Jump to content

Strange file downloaded when starting chrome


Recommended Posts

Hello,

Almost every time I open Chrome it seems that a file is downloaded and the antivirus shows me the following message: "no detected risks in e36a2da7-4056-4bd3..." (see image. the name of the file changes):

Although it seems that the antivirus does not recognize that it is a virus, I have the idea that the infected computer could be and that this file is some type of information about the login that is downloaded. The funny thing (and what worries me) is that this file does not appear in the download folder. 

What do you think it may be??  Any ideas?

Could it be, as I say, some type of "background" download of information that a malware is collecting?

Thank you

fab952573342abdd34d7f3bb4b43877195242354.png

Edited by AdvancedSetup
Corrected font issue
Link to post
Share on other sites

  • Root Admin

Hello  and  :welcome:     @Sukimal

 

NOTE: It is quite late for me so I'm heading out but please read and follow the directions below and I'll check back on you again tomorrow.

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

  • Please follow all steps in the provided order and post back all requested logs
  • Please attach all log files to your post, unless otherwise requested
  • Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
  • Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
  • Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
  • Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
  • Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
  • Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
  • Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
  • If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

 

 

Please temporarily disable your antivirus real-time protection and run the following.

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.

 

Spoiler
 
 
 
 
Spoiler

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

image.png

image.png

image.png

 



STEP 01

  • If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed make sure you have it quarantine any detections it finds.
  • If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Double-click to run the program
  • Accept the End User License Agreement.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, if items are found please click Quarantine.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens, click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
  • Please attach the Additions.txt log to your reply as well.
  • On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

Link to post
Share on other sites

I attach the reports... BUT....

at the end of the Malwarebytes scan I saw something that really caught my attention:

The Log file is named the same (or with the same structure) as the suspicious file that is downloaded from Chrome!!! (see image).

At this point I realise that I use "Malware bytes browser guard" as a Chrome extension.

Is not that file that is downloaded from chrome (and that my antivirus detects and analyzes) generated by the extension of Chorme "Malware bytes browser guard"?

Captura de pantalla 2023-03-02 121437.png

Addition.txt AdwCleaner[C00].txt FRST.txt malwarebytes_analysis.txt

Link to post
Share on other sites

  • Root Admin

The file name entries you show are not the same. I'm not saying there is or is not an issue. It could be that Trend Micro doesn't like something there.

It could be an extension conflict or anomaly or perhaps Google Chrome needs cleaning?

 

Please run the following fix. Temporarily disable your Trend Micro real-time protection while the fix runs.

 

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRST64.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\ant_g\Downloads\

NOTE. It's important that both files, FRST64.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

 

 

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

 

  1. NOTE:  This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed in most, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

 

Link to post
Share on other sites

On 3/2/2023 at 10:32 PM, AdvancedSetup said:

The file name entries you show are not the same.

Obviously the file names are not the same, but thanks for the clarification ;-) In fact, in my post I indicated that I was referring to the structure of the name.

In fact, the file name varies. The image is just an example. Just like the Malwarebytes log reports also change their name from one to another, but the structure remains the same.

At this point, it is very striking that they have EXACTLY THE SAME STRUCTURE TYPE XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.... (8-4-4-4-12) where X are letters and numbers, but the structure of 8 characters, hyphen, 4 characters, hyphen, 4 characters, hyphen, 4 characters, hyphen and finally 12 characters is maintained.

This makes me seriously wonder: 
does the Malwarebytes Chrome extension also use this system of encoding files (perhaps to save reports or to download updates...) as does the Malwarebytes program for Windows? 

If so, it would be the cause of the suspicious file that Trend Micro detects and scans.

 

Captura de pantalla 2023-03-04 120202.png

Link to post
Share on other sites

  • Root Admin

Let's try a couple other AV scanners to double-check and make sure nothing bad.

 

[ 1 ]

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

 

[ 2 ]

Please run the following ESET Online Scanner and perform a Full Scan

 

Click the following link to save the installer for ESET Online Scanner

https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

  • It will start a download of "esetonlinescanner.exe"
  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get started. 
  • When presented with the initial ESET screen, click on "Get Started". Read and accept the Terms of use
  • On the "Before we start..." screen chose if you want to send anonymous data and if you want to provide feedback or not, then click Continue
  • When prompted for scan type, Click on the Full Scan button
  • Enable  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click the Start scan button.
  • Have patience.  The entire process may take a few hours or more.
  • When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
  • Click The blue “Save scan log” to save the log and give it a name and location you remember.
  • If something was removed and you know it is a false postive, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
  • Press Continue when all done.  You should click to turn off the offer for “periodic scanning”.
  • Enable "Delete application data on closing" - You do not need to submit feedback unless you want to. Simply ignore and close the program.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

Please attach the ESET scan log you saved at the end to your next reply

 

 

 

Thanks

 

Link to post
Share on other sites

Thank you.

1. Microsoft Safety Scanner gives error

(I follow instructions, but the error code wasnt in the list)

---------------------------------------------------------------------------------------
Microsoft Safety Scanner v1.383, (build 1.383.1738.0)
Started On Mon Mar 13 18:48:12 2023

Failed to submit MAPS report: 0x80510002
Failed to submit clean hearbeat MAPS report: 0x80510002

Exception Caught: 0x8050800C
Microsoft Safety Scanner Finished On Mon Mar 13 18:48:30 2023

Return code: 1 (0x1)

2- eset online scanner

(attached)

 

 

 

image.png

eset scan log.txt

Link to post
Share on other sites

  • Root Admin

Yes, unfortunately Microsoft is having issues with their scanner at the moment.

Please try running this one instead. @Sukimal

 

 

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the  image.png  Windows Key and R Key together, the "Run" box should open.

user posted image

Drag and Drop KVRT.exe into the Run Box.

user posted image

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

image.png

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.
 
image.png


That addendum to the run command is very important, when the scan does eventually complete the resultant report is normally encrypted, with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20210123_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

image.png

In the new window select "Change Parameters"

image.png

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

user posted image

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

user posted image

When complete, or if nothing was found select "Close"

image.png

Attach the report information as previously instructed...
 
Thank you
 
 

 

 

Link to post
Share on other sites

Thank you.

Kaspersky Virus Removal Tool report:

<Report>
    <Metadata Version="1" PCID="{1B8868C0-3C4C-B7E3-0DC9-DA8040398FD4}" LastModification="2023.03.17 09:19:09.213" />
    <EventBlocks>
        <Block0 Type="Scan" Processed="5661594" Found="2" Neutralized="1">
            <Event0 Action="Scan" Time="133234570464110989" Object="" Info="Started" />
            <Event1 Action="Detect" Time="133234603706091748" Object="C:\Users\AGUM\Downloads\soft.trator.2023.systemtutos.com\soft.trator.2023.v27.1.1.196.exe" Info="not-a-virus:HEUR:AdWare.NSIS.AdPack.gen" />
            <Event2 Action="Scan" Time="133234707917356226" Object="" Info="Finished" />
            <Event3 Action="Select action" Time="133235147220082858" Object="C:\Users\AGUM\Downloads\soft.trator.2023.systemtutos.com\soft.trator.2023.v27.1.1.196.exe" Info="Delete" />
            <Event4 Action="Disinfection" Time="133235147220082858" Object="" Info="Started" />
            <Event5 Action="Quarantined" Time="133235147220082858" Object="C:\Users\AGUM\Downloads\soft.trator.2023.systemtutos.com\soft.trator.2023.v27.1.1.196.exe" Info="" />
            <Event6 Action="Deleted" Time="133235147220082858" Object="C:\Users\AGUM\Downloads\soft.trator.2023.systemtutos.com\soft.trator.2023.v27.1.1.196.exe" Info="" />
            <Event7 Action="Disinfection" Time="133235147222644557" Object="" Info="Finished" />
        </Block0>
    </EventBlocks>
</Report>

 

 

 

 

Link to post
Share on other sites

  • Root Admin

The download from Microsoft should be working now. Please run the following @Sukimal

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
  • The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

Link to post
Share on other sites

  • 2 weeks later...

Thanks

most of the detections are about old programs stored (not installed) on some hard disks and cloud disks:

 

    file://C:\Program Files (x86)\DVDVideoSoft\Free Screen Video Recorder\FreeScreenVideoRecorder.exe
        SigSeq: 0x00001667405F1B4F
    file://C:\Program Files (x86)\DVDVideoSoft\Free Audio Converter\FreeAudioConverter.exe
        SigSeq: 0x0000166727232B21
    containerfile://M:\_Software_\APP\FreeStudio\FreeStudio_6.7.2.909_d.exe
    containerfile://M:\_Software_\APP\FreeStudio\FreeStudio_6.7.1.316_d.exe
Threat Detected: HackTool:Win32/Patcher and Removed!
  Action: Remove, Result: 0x00000000
    file://C:\Users\and\OneDrive - UNF\_APP\Afobe CC2018 64.zip->AICC2018.64-PVP/Patch (PainteR)/amtemu.v0.9.2.win-painter/amtemu.v0.9.2-painter.exe
        SigSeq: 0x000016678CC0D539
    file://C:\Users\and\OneDrive - UNF\_APP\Afobe CC2018 64.zip->AICC2018.64-PVP/Patch (PainteR)/amtemu.v0.9.2.win-painter.zip->amtemu.v0.9.2-painter.exe
        SigSeq: 0x000016678CC0D539
    containerfile://C:\Users\ant\OneDrive\_APP\Afobe CC2018 64.zip
Threat Detected: TrojanDownloader:Win32/Banload, partially removed.
  Operation failed. Action: Remove, Result: 0x8007045D. Please use a full antivirus product ! ! 
    file://G:\Mi unidad\WWW\AMS\_WWWAms.com 2016\Prestashop\emagicone-store-manager-for-prestashop-professional-edition-290-build-702[incl]_crack.zip->lib/aes10.dll
        SigSeq: 0x00001667C0793422
    file://C:\Users\and\AppData\Local\Google\DriveFS\114215225277070100579\content_cache\d32\d73\66362->lib/aes10.dll
        SigSeq: 0x00001667C0793422
    containerfile://G:\Mi unidad\WWW\AMS\_WWWAms.com 2016\Prestashop\emagicone-store-manager-for-prestashop-professional-edition-290-build-702[incl]_crack.zip
    containerfile://C:\Users\and\AppData\Local\Google\DriveFS\114215225277070100579\content_cache\d32\d73\66362
Threat Detected: Adware:Win32/Tnega!MSR and Removed!
  Action: Remove, Result: 0x00000000
    file://G:\Mi unidad\_APP DRIVERS\_actuales\FreeStudio PREMIUM PAGO\FreeDVDVideoConverter_2.0.65.823_d.exe
        SigSeq: 0x0000166738DC55B9
    file://C:\Users\and\AppData\Local\Google\DriveFS\114215225277070100579\content_cache\d50\d97\52645
        SigSeq: 0x0000166738DC55B9
Threat Detected: HackTool:Win32/Keygen and Removed!
  Action: Remove, Result: 0x00000000
    file://C:\Users\and\OneDrive - UNF\_APP\Afobe CC2018 64.zip->AICC2018.64-PVP/Patch (PainteR)/adobe.snr.patch.v2.0-painter.zip->adobe.snr.patch.v2.0-painter.exe
        SigSeq: 0x000016678A0F1E58
    containerfile://C:\Users\and\OneDrive - UNF\_APP\Afobe CC2018 64.zip

Results Summary:
----------------
Found Misleading:Win32/Lodi and Removed!
Found HackTool:Win32/Patcher and Removed!
Found TrojanDownloader:Win32/Banload, partially removed.
Found Adware:Win32/Tnega!MSR and Removed!
Found HackTool:Win32/Keygen and Removed!
Successfully Submitted MAPS Report
Successfully Submitted Heartbeat Report
Microsoft Safety Scanner Finished On Wed Mar 29 16:59:19 2023


Return code: 7 (0x7)
 

 

 

 

 

Link to post
Share on other sites

  • 1 month later...
  • Root Admin

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.