Solved Chrome recently infected - random redirects & popups

Status
Not open for further replies.

Maleko48

New Member
Thread author
May 11, 2017
5
My machine has BitDefender Free running and it hasn't made a peep this entire time.

Since first experiencing the popups, I have run multiple scans with:
  • Malwarebytes Antimalware
  • ADWcleaner
  • CCleaner
  • Hitman Pro
  • Zemana Antimalware
  • Windows Defender

Even after all showed a clean system, with Chrome completely uninstalled and additional Chrome folders manually deleted from Windows' hidden folders, I reinstalled Chrome and set it up how I like it only to find I am still receiving such popups. Sometimes they come in a new tab on my existing window, other times they pop up in their own new window alone. I am wondering if I missed some old Chrome installation remnants?

I have tracked the process ID from Chrome's task manager to the Windows process using Process Explorer (Sysinternals) and Process Lasso, and the command line details appear to track back to the chrome.exe file itself, but with tons of additional commands going on that I truthfully don't know how to break down.

I attached some screenshots showing a single instance: Process Explorer 001 - details.png, Chrome Task Manager.png
 

Attachments

  • Addition.txt
    75.7 KB · Views: 1
  • FRST.txt
    106.7 KB · Views: 3

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Hello,

I don't see an obvious infection on your computer. It could be done by some of your Chrome extensions; you should check/disable them one by one.
 

Maleko48

New Member
Thread author
May 11, 2017
5
Hmm, those have been the same for a while now... As long as I disable them from the extensions page within settings they shouldn't have any effect from just existing on my drive in a folder right?
 

Vdrug

New Member
May 12, 2017
1
Hi there!
I just want to chime in and say that I have the same issue as you and many others in this forum, and if you find a solution, hopefully it can solve my problem as well.
I've re-installed Chrome and even reset Chrome and used the tool that Google made to fix Chrome. I also installed Zemana, HitmanPro, CCleaner, Spybot Search and Destroy and Malwarebytes in order to scan my PC to find the culprit, but to no avail.
I get all kinds of different ads now and then, everything from naughty girls to video converting software. Either it opens up a new tab in a new window or in my current window of Chrome. Somehow they always pop up muted too? Most of the ads are in English, but I also got a few in Norwegian.

I am usually very careful with clicking any ads (I have uBlock Origin) and I never open any of those suspicious e-mails. I tried to check if it had something to do with any recent installations, but the only things I have installed were games through game clients that are trustworthy. The extensions I have are some I have used for 2+ years and there were never any issues with them at all. I am also the only one using this PC.
I tried to check the task manager and AppData for suspicious things running/installed, but I haven't spotted anything so far.

Crossing my fingers our problem will be solved!
 

Maleko48

New Member
Thread author
May 11, 2017
5
Just found a relevant thread on the Google forums from 2015 that explains my exact situation perfectly. As I sit here typing this, I am on a fresh install of chrome browser after completely removing everything before reinstalling. It is important to note, I am not signed into my google account at the browser's profile level so none of my stuff is currently synced. I have not had a single popup this entire time. As soon as I sign my chrome browser into my profile and it syncs all my data back to my PC I immediately start getting the pops and redirects.

TL;DR:
My f***ing Google profile itself is infected...

Here is the link: Google Groups

It appears to contain instructions for how to clear your Google profile's synced data but seems to have limited success... I will be reporting back as soon as I know more.
 

Maleko48

New Member
Thread author
May 11, 2017
5
Also just some more info on my case in particular:
  • I have removed any and all (even remotely) questionable local software from my machine that I installed recently and I keep an extremely clean and lean install of Win7.
  • There are no unusual installations, toolbars, crapware, etc. showing up in Windows' uninstall wizard list, nor is my CPU being loaded up with extra work.
  • There are no unexpected extensions on my profiles either.
  • Both of my profiles run the same set of extensions.
  • I am currently narrowing down the infection between my two Chrome profiles that I use (one personal, one professional).
  • After that, I will start with disabling all of my extensions, and if that proves unsuccessful, I may have to download my Google data archive and start messing around with resetting my synced data or settings that seem to keep causing all of this.
 

Maleko48

New Member
Thread author
May 11, 2017
5
Here is the next most relevant thread I have managed to find; however, it is far older, from 2012:

Google Groups


My most recent redirects (which started coming as soon as I signed into my Chrome profile, but which no software's FULL scans are picking up) have still been to:

  • Nextdoor.com

Per ADW Cleaner's log:

These are the threats that show up occasionally throughout all my scanning and re-scanning, but not consistently, and when they do get cleaned they manage to find their way back. Again, all of this only happens when signing the Chrome.exe browser application itself into my Google profile. If I log into my Google accounts at the website or webpage level, I have no problems.

Chrome pref Found: [C:\Users\Maleko\AppData\Local\Google\Chrome\User Data\Default\Web data] - startnow.com
Chrome pref Found: [C:\Users\Maleko\AppData\Local\Google\Chrome\User Data\Default\Web data] - ask.com
Chrome pref Found: [C:\Users\Maleko\AppData\Local\Google\Chrome\User Data\Default\Web data] - aol.com
Chrome pref Found: [C:\Users\Maleko\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] - hxxp://search.conduit.com/?ctid=CT3220468&SearchSource=48
Chrome pref Found: [C:\Users\Maleko\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] - startnow.com
Chrome pref Found: [C:\Users\Maleko\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] - ask.com
Chrome pref Found: [C:\Users\Maleko\AppData\Local\Google\Chrome\User Data\Profile 1\Web data] - aol.com
At this point I have successfully confirmed my (newer) professional account is compromised, but I am still narrowing it further.
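The ADW Cleaner lines above point at exactly the places a poisoned profile gets restored to by sync: the JSON preference files (`Preferences` / `Secure Preferences`) and the search-engine table inside the `Web data` SQLite database. The script below is an added example, not from this thread or from any of the tools named in it, showing how to audit those two locations for the homepage, start-up URLs, default search provider, extensions and search engines, and to flag anything that points at the domains ADW Cleaner reported. The JSON key paths, the reduced three-column `keywords` table and all sample data are constructed assumptions for illustration; the real `Web data` schema has many more columns.

```python
"""Audit a Chrome profile for adware-style preference and search-engine entries.

Added example (not from the thread or any tool mentioned in it). It inspects the
parsed JSON of a Preferences / Secure Preferences file and the ``keywords`` table
of the Web Data SQLite database, and flags entries whose host is on a watch list.
All sample data below is constructed.
"""
import json
import sqlite3
from urllib.parse import urlparse

# Domains taken from the ADW Cleaner log in the thread; extend as needed.
WATCHLIST = {"search.conduit.com", "startnow.com", "ask.com", "aol.com"}


def host_of(url):
    """Return the lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def is_watched(url):
    """True if the URL's host is, or is a subdomain of, a watch-listed domain."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)


def audit_preferences(prefs):
    """Inspect a parsed Preferences dict; return (setting, value, flagged) tuples.

    The key paths (homepage, session.startup_urls, default_search_provider_data,
    extensions.settings) are an assumption about Chrome's JSON layout and may
    differ between versions.
    """
    findings = []
    homepage = prefs.get("homepage", "")
    if homepage:
        findings.append(("homepage", homepage, is_watched(homepage)))
    for url in prefs.get("session", {}).get("startup_urls", []):
        findings.append(("startup_url", url, is_watched(url)))
    dsp = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if dsp.get("url"):
        findings.append(("default_search", dsp["url"], is_watched(dsp["url"])))
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest", {})
        update = manifest.get("update_url", "")
        # An update URL outside the Web Store endpoint is worth a second look.
        off_store = bool(update) and "clients2.google.com" not in update
        findings.append(("extension", f"{ext_id} ({manifest.get('name', '?')})", off_store))
    return findings


def audit_web_data(conn):
    """Return (short_name, keyword, url, flagged) for each search engine in Web Data."""
    rows = conn.execute("SELECT short_name, keyword, url FROM keywords").fetchall()
    return [(name, kw, url, is_watched(url)) for name, kw, url in rows]


def load_preferences(path):
    """Parse a real Preferences / Secure Preferences file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# ---- constructed sample data standing in for a poisoned profile ----
SAMPLE_PREFS = {
    "homepage": "http://search.conduit.com/?ctid=CT3220468&SearchSource=48",
    "session": {"startup_urls": ["https://www.example.org/"]},
    "default_search_provider_data": {
        "template_url_data": {"url": "http://www.startnow.com/s?q={searchTerms}"}
    },
    "extensions": {"settings": {
        # Extension ids below are made up, not real Web Store ids.
        "abcdefghijklmnopabcdefghijklmnop": {"manifest": {
            "name": "uBlock Origin",
            "update_url": "https://clients2.google.com/service/update2/crx"}},
        "ponmlkjihgfedcbaponmlkjihgfedcba": {"manifest": {
            "name": "Coupon Helper",
            "update_url": "http://updates.adware-sample.invalid/crx"}},
    }},
}


def build_sample_web_data():
    """In-memory stand-in for Web Data with a reduced keywords table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keywords (short_name TEXT, keyword TEXT, url TEXT)")
    conn.executemany("INSERT INTO keywords VALUES (?, ?, ?)", [
        ("Google", "google.com", "https://www.google.com/search?q={searchTerms}"),
        ("Ask", "ask.com", "http://www.ask.com/web?q={searchTerms}"),
    ])
    return conn


if __name__ == "__main__":
    for setting, value, flagged in audit_preferences(SAMPLE_PREFS):
        print(f"{'FLAG' if flagged else ' ok '} {setting:15} {value}")
    for name, kw, url, flagged in audit_web_data(build_sample_web_data()):
        print(f"{'FLAG' if flagged else ' ok '} {'search_engine':15} {name} ({kw}) {url}")
```

Point `load_preferences` at a real profile's `Preferences` or `Secure Preferences` file (Chrome should be closed first, and `Web data` is locked while it runs, so copy it before opening it with `sqlite3`). Because sync writes these same settings back on sign-in, running the audit on the freshly synced profile is the quickest way to confirm which values are being restored from the cloud rather than from a local leftover.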
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Yes, sometimes a Chrome profile gets poisoned by adware homepages or extensions, and you can empty your sync data. After that, just log in again and you should be fine.
 