
yet another chrome malware/hijack..... seems to be a trend, eh?



#1 voiceofreason (Members)

Posted 01 June 2017 - 09:45 AM

Hi guys and gals... new to BeepC, but a long time lurker. Finally met my match with a crafty bit of malware. I've done the Adw, RKill, MalwareBytes, Hitman, etc. - both in normal boot and safe modes to no avail and have left it now to your tender mercies and guidance. Ran the Farbar logs (attached here) to get us started and I look forward to, and appreciate, you holding my hand through the process....

 

VOR


#2 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 02 June 2017 - 08:59 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this program in bold via the Control Panel > Programs > Programs and Features.
Yahoo! Messenger (HKLM-x32\...\Yahoo! Messenger) (Version: - Yahoo! Inc.)
===

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

HKLM-x32\...\Run: [] => [X]
Winlogon\Notify\SDWinLogon-x32: SDWinLogon.dll [X]
SearchScopes: HKU\S-1-5-21-2799616038-3843560551-1672592197-1002 -> {81ED427D-2828-448C-920E-92FCCBBFD455} URL = hxxps://search.yahoo.com/search?p={searchTerms}&intl=us&fr=chrf-iryus&type=ypi_znlrm_00_00_ie
FF Plugin: @microsoft.com/GENUINE -> disabled [No File]
FF Plugin-x32: @microsoft.com/GENUINE -> disabled [No File]
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=chrf-iryus&type=ypi_znlrm_00_00_chr
CHR DefaultSuggestURL: Default -> hxxps://search.yahoo.com/sugg/ie?output=fxjson&command={searchTerms}&nResults=10
CHR Extension: (Chrome Web Store Payments) - C:\Users\Bruce\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2017-03-15]
CHR Extension: (Chrome Media Router) - C:\Users\Bruce\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-16]
CHR HKU\S-1-5-21-2799616038-3843560551-1672592197-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [hpacaholihkepnhgeeiipghhgonbhdfb] - hxxps://clients2.google.com/service/update2/crx
S4 AdobeFlashPlayerUpdateSvc; C:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [X]
S3 dbx; system32\DRIVERS\dbx.sys [X]
U3 iswSvc; no ImagePath
S4 ZAM; \??\C:\windows\System32\drivers\zam64.sys [X]
S4 ZAM_Guard; \??\C:\windows\System32\drivers\zamguard64.sys [X]
AlternateDataStreams: C:\Users\Bruce\Downloads\CyberLink_PowerDirector_Downloader (1).exe:BDU [0]
AlternateDataStreams: C:\Users\Bruce\Downloads\CyberLink_PowerDirector_Downloader.exe:BDU [0]
AlternateDataStreams: C:\Users\Bruce\Downloads\DropboxInstaller.exe:BDU [0]
AlternateDataStreams: C:\Users\Bruce\Downloads\EN4500_198.exe:BDU [0]
AlternateDataStreams: C:\Users\Bruce\Downloads\HPSupportSolutionsFramework-12.0.26.exe:BDU [0]
AlternateDataStreams: C:\Users\Bruce\Downloads\Install_PDFR_v252.exe:BDU [0]
AlternateDataStreams: C:\Users\Bruce\Downloads\msgr11us.exe:BDU [0]
AlternateDataStreams: C:\Users\Bruce\Downloads\nitro_pdf_reader_64_dlm.exe:BDU [0]
AlternateDataStreams: C:\Users\Bruce\Downloads\putty.exe:BDU [0]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.

===

Reset Chrome...
Open Google Chrome and click the menu icon at the top right of the Google Chrome window.
 
Click "Settings" then "Show advanced settings" at the bottom of the screen.
 
Click "Reset browser settings" button.
 
Restart Chrome.
===

Please let me know what problem persists with this computer.
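The fixlist above is a set of FRST log entries to act on. As an added example (not part of this thread and not FRST's own code), the Python below parses lines of that shape and groups them the way a responder reads them: entries whose target file is missing ([X]), default-search redirects with their affiliate tag, and alternate data streams on downloads. The sample log is constructed; paths and SIDs are placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the fixlist entries above (URLs left
# defanged as hxxps, the way FRST writes them); not a real log.
SAMPLE_LOG = """\
HKLM-x32\\...\\Run: [] => [X]
SearchScopes: HKU\\S-1-5-21-0-0-0-1002 -> {GUID} URL = hxxps://search.yahoo.com/search?p={searchTerms}&fr=chrf-iryus
CHR DefaultSearchURL: Default -> hxxps://search.yahoo.com/search?p={searchTerms}&fr=chrf-iryus
CHR Extension: (Chrome Media Router) - C:\\Users\\X\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2017-05-16]
S4 AdobeFlashPlayerUpdateSvc; C:\\windows\\SysWOW64\\Macromed\\Flash\\FlashPlayerUpdateService.exe [X]
AlternateDataStreams: C:\\Users\\X\\Downloads\\putty.exe:BDU [0]
"""

URL_RE = re.compile(r"hxxps?://\S+")
SEARCH_PREFIXES = ("SearchScopes:", "CHR DefaultSearchURL:", "CHR DefaultSuggestURL:")

def refang(url):
    """Restore the http(s) scheme that FRST defangs to hxxp(s) so urlparse can read it."""
    return re.sub(r"^hxx", "htt", url)

def triage_line(line):
    """Classify one FRST line: ('orphan'|'search-redirect'|'ads', detail) or None."""
    line = line.strip()
    if line.endswith("[X]"):
        # [X] means the registry/service entry points at a file that no longer exists.
        return ("orphan", line[:-3].strip())
    if line.startswith(SEARCH_PREFIXES):
        m = URL_RE.search(line)
        if not m:
            return ("search-redirect", "no URL")
        parsed = urlparse(refang(m.group(0)))
        params = dict(p.split("=", 1) for p in parsed.query.split("&") if "=" in p)
        # The 'fr' parameter names the partner whose affiliate search was installed.
        return ("search-redirect", f"{parsed.netloc} fr={params.get('fr', '')}")
    if line.startswith("AlternateDataStreams:"):
        path, _, stream = line.split(": ", 1)[1].rpartition(":")  # path:stream [size]
        return ("ads", f"{path} stream={stream.split()[0]}")
    return None  # everything else (e.g. a normal CHR Extension line) is not flagged

def triage(log_text):
    """Return the flagged entries of a whole log, in order."""
    return [r for r in map(triage_line, log_text.splitlines()) if r]

if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:16} {detail}")
```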

#3 voiceofreason (Topic Starter, Members)

Posted 02 June 2017 - 11:03 AM

Followed the instructions... so far so good, but I need to leave my browser open for a while to see if the hijack comes back, so don't close the topic yet... I'll come back in about 24 hours with an update. Attached the log.

I see that you focused on the Flash Update and Chrome Media Server - which I had been looking at as suspects. I did not suspect Messenger. If this fix works (which I think/hope it does), do you have any feedback on the type/flavor of malware that infected me? That kind of information can help me, and perhaps others reading this forum, in being more preventative and proactive. Oh, and many thanks! And I'm honored to be assisted by the world famous nasdaq!



#4 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 02 June 2017 - 12:50 PM

We have no way of knowing how this infection was installed on your computer.

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/


https://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/
Simple and easy ways to keep your computer safe and secure on the Internet.
===

I will close this topic in 6 days. If you need to return please do.

#5 voiceofreason (Topic Starter, Members)

Posted 02 June 2017 - 12:58 PM

But what infection was it?



#6 voiceofreason (Topic Starter, Members)

Posted 02 June 2017 - 01:45 PM

ok - the infection is back... :( I've attached a jpg screenshot of the browser hijack along with the perfmon in Task Manager. It's 'freezing' the computer by eating up all the memory, and after a while, it reduces enough so I'm able to use Task Manager to be able to kill Chrome. FYI - this pernicious thing has also hijacked (once) my backup browser (Opera) when I was using it... so this is not a 'Chrome only' deal. Thanks again and looking forward to your much appreciated guidance.

 

VOR



#7 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 03 June 2017 - 07:23 AM

I do not know what type of infection you have. Your logs are clean. We need to look deeper.

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

p.s.
Your Chrome browser may be compromised, and you will have to remove all traces of it and reinstall the program.

You may want to do it now or wait for me to review the RogueKiller log.

Remove Chrome from your computer and reinstall a fresh copy.

Clear your Chrome cache and cookies
https://support.google.com/chromebook/answer/183083?hl=en

Before you remove Chrome, export your bookmarks.
Chrome will export your bookmarks as an HTML file, which you can then import into another browser.

If you sync your data:
Delete Your Google Chrome Browser Sync Data
https://www.howtogeek.com/103655/how-to-delete-your-google-chrome-browser-sync-data/
<<<>>>

Remove Chrome using the instructions on this page.
https://support.google.com/chrome/answer/95319?hl=en

Re-install Chrome and the Bookmarks.
====

#8 voiceofreason (Topic Starter, Members)

Posted 03 June 2017 - 12:15 PM

Hi Nasdaq! Ran RogueKiller and the report is attached here. It found and deleted some browser related stuff (see the report). I'll do the Chrome re-install now and report back... just wanted to get this to you asap.

VOR

ps - again, thanks for the hand holding !   

 

BTW - I have an external drive where I keep all my document data (non system files). I also have done backups/restores of the C: drive to it... so I'm thinking the items deleted on my C: drive might also be there, but as per the instructions for RogueKiller, I disconnected it first. Do you think I might still be at risk, and should I attach the external drive and re-run RogueKiller?

 

VOR


#9 voiceofreason (Topic Starter, Members)

Posted 04 June 2017 - 06:34 AM

After a promising start... it's back. I've attached a screen shot of the browser. The reason the malware ad page didn't display is that it is one of the URLs that I blocked / blacklisted in my Zone Alarm firewall in order to try to diminish this invader... Remember that this thing had also hijacked my backup browser Opera, so it's not a 'Chrome Only' issue... I await your guidance, sir...



#10 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 04 June 2017 - 06:36 AM

Run this on the flash drive and others.

Download and Run FlashDisinfector

You may have a flash drive infection. These worms travel through your portable drives. If they have been connected to other machines, they may now be infected.
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    Note: Some security programs will flag Flash_Disinfector as being some sort of malware; you can safely ignore these warnings.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
===

Let me know of any remaining issues.
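As an added example (not code from this thread and not Flash_Disinfector itself), the Python below checks drive roots for the autorun.inf the note above describes and reports whether the name is absent, occupied by a protective folder of the kind Flash_Disinfector leaves behind, or an actual file, and in the last case which keys would name a program to launch. The inline sample passed to it in testing is constructed.

```python
import configparser
import os
import string

def launch_keys(text):
    """Parse autorun.inf text; return the program-launching keys of [autorun], or None if unparseable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    # configparser section names are case-sensitive, but Windows treats
    # [autorun] and [AutoRun] alike, so match the section case-insensitively.
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    # open=, shellexecute= and shell\...\command= are the keys that name something to run;
    # icon= and label= only change how the drive is displayed. Option names are lowercased.
    return {k: v for k, v in cp[section].items() if k.startswith(("open", "shell"))}

def autorun_status(root):
    """Classify <root>/autorun.inf as 'absent', 'protective-folder', or a dict for a real file."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent"
    if os.path.isdir(path):
        # A directory squatting on the name: no worm can write a file there.
        return "protective-folder"
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        keys = launch_keys(fh.read())
    return {"file": True, "parseable": keys is not None, "launch": keys or {}}

def drive_roots():
    """Roots to check: every lettered drive on Windows, just '/' elsewhere."""
    if os.name != "nt":
        return ["/"]
    return [f"{l}:\\" for l in string.ascii_uppercase if os.path.exists(f"{l}:\\")]

if __name__ == "__main__":
    for root in drive_roots():
        print(root, autorun_status(root))
```

A file whose "launch" dict is non-empty on a removable drive is the thing to quarantine and hand to a responder; the folder case is the expected state after Flash_Disinfector has run.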

#11 voiceofreason (Topic Starter, Members)

Posted 05 June 2017 - 05:25 AM

I'll try that but before doing that is there a chance that the infection is in my external drive?  What if I re-ran Rogue Killer with the external drive attached?  Would RK search/destroy the external (G:) drive?   



#12 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 05 June 2017 - 07:12 AM

Just run the Search function with RogueKiller on the external drive.

Post the log if you get one.

#13 voiceofreason (Topic Starter, Members)

Posted 07 June 2017 - 12:27 AM

Re-running RogueKiller didn't find anything... Tried to run the Flash Disinfector but couldn't get it to run, even with my AV turned off... attaching screen shot of failure to run message below... wow this is a stumper...


#14 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 07 June 2017 - 07:49 AM

Try to run it as an Administrator.

#15 voiceofreason (Topic Starter, Members)

Posted 07 June 2017 - 08:06 PM

I did...





