Occasional Chrome browser redirects.

[AverageJoe]

Hello,

 

I've recently been fighting some nasty malware that has creeped into my computer that I built a little over a year ago and was working flawlessly up until last month. It started when I noticed some intrusive ads in my Google searches and an extension in my Chrome browser that I didn't recognize nor installed myself. Since then I've done a series of uninstalls and removals on the unwanted programs and extensions using several programs (Mostly Spybot Search & Destroy and Malwarebytes Anti-Malware). At first it looked like I got rid of everything unwanted but I noticed that every so many days the ads and malware kept returning, so I slowly but surely chipped away at finding the source of the problem and I seem to have gotten rid of the bulk of it presently but there's at least one malware that I just can't find and eliminate.

 

It's something that causes my Chrome browser to redirect to an undesired web page when I open a new window in Chrome. It doesn't happen frequently; only once every hour or so. In the meantime, I can open dozens of new windows and tabs without any problems. For the most part, my browsing experience is pleasurable and I simply end the task on the Chrome window that occasionally gets redirected. Other than that, my computer's running fine, so I would simply like help trying to track down this piece of malware that's causing my Chrome to redirect please.

 

Attached are the FRST.txt and Addition.txt files generated from Farbar's Recovery Scan Tool. The two security softwares I'm presently using are Microsoft Security Essentials and Spybot Search & Destroy. I've ran several threat scans in Malwarebytes Anti-Malware and it never detects any threats. Please let me know if there's any other additional system or setup information you guys need and I will be happy to provide it.

FRST.txt

Addition.txt

[AverageJoe]

Sorry, I forgot to mention. I was looking through the FRST text file and I noticed the section that shows files downloaded or modified out to one month ago. Just wanted to mention that I first discovered strange behavior in my Chrome and the unwanted extensions on March 23rd, just outside the one month window accounting for today after I ran the Farbar tool. Just throwing it out there in case if there's a way to extend the Farbar tool to report further back than 30 days or in case any forum experts need more information. Thanks.

[_argus]

Helllo,

My name is Argus and and I will be helping you with your computer problems.

Before we begin, please note the following:

• I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
• The logs can take some time to research, so please be patient with me.
• Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
• Instructions that I give are for your system only!
• Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
• Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
• Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not be able to help you if you do not follow my instructions.

Rules and policies

We won't support any piracy.
That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding!
The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares... We don't provide any help for P2P, except for their removal. All P2P software has to be uninstalled or at least fully disabled before proceeding!

Failure to follow these guidelines will result with closing your topic and withdrawning any assistance.

 

 

 

 

Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (preferred version is the *.exe one)
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
 

• Right-click on icon and select Run as Administrator to start the tool.
• Wait patiently until the main console will appear, it may take a minute or two.
• In the main box please paste in the following script:
  

  createsrpoint;autoclean;emptyalltemp;ipconfig /flushdns;b

• Make sure that Scan All Users option is checked.
• Push Run Script and wait patiently. The scan may take a couple of minutes.
• When the scan completes, a zoek-results logfile should open in notepad.
• If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.

 

[AverageJoe]

Thanks for the assistance with my problem.

 

I disabled my Microsoft Security Essentials but not my Spybot Search & Destroy (The link does not specifically mention Spybot by name nor is it really an anti-virus software). Not sure if this makes a difference but I felt it best to point it out.

 

I ran the zoek tool and attached the log file to this post. It did prompt me to do a system reboot. After rebooting and viewing the log file, I launched my Chrome browser to return here with my information and I noticed ads starting appearing on my web pages again. I checked my extensions and an unknown extension named "AdPunisher" is now installed. This was not there before I ran the zoek tool and rebooted. It's also making my web navigation and posting here on Malwarebytes difficult.

 

I also attached a screenshot of the extension for reference. I have not re-enabled Microsoft Security Essentials nor ran any additional tools at this time. Awaiting your reply. Thanks.

zoek-results.log

[_argus]

Okay Spybot is not antivirus.

 

Re-run zoek and run this script:

createsrpoint;autoclean;chromelook;

Post its content into your next reply.

[AverageJoe]

Re-ran zoek with the script you supplied. It completed and prompted for a reboot. Upon finishing rebooting and checking the log file, I opened Chrome and still see the ads. The AdPunisher extension is still present in my Chrome extensions list. Doesn't seem to have changed anything; still getting web pages redirected, pop ups, and random underlined/hyperlinked text to ads.

 

Does Chrome need to be fully closed when the zoek tool is run? Presently, I'm just clicking the close button in the top, left corner but I have Chrome set to run in the background. In other words, even though I close the browser window, I still see the Chrome icon in my taskbar's notification tray in the bottom, right corner of my monitor. Not sure if leaving Chrome running in the background or fully exiting it will make a difference.

 

Attached most recent zoek log file to this post.

zoek-results.log

[_argus]

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your desktop.
 

• Right-click on icon and select Run as Administrator to start the tool.
• Follow the prompts and click Scan.
• When finished, please click Clean.
• Upon completion, click Report. A log (AdwCleaner[s*].txt) will open.

Please include the contents of that file in your reply.
 

 

 

Step 2.

 

 

Chrome installation is altered by malware (fake chrome). Reinstall is needed.

 

Chrome:
=======
CHR dev: Chrome dev build detected! <======= ATTENTION

 

 

 

If you have bookmarks, let's save them by exporting them

https://support.google.com/chrome/bin/answer.py?hl=en&answer=96816

 

 

Close all Chrome windows and tabs.
Go to the Start menu > Control Panel.
Click Programs and Features.
Double-click Google Chrome.
Click Uninstall from the confirmation dialog. Delete your user profile information, like your browser preferences, bookmarks, and history, select the "Also delete your browsing data" checkbox.


Click Start, copy in search %LOCALAPPDATA%\ and remove folder Google

Download Chrome
https://www.google.com/intl/en/chrome/browser/desktop/

 

 

Import bookmarks

[AverageJoe]

Much better results this time around, it seems.

 

Downloaded and ran the AdwCleaner tool. At first it flashed a pop-up saying the version I was running was outdated and asked if I wanted to go to AdwCleaner's web site and download the latest version. I clicked "Cancel" and proceeded to run the version you linked in your post.

 

The scan went by fairly quick and only found a handful of entries in the Folders, Registry, and Chrome tabs. I clicked "Cleaning" and waited for it to clean everything. It then prompted me to do a system reboot. After finishing the reboot, the log file appeared on my screen. It said it was saved in my C:\AdwCleaner folder. When I checked that folder, there were two log files with a date/time created about two minutes apart. I'm guessing one is a log from before I rebooted and the other is a log for after I rebooted since my PC only takes about a minute or two to fully reboot. Either way, I attached both log files to this post since I am unsure of which one you need.

 

After the reboot, I went to uninstall Chrome. I exported my bookmarks as instructed. When I double clicked "Chrome" in the Program List, it asked me to first close all Chrome processes before continuing. I thought this was strange as I had no open Chrome windows or tabs. To my knowledge, Chrome wasn't even running because the notification icon that I usually see in my system tray in the bottom, right corner of my monitor wasn't there. I went ahead and opened Windows Task Manager and found three processes for "chrome.exe*32." When I ended one, the other two ended as well. Returned to the Programs List and double-clicked on "Chrome." This time it allowed me to uninstall. I was presented with only two checkboxes: "Also delete your browsing data" and "Make another browser my default" with a drop-down list saying "Internet Explorer." I'm assuming the "Also delete your browsing data" checkbox is all-encompassing that deletes the profile information, preferences, bookmarks, history, etc. like you said? After this, I proceeded to delete the Google folder under my %LOCALAPPDATA%\ folder.

 

Finally I launched Firefox and proceeded to download Chrome from the link you provided. Downloaded the installer, ran it as administrator, and allowed it to install/update Chrome as needed. When Chrome launched, it prompted me to sign in. I already have a Google account with all my preferences, extensions, apps, and bookmarks synced so I went ahead and logged in. It proceeded to reinstall all my extensions and apps and imported my bookmarks. For the most part, it's back to looking just like it was prior to the uninstall, except for the undesirable AdPunisher extension.

 

So far things are working great. I can open web pages, conduct searches, etc. and don't see any intrusive ads, pop-up windows, or web page redirects. I know we're probably not finished yet but I feel this is significant progress.

AdwCleanerR0.txt

AdwCleanerS0.txt

[_argus]

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Make sure that Addition option is checked.
• Press Scan button and wait.
• The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please include their content into your next reply.

 

[AverageJoe]

Re-ran Farbar Recovery Scan Tool. Attached FRST.txt and Addition.txt to this post.

FRST.txt

Addition.txt

[_argus]

System is excellent. I will remove only temp files and repair policy restriction.

 

 

 

Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

• Right-click on icon and select Run as Administrator to start the tool.
  (XP users click run after receipt of Windows Security Warning - Open File).
• Press the Fix button just once and wait.
• If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
• When finished FRST will generate a log on the Desktop, called Fixlog.txt.
  

Please attach it to your reply.

fixlist.txt

[AverageJoe]

Downloaded your fixlist.txt and saved it to the desktop. Ran Farbar Recovery Scan Tool as administrator and clicked "Fix." The process completed and put a fixlog.txt on my desktop. It did prompt for a system reboot and the message also said I wouldn't receive any further notifications. I allowed the system to fully reboot. Once finished rebooting, I launched Chrome and returned here to attach the fixlog.txt to my post.

Fixlog.txt

[_argus]

Very good, system is clean.

Glad we could help. We will delete all used tools.

 

 

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the icon and Run as administrator option.
• Make sure that these ones are checked:
  
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
    

  [*]Push Run and wait until the tool completes his work. [*]All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)
  

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.
 

[AverageJoe]

Downloaded and ran Delfix tool. Attached Delfix.txt to this post.

 

Is it okay at this point to resume using my PC as normal and re-enabling my Microsoft Security Essentials anti-virus or is there more to do?

DelFix.txt

[_argus]

Is it okay at this point to resume using my PC as normal and re-enabling my Microsoft Security Essentials anti-virus or is there more to do?

 

 

 

Only enable MSE (Microsoft Security Essentials), this is all the.

[AverageJoe]

Thanks for all your help. Is there a way you can tell from the log files if my Chrome is truly clean and shouldn't have any problems going forward or will I have to monitor its behavior over the next week or so and see if any problems return or persist? The original problem I had is I would remove the undesired extensions and ads from my Chrome and everything would seem fine for about two to three days; I didn't see any obvious signs of malware, browser hijacking or redirects, or ads. Then after about three or four days, the problem would return, all of a sudden I'd get web page redirects and sometimes ads would start appearing.

[_argus]

Thanks for all your help. Is there a way you can tell from the log files if my Chrome is truly clean and shouldn't have any problems going forward or will I have to monitor its behavior over the next week or so and see if any problems return or persist?

 

 

 

Don't worry, Chrome is okay now, all extensions are legitimate.

[AverageJoe]

Excellent, glad to hear it. I really appreciate you taking the time to help me and provide expert assistance. I haven't used my PayPal account in years but once I get it running again, I'll be sure to send you a donation for your time and effort. Thanks again!

[_argus]

Thank you so much.

 

Regards.

[AdvancedSetup]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!