Detections for Trojan.ChromeHijacker.D this morning

[Zero2203]

Hi, my Malwarebytes ran a scan this morning and I was surprised to see 22 detections and quarantines.

They were all related to Trojan.ChromeHijacker.D and I have provided a .txt of the scan results. Back on the 19th I had a critical security alert when trying to log-in to my Google account on Chrome, so that might have been related to this. I did run a scan that day and didn't find anything related to Chrome then, however.

I have a few ideas what might have caused them.

The first is a program called Cold Turkey, which has an add-on for Chrome. I've used it for many years without issue, although I noticed last December or so it stopped working altogether. I suspect my Malwarebytes or ESET eventually updated enough to make it stop working. I have several Chrome profiles, one for general browsing, one for school, one for foreign languages, etc. and I noticed in the .txt that it listed six separate profiles. Since the Cold Turkey add-on wants to be on each Chrome profile, it makes sense that the installations for each profile could have caused the detections.

The second could be related to some foreign language support add-ons I have installed recently. On my language profile I have added some add-ons although they are only on that profile and I don't think that explains why it was detected on several different profiles.

I also tried to download the support tool in advance to get the log for you guys but I do need a support ticket to grab anything specific sorry.

Thanks for your time and assistance. I am curious as to where I got the infection from since it doesn't happen often.

scan.txt

[Porthos]

2 minutes ago, Zero2203 said:

I also tried to download the support tool in advance to get the log for you guys but I do need a support ticket to grab anything specific sorry.

You do not need a support ticket.

Please do the following so that we may take a closer look at your installation for troubleshooting:

NOTE: The tools and the information obtained is safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

 

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to your desktop, please upload that file on your next reply

Thanks

[AdvancedSetup]

Please post back the logs as requested @Zero2203 and we'll be happy to assist you

 

[Zero2203]

Here's the .zip

mbst-grab-results.zip

[AdvancedSetup]

This looks to be a bad extension

CHR Extension: (Application Launcher For Drive (by Google)) - C:\Users\brian\AppData\Local\Google\Chrome\User Data\Profile 12\Extensions\lmjegmlicamnimmfhcmpkclmigmmcbeh [2023-06-23]

Please uninstall that extension in all of your Google Chrome profiles.

 

You also have Push Notifications enabled. They can be helpful but can also be annoying or possibly harmful by tricking you into doing something you didn't mean to do on the computer.

 

 

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

 

You also have these other security products listed as installed but I don't think they are anymore

AV: Norton Security Ultra (Disabled - Out of date) {1122B19A-E671-38EC-8EAC-87048FD4528D}
AV: Norton Security Ultra (Disabled - Out of date) {9E3FD331-C4C2-7AC4-0537-131EEF1B1F8A}
FW: Norton Security Ultra (Disabled) {A6045214-8EAD-7B9C-2E68-BA2B11C858F1}
FW: Norton Security Ultra (Disabled) {291930BF-AC1E-39B4-A5F3-2E31710715F6}

 

 

[AdvancedSetup]

Once you've removed the Google Chrome extension, please do the following @Zero2203

 

Let's go ahead and run a couple of scans and get some updated logs from your system.

Please make the following changes.

 

• Temporarily disable your antivirus real-time protection or other security software first. Make sure to turn it back on once the scans are completed.
• Temporarily disable Microsoft SmartScreen to download software below only if needed. Make sure to turn it back on once the scans are completed.
• Disable-Fast-Startup
• Show-Hidden-Folders-Files-Extensions

 

Next, run these steps and post back the logs as an attachment when ready.

[ 1 ]

Malwarebytes for Windows

• If you already have Malwarebytes installed then open Malwarebytes and click on the small gear icon, then click on the "Check for updates" button on the General tab.
• After any updates, click the middle Scan button from the main page. It will automatically run a Threat Scan.
• If you don't have Malwarebytes installed yet please download it from here and install it.
• Once installed then open Malwarebytes and select Scan and let it run.
• Once the scan is completed, make sure you have it quarantine any detections it finds.
• If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let us know in your next reply that the scanner would not run.

[ 2 ]

Malwarebytes AdwCleaner

• Please download Malwarebytes AdwCleaner and save the file to your Desktop or Downloads folder.
• Double-click to run the program - Malwarebytes AdwCleaner guide
• Accept the End User License Agreement.
• Wait until the database is updated.
• Click Scan Now.
• When finished, if items are found please click Quarantine to finish the cleaning process.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Attach that log to your next reply.
   
• If No Detections are found, Click Skip Basic Repair
  
  WARNING: Do Not click the Run Basic Repair button unless instructed to by a Malwarebytes support agent or authorized helper

 

RESTART THE COMPUTER Before running Step 3

[ 3 ]

Gather MBST Logs

Please do the following so that we may take a closer look at your system for any possible infections.

NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer, please allow the programs to run if blocked by your system.

• Download the Malwarebytes Support Tool
• In your Downloads folder, open the mb-support-x.x.x.xxx.exe file
• In the User Account Control pop-up window, click Yes to continue the installation
• Run the MBST Support Tool
• In the left navigation pane of the Malwarebytes Support Tool, click Advanced
• In the Advanced Options, click Gather Logs. A status diagram displays the tool is Getting logs from your machine
• A zip file named mbst-grab-results.zip will be saved to the Public desktop, please upload that file on your next reply
  
  WARNING: Do Not click the Repair System under Advanced unless requested to by a Malwarebytes support agent or authorized helper

 

Thank you

 

[Zero2203]

Thanks for the heads up on that. I went to check my extensions but the extensions page didn't want to load on any Chrome instance so I had to restart my computer. I noticed that it wouldn't restart without a forced shutdown of a process I didn't catch the name of.

I remember now, I saw that add-on recently.

This popped up on my main Chrome profile but I clicked Remove from Chrome since it wasn't something I remembered wanting.

I checked each of my chrome profiles:

1. Main: Not present, not prompted to install.
2. Secondary: Present, uninstalled. Unusual since I never use this profile except for very private things.

3. School, had the same icon as 4 and uninstalled.
4. Languages, present and uninstalled. This time the icon looked official but I removed it anyway:

4. Had the same application launcher above and removed.
5. Freelancing, this is the one I got the message saying it was added and I clicked remove. I click extensions now and the tab won't load.
6. Had the same as 3 and 4, removed.
7. Had the same as 2. I noticed it still had the Cold Turkey addon too.


For Push Notifications, my settings didn't look exactly like in the first link but I did set it to this.


I'm going to do part 2 of the instructions next since I noticed Chrome is lagging out on the extensions and settings again and I'm going to restart the PC.

[AdvancedSetup]

We have an in-depth article on cleaning up Google Chrome but many people have so much invested in their browsers and settings they rarely want to go to such lengths.

If you do decide that Chrome just will not play right, please have a look at the following.

 

 

Please follow the directions from the following topic for a more extensive article on cleaning Google Chrome if needed.

Resetting Google Chrome to clear unexpected issues
 

Thank you

 

[AdvancedSetup]

Hello @Zero2203

How are things going? Please post a status update when you have a moment.

Thanks

 

[Zero2203]

Hi, sorry for the delay.

I think I figured out how that google drive got installed on my chrome profiles. I realized the only other thing that has access to all those chrome profiles is my phone, and I recently installed an app through github called 

https://github.com/lrorpilla/jidoujisho

 for language learning. This is the only thing new I did recently on it, and the app isn't installed through the play store so you have to give it permission to be installed. The chrome profiles the malware add-on was installed on were the same as the ones on the phone and excluded some profiles I never added.

I have this mbst zip from the 23rd, so I think this is after I scanned everything that day. If not, I can do a newer one.

mbst-grab-results.zip

Edited July 16 by AdvancedSetup
Disable hyperlink

[AdvancedSetup]

Sorry for the delay @Zero2203

I didn't notice you had replied.

 

If you still need help, please run the following scanner.

 

 

Microsoft Safety Scanner

Please make sure you Exit out of any other program you might have open so that the sole task is to run the following scan.   
That goes especially for web browsers, make sure all are fully exited out of and messenger programs are exited and closed as well
 

STEP 1

Please set File Explorer to SHOW ALL folders, all files, including hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

STEP 2

I suggest a new scan for viruses & other malware. This may take several hours, depending on the number of files on the system and the speed of the computer.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on the Scan Options & select the FULL scan.

Then start the scan. Have lots of patience. It may take several hours.

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on the screen display.  The only things that count are the End result at the end of the run.
• The scan will take several hours.  Leave it alone. It will remove any other remaining threats as it goes along.  Take a very long break, do your normal personal errands .....just do not use the computer during this scan.

This is likely to run for many hours as previously mentioned  ( depending on the number of files on your machine & the speed of the hardware.)

The log is named MSERT.log  and the log will be at C:\Windows\debug\msert.log

Please attach that log with your next reply.

 

It is normal for the Microsoft Safety Scanner to show detections during the scan process.

It is scanning for basically all bread crumbs or traces of files and registry entries that "might" be or have been part of some infection or previous infection.

That DOES NOT mean the computer is infected. Once the scan has been completed it uploads the log to their Cloud service which then uses Artificial Intelligence to determine if in fact any of the traces are an infection or not.

Then it writes into the log on your computer what it found.

 

Thank you

 

[AdvancedSetup]

Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Tips to help protect from infection

Thanks