Admin

[ 1 ]

Your DNS Servers: 192.168.1.1

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

[ 2 ]

Not related to your issue, but once done, these drivers should be installed so that the computer runs properly. Your ASUS Armory software can update these drivers for you.

Name: SM Bus Controller
Description: SM Bus Controller
Class Guid:
Manufacturer:
Service:
Problem: The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI Device
Description: PCI Device
Class Guid:
Manufacturer:
Service:
Problem: The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

[ 3 ]

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

BRA Notifications: Default -> hxxps://calendar.google.com

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

[ 4 ]

 

Please run the following fix

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program location:  C:\Users\reveu\Desktop\FRST64.exe

 

Please download the attached fixlist.txt file and save it to C:\Users\reveu\Desktop\
NOTE. It's important that both files, C:\Users\reveu\Desktop\FRST64.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run the Farbar program C:\Users\reveu\Desktop\FRST64.exe with Admin rights and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt)  Please attach it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed. The use of an external password manager is highly recommended instead of using your browser to store passwords.

NOTE-3: As part of this fix it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

ESET found 64 files that are copies of my OLD Geocities website and marked them all as something like ScrInject.B trojan, and deleted them. They were on my backup drive and I haven't touched or even looked at them in years, so I doubt they had anything to do with it.

I had to go to the ER last night but, before I left, I ran Farbar. Upon starting it, an error message about a specific file popped up; as I didn't have time, I didn't take a screenshot, and I can't tell you more because it restarted my computer.

Happy new year!

 

Fixlog.txt


  • Root Admin

I hope you're doing okay. If you need to rest or get further medical attention, please do. We'll be here when you get back.

The scan found and fixed some issues.

Windows Resource Protection found corrupt files and successfully repaired them.

 

When ready, please restart the computer one more time. Then get us a new set of Farbar scan logs.

Run Farbar with Admin rights and click on the SCAN button.

FRST.TXT
ADDITION.TXT

 

Thank you and if we don't hear back today, please have a Happy New Year @GlennM2

  • Root Admin

[ 1 ]

Your DNS Servers: 192.168.1.1

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

  • Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

[ 2 ]

You still have some ESET scheduled scans set. You can open Scheduled Tasks and delete them

Task: {08FA683A-4F92-48B2-ADD9-2F43ABDC2A2F} - System32\Tasks\EOSv3 Scheduler onLogOn => C:\Users\reveu\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe LOGON (No File)

Task: {EAA44E69-785A-48FD-8AEF-D8724D22DEDC} - System32\Tasks\EOSv3 Scheduler onTime => C:\Users\reveu\AppData\Local\ESET\ESETOnlineScanner\ESETOnlineScanner.exe SCHED (No File)

 

[ 3 ]

Please run the following

SecurityCheck by glax24

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

  • Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • If Microsoft SmartScreen blocks the download, click through to save the file
  • This tool is safe.   Smartscreen is overly sensitive.
  • If SmartScreen blocks the file from running click on More info and Run anyway
  • Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
  • Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
  • You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

Thank you

  1. I went into my router and typed in the first 2 IP addresses for ipv4 Static DNS 1 & 2, but I see no way to do so for ipv6. There isn't an option to switch between v4 and v6 onscreen, and when I switch on the Internet Settings tab, it has no effect on Local Network tab where DNS addresses are located. Here are the instructions to change DNS addresses on my router. Also, please note that there are 9 devices listed as being connected to my router, but 1 of them is not identifiable. I also changed the DNS settings on my computer, but not on my kids' devices or my phone. Should I also do that, or can you help me with the router, which I guess would be better?
  2. Deleted.
  3. Attached

SecurityCheck.txt


  • Root Admin

Many routers don't support IPv6 and others have strange ways of modifying it. I wouldn't worry about it.

It's possible that someone visiting the home was on the router, or possibly some phone or other device.

Unless you're having unexplained network issues or threats there is probably no reason to worry about it.

If wanted you could do a factory reset on the router, but again, probably overkill.

Having your other devices use one of the mainstream DNS providers would be recommended. But, if you have the router actually doing it then they will do it too because they're set to look at your router for the look up.

Please update, uninstall, or otherwise address the following as appropriate for your system.

 

AMD Software v.22.10.3 Warning! Download Update
Discord v.1.0.9003 Warning! Download Update
VLC media player v.3.0.16 Warning! Download Update
Zoom v.5.12.3 (9638) Warning! Download Update

 

Then check for Windows Updates and install any security updates found.

 

Let me know if there are any other issues

 

Thanks

Hi there, and thanks for your help!

Since altering the DNS settings on my router, I've noticed that my router light frequently blinks - something that normally only happens when Spectrum's service is disrupted - but my Internet connection continues to work. Should I change the settings to one of the others you listed?

I updated the 4 programs and got the latest (1 update) for Windows.

 

What would you like me to do now?

BTW, "MalwareManiac" (Hourglass next to my cursor keeps blinking off and on.) is my 13 y.o. son. I'm having him do his own work with your help so he knows how to handle it in the future. He's very smart but he's going through some puberty challenges that sometimes make it hard for him to follow instructions, so I'll be by his side guiding him gently.

3 hours ago, GlennM2 said:

Since altering the DNS settings on my router, I've noticed that my router light frequently blinks - something that normally only happens when Spectrum's service is disrupted - but my Internet connection continues to work. Should I change the settings to one of the others you listed?

It's still occurring, even though I've restarted my computer.


  • Root Admin

Make sure you did not change a setting on the router that may have been pointing back to Spectrum's service.

You can try another DNS provider.

Do you notice any drop or any lag due to the change? Normally speed is often faster for most users.

 

Try putting back the old settings you had and see if that makes any change.

 

The following site can do a generic, basic test.

https://www.speedtest.net/

I only changed the two Static DNS settings, which were all 0s, so I don't think that's it. I didn't notice any changes to service. Speed test was normal. I'm testing a different pair of IPs now.

Please note that the problem with the echo/keylogging continues. It just occurred to me that I probably did something wrong with the fixlist last time (like not using admin rights or not turning off MBAM), so I've rerun it. Here is the log.

Fixlog.txt


The problem I came here for - the apparent keylogging, that is shown in my video, where every character I type disappears and reappears.

FYI, since switching my DNS off of DNSWatch, the blinking light syndrome has stopped, but the speed has decreased on OpenDNS. Trying another.


  • Root Admin

Well, to be honest and apologize, I did not watch your entire video as it is 32 minutes long. I went ahead and did some scrubbing type watching of the video where you finally start to discuss the issue about 3/4 the way into the video.

Now, that said. A few observations, ideas, etc.

  • Brave, MS Edge, Google Chrome are all based on the same Chromium browser. They all take the base program and tweak it.
  • All content blockers (Malwarebytes Browser Guard, uBlock Origin, NoScript, Ad Block Plus, etc.) recommend that you do not use other content blockers with their application as it may interfere and produce unexpected or even undesirable effects
  • Application debugging is an art and specific type of security operation that is well beyond the scope of most malware detection and removal sites. Google, Apple, Microsoft, etc. all have dedicated teams that review and look for security issues in plugins just like this. I would recommend looking for the correct teams and try to submit a report with them. I'm sorry, but we don't have anyone I'm aware of that does application debugging as it is time consuming and would have little return on investment. Each of the App Stores have over two million apps each so I'm sure you can see the time and effort involved in debugging apps.
  • Perhaps try a new, fresh install of Firefox with no other type of extensions and see if it too behaves that way. But, run Firefox for a good day to make sure you know how it feels before adding the extension.

 

Capital One does bug the heck out of you to try the plugin but my own personal preference is security and privacy over a few dollars so I have not and will not install any "coupon" style plugins into any of my computers. That is a personal choice.

I would seriously doubt that Capital One would jeopardize their reputation on any plugin that was doing something illegal or under handed.

 

As for DNS Speed checking you could possibly use a site like this:  https://www.dnsperf.com/dns-speed-benchmark

But I would be a bit more concerned about using a known, secure DNS site rather than just someone offering DNS that might have a corrupted, polluted, or custom curtailed DNS.
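The reply above recommends a clean-profile comparison. The probe below, an added example that is not from the thread, from Malwarebytes or from the extension's authors, makes that comparison measurable for the "characters disappear and reappear" symptom: it records every value the field reaches through the user's own `input` events and, separately, every value seen by a MutationObserver and a 100 ms poll. An observed value that differs from the last user-produced value was written by something other than the keystrokes, either a content script or the page's own framework re-rendering the field; the same probe run in a clean profile tells the two apart. The trace format, the function names and the two sample traces are all constructed for this example; the browser-side part assumes it is pasted into the DevTools console on the affected page with the comment box focused.

```javascript
// Added example (not from the thread): separate the user's keystrokes from
// anything else that rewrites a text field. Pure classifier first, so it can be
// exercised under Node on recorded traces; browser hooks below it.
'use strict';

// trace entries: { t: ms, src: 'input' | 'observe', value: string }
//   'input'   = value right after a user-generated input event
//   'observe' = value seen by a MutationObserver callback or a periodic poll
function findExternalMutations(trace) {
  const ordered = [...trace].sort((a, b) => a.t - b.t);
  const found = [];
  let typed = '';                          // last value produced by the user's own typing
  for (const r of ordered) {
    if (r.src === 'input') { typed = r.value; continue; }
    if (r.value !== typed) {
      // field holds text the user did not type: an external edit
      found.push({ t: r.t, observed: r.value, expected: typed, restored: false });
    } else {
      const last = found[found.length - 1];
      // the typed text came back without the user retyping it (the "echo")
      if (last && !last.restored && last.expected === typed) last.restored = true;
    }
  }
  return found;
}

// Browser side. Assumes `el` is an <input>, <textarea> or contenteditable
// element (YouTube's comment box is the latter) and that this runs in DevTools.
let probe = null;
function startProbe(el = document.activeElement) {
  const trace = [];
  const read = () => ('value' in el ? el.value : el.textContent);
  const record = src => trace.push({ t: performance.now(), src, value: read() });
  el.addEventListener('input', () => record('input'));
  const mo = new MutationObserver(() => record('observe'));
  mo.observe(el, { childList: true, characterData: true, subtree: true, attributes: true });
  // script writes to <input>/<textarea>.value produce no mutation records, so poll as well
  const timer = setInterval(() => record('observe'), 100);
  probe = {
    trace,
    stop() { clearInterval(timer); mo.disconnect(); return findExternalMutations(trace); },
  };
  return probe;
}
function stopProbe() { return probe ? probe.stop() : []; }

// Constructed sample traces (not real captures). In SAMPLE_ECHO the user types
// "hello"; 250 ms later the field is seen holding "hel" with no input event,
// then "hello" again: one external edit, later restored.
const SAMPLE_ECHO = [
  { t: 0,   src: 'input',   value: 'h' },
  { t: 120, src: 'input',   value: 'he' },
  { t: 130, src: 'observe', value: 'he' },
  { t: 240, src: 'input',   value: 'hel' },
  { t: 360, src: 'input',   value: 'hell' },
  { t: 480, src: 'input',   value: 'hello' },
  { t: 500, src: 'observe', value: 'hello' },
  { t: 730, src: 'observe', value: 'hel' },    // characters vanished
  { t: 830, src: 'observe', value: 'hello' },  // and came back
];
const SAMPLE_CLEAN = SAMPLE_ECHO.filter(r => r.t < 700);

if (typeof document === 'undefined') {   // under Node: run the classifier on the samples
  console.log('echo trace :', JSON.stringify(findExternalMutations(SAMPLE_ECHO)));
  console.log('clean trace:', JSON.stringify(findExternalMutations(SAMPLE_CLEAN)));
}
```

In the browser, focus the comment box, run `startProbe()`, type for a minute, then `stopProbe()`; do it once in a fresh profile with no extensions and once with the suspect extension enabled. A non-empty report in both runs points at the page itself re-rendering the field; a report that appears only with the extension enabled shows the extension is rewriting the field, which still says nothing about whether the text leaves the machine. That question is answered by the extension's network traffic in the DevTools Network panel, not by this probe.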

It seems as if you're suggesting that you're not going to do anything further to try and locate and remove the source of whatever is causing the phenomenon I described. Is that true?

 

I understand what you've said about content blockers. Although the problem I'm having seems to have coincided with the installation of COS, that doesn't mean it IS from it. Although I've used MBG and NS together for years, and never had any trouble, it's always possible that one or the other, or Chromium, had something changed that would cause a problem, but Chromium would be the main suspect since I no longer have MBG on Edge. Does that mean that what I'm observing on YouTube and a few other sites is caused by that? Maybe, but it still could be a keylogger or something else, right?

 

Capital One bought the extension from another company, and I don't know who maintains it. The fact that the problem disappeared for a while on Edge after removing COS, and only just resurfaced now as I'm typing (and testing Edge again) suggests that it came from COS, but it could be something on my computer, not my browser. However, the only extension on there is NoScript. Is a weakness in an extension being exploited? Is Edge more secure than Chromium? After removing COS, I didn't try a fresh reinstall of Edge or try to wipe out folders where the COS extension resides. But, then, reinstalling Brave and deleting all of the old files didn't make a difference...



What about the extension folders I mentioned before and the files I uploaded? Should I delete them?



I am now testing with Firefox as you suggested. So far, nothing has happened, but I've not installed any extensions, either.


  • Root Admin

It's not that I don't want to help you. It's the fact that if it is truly the Capital One plugin I cannot help you. I am not a programmer. That would require a programmer with extensive knowledge in multiple different programming languages.

I'm trying to point out that your methodology is not clean enough to say that Capital One is the root cause and a more strict method would be required.

I can attempt to do so in a Virtual Machine but that may be a couple days as I have many tickets to catch up on due to the holidays.

It's also difficult to believe that if it is as you say that you're the only one seeing or reporting it as the plugin has to have thousands of users.

I understand what you're saying but I have already suggested that it may not be COS. Do you have any other tricks up your sleeve to identify and isolate the source of the problem?

If you are willing to use a VM when you have time, that would be fine. I don't mind waiting. Or, if you want to point me in the right direction of a suitable free VM and how I can do what you're talking about, I'll be happy to learn how.


  • Root Admin

Install one of them. Then install Windows 10 from an ISO image.

For now just use a trial of Windows

https://www.microsoft.com/en-us/software-download/windows10ISO

Then check for Windows updates and make sure all is working properly after a couple of reboots.

Then, if all is working well and you're not seeing this echo issue on the MS Edge browser, install the Capital One extension and see if it now has the issue.

This topic is now closed to further replies.