
Interesting Case

2 replies to this topic

#1 studenthub


  • Members
  • 6 posts
  • Local time:02:54 AM

Posted 10 July 2014 - 11:15 AM

Hey everyone,

I am a technician that works for an institution providing walk-up computer repair (mostly virus removal), and I have had 2 interesting cases that have stumped me.


Here's what is going on:


Our clients have to frequently use an institutional website whose address looks like "xxxxxxx.angellearning.com/default.asp".


Both "interesting case" clients have come in with low-level browser hijack infections (Tuvaro, Gorillaprice, Optimizer Pro, Knctr, etc...). Typically we use a combination of AdwCleaner and CCleaner along with some manual actions to resolve these types of infections.


Now the problem that has started happening with these two clients is that post infection cleaning, when the clients attempt to view the "xxxxxxx.angellearning.com/default.asp" site, Chrome downloads "default.asp" instead of displaying it. Every single time.




Chrome will display the page correctly when Windows is loaded in Safe Mode.



The list of cleaning/detection products I have run (hopefully I won't forget any) include:

TDSS Killer
Kaspersky Rescue CD
Sysinternals ProcessMonitor, Autoruns
Malwarebytes Chameleon
Junkware Removal Tool
Adware Removal Tool

Also the applicable tools have been run from outside of Windows (i.e. Kaspersky Rescue).

And after the initial infection was removed, all of the above tools have found NOTHING.


Also also, the Chrome browser has been reinstalled using Revo uninstaller multiple times as well as reset and this problem does not affect any other browsers. The reason that the clients have to use Chrome is due to a browser compatibility issue with the site that they need to access.


Any ideas?
Keep in mind that I can only work on these computers as the clients come back. I have one scheduled to come back today and Monday but I am not authorized to keep their devices without their being present.



#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:03:54 AM

Posted 10 July 2014 - 04:00 PM

Hello, having run ComboFix we need to see that and a DDS log.

Please follow this Preparation Guide, do steps 6, 7 and 8 and post in a new topic.
Let me know if all went well.

#3 studenthub

  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:54 AM

Posted 14 July 2014 - 09:57 AM

Okay, will do. In the meantime, has anyone experienced this problem before?
